Suprema AI GDPR Compliance Statement

Suprema AI (hereinafter "the Company" or "We") is committed to ensuring the security and protection of the personal information it handles, to complying with the Data Protection Regulation, and to applying a consistent approach to data protection.

The Company has created this GDPR Compliance Statement to explain its approach to implementing the GDPR Compliance program. It explains the implementation of data protection roles, policies, procedures, controls and measures to consistently comply with GDPR.

The solutions, products, and services that the Company develops and sells are not the personal information processing systems referred to in this Statement.

What is GDPR?

The EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”) went into effect on May 25, 2018 to harmonize data protection regulations throughout the European Union and to provide greater protection and rights to individuals. GDPR applies to any organization operating within the EU, as well as any organization outside the EU that offers goods or services to customers or businesses in the EU.

Principles of GDPR

We, at Suprema AI, recognize and respect the importance of protecting our customers’ personal data.

The principles stated below provide a summary of the basic rules that we follow when processing personal data:

  • We process personal data lawfully, fairly and in a transparent manner.

  • We collect personal data only for specified, explicit and legitimate purposes.

  • We collect and keep personal data only to the extent necessary in relation to the purposes for which it is processed.

  • We ensure that the personal data we store is up-to-date and accurate.

  • We merely produce the technology that enables customers to process personal data. We are neither a controller nor a processor under the GDPR. When a customer processes personal data using Suprema AI’s solutions, the customer is a controller under GDPR and is subject to the obligations set out in the GDPR, if the customer falls within the territorial scope of GDPR.

  • To the extent possible, we implement appropriate technical measures in our products to help our customers comply with GDPR.

Data Subject Rights under GDPR

In regard to the personal data in our custody or control, an individual may request the following information from the Company.

Please note that this does not apply to individuals who are registered and managed by a customer using our products. Such requests are handled by the customer in accordance with its own policy, independently of us.

  • Personal data that we retain regarding individuals.

  • Categories of Personal data that we collect from individuals.

  • The purposes for which personal data is collected and processed.

  • How long personal data will be retained.

  • The procedure to rectify or complete incomplete or inaccurate personal data.

  • The procedure to request deletion of personal data, to restrict processing of personal data, or to object to the Company's direct marketing under the Data Protection Regulations, where applicable.

  • Information regarding all automated decision making that we use.

GDPR Compliance Plan

The Company has performed, or will perform, the following steps in order to comply with GDPR.

  • We have performed an analysis of personal information collected through our system.

  • We have put a procedure and a policy in place to restrict personal information processing.

  • We have updated our procedure for handling data breaches and incidents.

  • We have updated our data protection policy, data retention policy, information security policy, cookie policy and personal information protection policy.

  • We have identified the legal basis for personal information processing by reviewing all processing activities, and confirmed whether each legal basis is appropriate for the related activity.

Protection Measures under GDPR

Suprema AI considers the privacy and security of individuals and personal information extraordinarily important, and takes all reasonable preventive measures to protect personal data handled by the Company.

The Company has the following policies and procedures for information security in place, and takes security measures on various layers in order to protect personal information from unauthorized access, modification, disclosure and destruction.

  • Risk Management. We evaluate and manage any service-related risks as a part of our risk management process. The risk management process is included in the Company's rules.

  • Information Security Management. We maintain and comply with an internally established Information Security Management System (ISMS), which includes security policies, organization, processes, and controls that satisfy the regulatory compliance and security requirements identified by us.

  • Individual Security. We implement hiring, employment and termination processes for individual employees. We carry out background investigations, continuous security awareness, physical and logical access management, risk identification and other security activities for each role, in line with the security requirements, legal requirements and restrictions that apply to that role.

  • Assets Management. We handle customer data in accordance with contracts, terms or privacy policies, including any relevant service documents. IT resources used in service provision are managed in accordance with our internal classification and processes. When data or assets are scheduled for deletion and disposal, we follow an established process to erase them from devices and storage media appropriately before physical disposal.

  • Access Management. We handle personal information necessary for tasks such as sales, technology support, and purchase consultations. Our personal information processing system is protected by network and logic-level security solutions. Only separately authorized personnel may access this system.

  • Encryption. All network traffic to and from our Internet-facing systems and products is encrypted before transmission, and all personal information is encrypted in transit.

  • Physical Security. Our personal information processing system uses the infrastructure services and secure data center of a reputable industry provider. The infrastructure service provider defines, maintains and manages the physical and environmental controls of the production environment, and retains assurance reports and security verifications relating to those controls.

  • Operation Security. We adhere to industry best practices, including automation and provider recommendations, to ensure a secure environment for our personal information processing system services. Additionally, we maintain our software by utilizing up-to-date automation and manual processes to address any identified vulnerabilities.

  • Vulnerability Management. We identify potential vulnerabilities using various methods such as vulnerability scanning, security testing, source code analyzers and threat intelligence. We evaluate and resolve any reported vulnerabilities using defined processes and activities. We provide a responsible disclosure channel through which security managers may report any problems they find.

  • Security Testing and Audits. We regularly conduct security testing and audits internally. When necessary, we also cooperate with a third-party security service company to perform penetration tests. We manage any test results and other findings using our vulnerability management processes and activities. Any security test results are treated as confidential and internal.

  • Security Event Management. We identify events and incidents affecting services and data by monitoring the personal information processing environment. Security events are handled by the security department under an operational process.

  • Business Continuity and Back-up. Customer data is backed up and tested on a regular basis so that our Recovery Point Objective (RPO) and Recovery Time Objective (RTO) can be satisfied, in accordance with our internal rules.

  • Endpoint Security. We scan for and monitor malware in order to detect malicious programs and files in the employee working environment. In addition, we have a function in place to filter and block spam and phishing emails.

International Data Transfer

As a general rule, we do not engage in International Data Transfers. However, if it becomes necessary for tasks such as sales support, technical support, or purchase consultations at the customer's request, we will inform the data subjects of the details and obtain their consent before proceeding. In such cases, we ensure that the International Data Transfers are conducted using verified and secure industry-standard cloud services.

Items prepared in Suprema AI products to ensure the customer's compliance with GDPR

Our services and products are developed using an R&D process. The development process includes security requirements for each phase, such as analysis, development, implementation, test and distribution.

If you have any questions regarding GDPR, please contact us.

If you have any questions regarding this GDPR Compliance Statement or our personal information protection, please contact:

Email: sales_ai@supremainc.com