Does Crayon process Personal Data only in accordance with Customer documented instructions including with regard to transfers of Personal Data to a third country or an international organization?
Yes, In the absence of separate instructions issued by the Controller, the relevant subsidiary of Crayon Group will follow the definitions contained in the Personal Data Processing Agreement used across Crayon Group.
Where applicable, does Crayon ensure sufficient checks carried out before choosing a subcontractor/subprocessor in order to evaluate that appropriate privacy and security measures will be applied to the Personal Data they handle on Customer’s behalf?
Yes: Where applicable, Crayon Group signs Data Processing Agreements with sub contractors/sub processors to evaluate and document that appropriate privacy and security measures will be applied to the Personal Data they handle on behalf of the controller, including any specific instructions received from the Controller regarding the processing of their data.
Does Crayon have a process in place to notify Customers prior to the engagement of subcontractor/subprocessors?
Yes, in Accordance with our Data Processing Agreement with our clients "may engage subcontractors to process the personal data only with the Controller’s prior specific written consent".
Does Crayon have a process in place to periodically monitor and assess subcontractors/ sub processors to verify on-going compliance with their contractual and compliance obligations?
Yes: The annual Audit Program followed by the Crayon Group Data Protection Officer includes the monitoring and assessment of subcontractors/subprocessors to verify ongoing compliance with their contractual and compliance obligations.
Does Crayon have a procedures governing the secure storage, archiving, disposal, destruction or return of Personal Data which is no longer required?
Yes: The annual Audit Program followed by the Crayon Group Data Protection Officer includes the review of compliance with the data storage, archiving, disposal, destruction, return definitions stipulated in Data Processing Agreements and Records of Processing.
Does Crayon have a suitable and functional ISMS (Information Security Management System) or an equivalent set of management processes in place to ensure adequate and continual focus on information security?
Yes, Under the umbrella of Crayon’s Anticipatory Information Security and Data Protection (ISDP) Strategy, the Head of Information Security and ISDP Team work closely with a network of over 20 ISDP Agents worldwide to ensure the continuous monitoring and updating of Crayon’s technical and organisational information security measures.
Does Crayon have a management process for building and maintaining an information security culture in the organisation and to which degree security awareness campaigns is run regularly?
In addition to Crayon’s Mandatory ISDP Training, Crayon’s ISDP Team maintains a highly proactive approach to the identification, resolution and communication of emerging security threats/risks.