Data Processing Policy

This Data Processing Policy ("DPP"), which is a part of your Majestic Services Policy, regulates how Majestic and its affiliates process personal data.

Definitions

Capitalized terms used but not defined in this DPP have the meanings given in your Majestic Services Policy.

"Approved Data Transfer Mechanism" means a data transfer mechanism incorporated into this DPP that has been approved by a competent supervisory authority in accordance with DP Law, such as the EEA SCCs and the UK Data Transfer Addendum.

"Authorized Services" means Services that are licensed, authorized, or otherwise regulated by a Governmental Authority.

"CCPA" means the California Consumer Privacy Act of 2018, California Civil Code Sections 1798.100 through 1798.199.

"DP Law" means all applicable laws governing the Processing of Personal Data under your Majestic Services Policy and this DPP, including international, national, state, provincial, and local laws relating to privacy, data protection, or data security.

"Data Controller" means the entity that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. A Data Controller may or may not be a "business" as defined by the CCPA.

"Data Processor" means an entity that Processes Personal Data on behalf of a Data Controller, and includes a "service provider" as defined by the CCPA.

"Data Security Measures" means technical and organizational measures designed to protect Personal Data to a standard appropriate to the risk of the Processing.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

"EEA" means the European Economic Area.

The term "EEA SCCs" refers to the standard contractual clauses included in Module 2 (Transfer: Controller to Processor) of the European Commission Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries in accordance with the GDPR.

"GDPR" is the abbreviation for the General Data Protection Regulation (EU) 2016/679.

"Instructions" means this DPP and any other written policies or documentation by which the Data Controller instructs a Data Processor on the specific Processing of Personal Data that the Data Controller wants carried out.

"Joint Controller" means a Data Controller that determines the purposes and means of Processing Personal Data jointly with one or more other Data Controllers.

"Personal Data" means any information Processed in connection with the Services that relates to an identified or identifiable natural person. It includes both "personal data" as defined by the GDPR and "personal information" as defined by the CCPA.

"Process" means any operation or set of operations performed on Personal Data or on sets of Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

"Sensitive Data" means, to the extent DP Law expressly treats such information as a special category of Personal Data, (a) genetic data, biometric data, data concerning health, or data concerning a natural person's sex life, or (b) data revealing racial or ethnic origin, political opinions, religious beliefs, or trade union membership.

"SSA Affiliate" means a Majestic Affiliate that acts either (a) as a Joint Controller with Majestic for Authorized Services or (b) as a Data Processor on Majestic's behalf for Services other than Authorized Services.

"Sub-processor" means an entity engaged by a Data Processor to Process Personal Data on the Data Processor's behalf in connection with the Services.

"UK Data Transfer Addendum" means the international data transfer addendum to the EEA SCCs issued by the UK Information Commissioner's Office.

The term "UK GDPR" refers to the GDPR as it has been incorporated into national law in the United Kingdom, as per section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

Majestic as a Data Processor and Data Controller

Data processing roles

Where Majestic acts as a Data Controller, Majestic alone determines the purposes and means of Processing the Personal Data it obtains from or through you. Where Majestic acts as a Data Processor, Majestic Processes Personal Data on your behalf, with you acting as the Data Controller.

Categories of data subjects

Majestic may Process the Personal Data of your customers, agents, and any other natural persons who access or use your Majestic account.

Categories of personal data

Where necessary, Majestic may Process: device IDs, email addresses, IP addresses, order IDs, payment card details, bank account details, billing and shipping addresses, names, the date, time, and amount of transactions, tax ID and tax status, unique customer identifiers, and identity information, including data from official documents (passports, driver's licenses, and national IDs).

Sensitive data

Where applicable, Majestic may Process facial recognition data.

Purposes of processing

Acting as a Data Processor for a Service, Majestic Processes Personal Data to support payment transactions on behalf of Majestic users and to operate and maintain the Majestic platform. Acting as a Data Controller, Majestic Processes Personal Data for the following purposes: selecting the banks and payment method providers to be used; determining how Personal Data is Processed when Majestic offers products and services, including when Majestic offers a payment method; monitoring, preventing, and detecting fraudulent transactions and other fraudulent activity on the Majestic platform; and complying with legal obligations, including applicable privacy laws.

Majestic's Responsibilities as a Data Processor

Acting as your Data Processor, Majestic will:

Process Personal Data on your behalf and in accordance with your Instructions. Majestic will not sell, retain, use, or disclose Personal Data for any purpose other than performing the Services and complying with law, except as otherwise provided in your Majestic Services Policy (including this DPP) or permitted by DP Law. Majestic will notify you if it believes an Instruction infringes DP Law.

Ensure that all persons Majestic authorizes to Process Personal Data in connection with the Services are bound by a duty of confidentiality and are granted access to Personal Data only on a need-to-know basis.

Notify you, to the extent required by DP Law, of any request that a Data Subject makes to Majestic to exercise their rights under DP Law, including a "verifiable consumer request" as defined by the CCPA, to:

(i) access their Personal Data (e.g. the right to know under the CCPA);
(ii) have their Personal Data corrected or erased;
(iii) restrict or object to Majestic's Processing; or
(iv) data portability.

Majestic will not respond to such requests unless you instruct Majestic to do so in writing, except that Majestic may request additional information to identify the Data Subject and, where applicable, refer the Data Subject to you as the Data Controller.

Provide you with reasonable assistance, at your expense and to the extent required by DP Law, through appropriate technical and organizational measures, so that you can meet your obligations under DP Law. This assistance may include notifying you of any request Majestic receives from a Governmental Authority requiring Majestic to disclose Personal Data or to participate in an investigation involving Personal Data.

Establish and maintain a documented information security program that incorporates the Data Security Measures set out in Exhibit 1 of this DPP.

Maintain a data security incident management program and use it to handle any accidental or unauthorized loss, alteration, disclosure of, or access to Personal Data (an "Incident"). Where DP Law requires Majestic to notify you of an Incident, Majestic will do so without undue delay and no later than the time period DP Law specifies.

In addition, Majestic will notify you of any Incident affecting Personal Data subject to the GDPR or UK GDPR no later than 48 hours after Majestic becomes aware of it. Majestic and you will cooperate to respond to the Incident; this may include identifying relevant stakeholders, investigating the Incident, providing regular status updates, and discussing notification obligations. Unless DP Law expressly requires otherwise, Majestic will not notify your affected Data Subjects of an Incident without first consulting you.

Use Sub-processors as necessary to perform the Services, in accordance with the general written authorization you give Majestic under Section 4.2 of this DPP.

At your written request, and to the extent required by DP Law, make audit reports (which contain Majestic confidential information) available to you so that you can carry out audits or inspections. On written request, and no more than once a year, Majestic will promptly provide documentation or complete a written data security questionnaire of reasonable length and scope concerning the Processing of Personal Data by Majestic and its Affiliates. All information so provided, including responses to security questionnaires, is Majestic's confidential information.

At your request, and subject to Majestic's rights and obligations under your Majestic Services Policy (including this DPP), delete or return any copies of your Personal Data that Majestic retains after the Term, unless DP Law requires or permits Majestic to retain the Personal Data for a longer period.

Sub-processors

You specifically authorize Majestic to use the Sub-processors and Affiliates listed in the mutually agreed list of Sub-processors and Affiliates (the "Majestic Service Providers List"). If you have subscribed to email notifications for the Majestic Service Providers List, Majestic will notify you by email of any intended change to the list at least thirty days before the change takes effect.

You have 30 days from the date of notification to raise a reasonable objection to the change. You acknowledge that Majestic's Sub-processors are necessary for Majestic to provide the Services, and that if you object to Majestic's use of a Sub-processor, Majestic is not required to provide you with the Services for which Majestic uses that Sub-processor.

Majestic will enter into a written agreement with each Sub-processor that imposes obligations comparable to those imposed on Majestic under this DPP, including the implementation of appropriate Data Security Measures. If a Sub-processor fails to fulfil its data protection obligations, Majestic remains liable to you for the acts and omissions of that Sub-processor to the same extent Majestic would be liable if it performed the relevant Services directly.

CCPA Certification

Majestic certifies that it understands the CCPA requirements set out in this DPP, to the extent they apply to the Services, and will comply with them.

Exclusion of Liability

Notwithstanding anything to the contrary in your Majestic Services Policy or this DPP, Majestic and its Affiliates will not be liable for any claim brought by a Data Subject arising from or relating to the acts or omissions of Majestic or its Affiliates, to the extent Majestic was acting in accordance with your Instructions.

Your Obligations as a Data Controller

You must comply with all of your obligations under DP Law, including those relating to confidentiality, data security, and Data Subject rights. You must ensure that the Processing of Personal Data described in your Majestic Services Policy, including this DPP, has a valid legal basis. You must also provide Data Subjects with all information required by DP Law, in a transparent and easily accessible form, including a privacy notice.

Data Transfers

Majestic and its Affiliates may transfer Personal Data across national borders in order to provide the Services. In particular, Majestic and its Affiliates may transfer Personal Data to SINC in the United States and to their Affiliates and Sub-processors located abroad. Where Personal Data is transferred under this DPP to a country or recipient not recognized as providing an adequate level of protection for Personal Data, Majestic will comply with its obligations under DP Law.

Transfers from the EEA to SINC

This DPP incorporates the EEA SCCs, which apply to any transfer from the EEA, between you and SINC, of Personal Data Processed under this DPP. You agree that the EEA SCCs are completed with the following details: the data importer is SINC, and you are the data exporter. Option 2 under Clause 9 of the EEA SCCs applies, and you give SINC general authorization to engage Sub-processors in accordance with Section 4.2 of this DPP. The optional redress language in Clause 11(a) of the EEA SCCs does not apply. Under Clause 17 of the EEA SCCs, Irish law governs.

Under Clause 18 of the EEA SCCs, the courts of Ireland have jurisdiction. Annexes I, II, and III of the EEA SCCs are deemed to contain the information set out in Exhibits 1 and 2 of this DPP, and Annex IV of Exhibit 2 of this DPP supplements the EEA SCCs with additional clauses.

2010 SCCs. For transfers of Personal Data from the EEA, Switzerland, or the United Kingdom, any reference in an agreement between you and Majestic or its Affiliates to the standard contractual clauses adopted under Directive 95/46/EC (the "2010 SCCs") is deemed a reference to the Approved Data Transfer Mechanism, which replaces the 2010 SCCs. Personal Data transferred under the 2010 SCCs will be subject to the Approved Data Transfer Mechanism rather than being returned or deleted as a consequence of the termination of the 2010 SCCs.

Transfers from the UK to SINC

This DPP incorporates the UK Data Transfer Addendum, which applies to any transfer from the United Kingdom, between you and SINC, of Personal Data Processed under this DPP. You agree that the UK Data Transfer Addendum is completed with the following details:

The data importer is SINC, and you are the data exporter. Table 1 of the UK Data Transfer Addendum is deemed to contain the information set out in Annex IA of Exhibit 2 of this DPP. The "Approved EU SCCs" appended to the UK Data Transfer Addendum are the EEA SCCs, together with their appendix information, modules, and selected clauses, as follows:

  • The optional docking clause in Clause 7 of the EEA SCCs does not apply.
  • Option 2 under Clause 9 of the EEA SCCs applies, and SINC has general authorization to engage Sub-processors in accordance with Section 4.2 of this DPP.
  • The optional redress language in Clause 11(a) of the EEA SCCs does not apply.
  • Annex IV of Exhibit 2 of this DPP supplements the EEA SCCs with additional clauses.
  • Table 3 of the UK Data Transfer Addendum is deemed to contain the information set out in Exhibits 1 and 2 of this DPP.
  • For the purposes of Table 4 of the UK Data Transfer Addendum, both the "Importer" and "Exporter" options apply.
  • The mandatory clauses in Part 2 of the UK Data Transfer Addendum apply.
  • By transferring Personal Data to SINC through the Services, you are deemed to have signed the UK Data Transfer Addendum.

Transfers from other countries or regions

Additional terms governing transfers of Personal Data Processed under this DPP from certain other countries or regions, including the applicable Approved Data Transfer Mechanisms, are set out in Exhibit 3 of this DPP.

Conflict resolution

In the event of a conflict or ambiguity between:
  • the provisions of this DPP and the provisions of the Majestic Services Policy relating to the Processing of Personal Data, the provisions of this DPP prevail; and
  • the provisions of this DPP and any Approved Data Transfer Mechanism that you and SINC have entered into, the terms of the Approved Data Transfer Mechanism prevail.

Exhibit 1: Majestic Data Security Measures

Security policies and program

Majestic maintains and implements a security program that covers Majestic's security management processes, including the security controls Majestic uses. The security program includes:

  • A written policy formally approved by Majestic, published internally, communicated to stakeholders, and reviewed at least annually.
  • Clear, documented assignment of responsibilities and authorities for security program activities.
  • Policies covering acceptable computer use, data classification, encryption controls, access controls, removable media, and remote access, as appropriate.
  • Regular testing of key controls, systems, and procedures.

Privacy program

Majestic maintains and implements a privacy program and associated policies that address the collection, use, and disclosure of Personal Data.

Risk and asset management

  • Majestic performs risk assessments and implements, maintains, and monitors processes for risk identification, analysis, reporting, and management of corrective actions.
  • Majestic maintains and implements an asset management program under which hardware and software assets are classified and managed throughout their lifecycle.

Human resources security

  • All (a) Majestic employees and (b) independent contractors of Majestic who may have access to Personal Data ((a) and (b) together, "Personnel") must comply with Majestic's privacy standards and be aware of their responsibilities.
  • For Personnel, whether engaged directly by Majestic or through a third party, Majestic will:

1. Conduct background checks and pre-employment screening.
2. Provide security and privacy training.
3. Apply disciplinary procedures for violations of data security or data protection requirements.
4. Promptly revoke or adjust access rights, and require the return or destruction of any Personal Data in their possession, on termination or change of role.

Authentication

Majestic uses appropriate authentication methods, such as hardware tokens, biometrics, and strong passwords, to verify the identity of each member of Personnel.

Training and awareness

Annual privacy and security training. Each year, Majestic Personnel complete security and privacy awareness training covering Majestic's confidentiality and privacy policies and procedures.

Network and operations management

Policies and procedures

Majestic implements policies and procedures for network and operations management. These cover hardening, change control, separation of duties, separation of development and production environments, technical architecture management, network security, anti-malware, data integrity, encryption, audit trails, and network segregation.

Vulnerability assessment

Majestic performs regular vulnerability assessments and penetration tests, with a focus on systems and applications that handle sensitive data.

Technical access controls

Access control

Majestic takes measures to prevent unauthorized persons from accessing its data processing systems. These include:

  • User identification and authentication procedures.
  • ID/password security procedures (special characters, minimum length, password changes), including stricter digital authentication measures based on NIST SP 800-63B.
  • Automatic locking (passwords, timeouts, etc.).
  • Monitoring of intrusion attempts.
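The NIST SP 800-63B reference above deserves a closer look, because that publication asks verifiers to require a minimum length, to accept long passphrases and any printable character, and to screen candidates against lists of compromised or commonly used passwords, while discouraging composition rules (mandatory special characters) and periodic forced changes. The Go program below is an added example, not Majestic's own code, of a password verifier that follows 800-63B. The blocklist, the service name "majestic" used as a context-specific word, and the length cap of 128 are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// Constructed blocklist for this example. A real verifier loads a large
// list of breached and commonly used passwords (SP 800-63B sec. 5.1.1.2).
var blocklist = map[string]struct{}{
	"password":  {},
	"password1": {},
	"qwerty123": {},
	"letmein":   {},
	"iloveyou":  {},
	"welcome1":  {},
}

const (
	minLen = 8   // 800-63B: at least 8 characters for user-chosen secrets
	maxLen = 128 // 800-63B: permit at least 64; capped here to bound hashing cost
)

// serviceName is a context-specific word (800-63B) that must not appear in
// a password for this service. Assumed for the example.
const serviceName = "majestic"

// CheckPassword applies 800-63B verifier rules and returns nil when the
// candidate is acceptable. It imposes no composition rules (mixed case,
// digits, symbols) and no expiry, both of which 800-63B advises against.
func CheckPassword(candidate, username string) error {
	if !utf8.ValidString(candidate) {
		return fmt.Errorf("password is not valid UTF-8")
	}
	// Count characters, not bytes, so non-ASCII passphrases are not penalized.
	n := utf8.RuneCountInString(candidate)
	if n < minLen {
		return fmt.Errorf("too short: %d characters, minimum %d", n, minLen)
	}
	if n > maxLen {
		return fmt.Errorf("too long: %d characters, maximum %d", n, maxLen)
	}
	lower := strings.ToLower(candidate)
	if _, listed := blocklist[lower]; listed {
		return fmt.Errorf("appears in the compromised-password list")
	}
	for _, word := range []string{serviceName, strings.ToLower(username)} {
		if word != "" && strings.Contains(lower, word) {
			return fmt.Errorf("contains context-specific word %q", word)
		}
	}
	if isRepetitiveOrSequential(lower) {
		return fmt.Errorf("repetitive or sequential characters")
	}
	return nil
}

// isRepetitiveOrSequential flags one repeated character ("aaaaaaaa") and
// straight ascending or descending runs ("12345678", "hgfedcba").
func isRepetitiveOrSequential(s string) bool {
	r := []rune(s)
	same, asc, desc := true, true, true
	for i := 1; i < len(r); i++ {
		same = same && r[i] == r[0]
		asc = asc && r[i] == r[i-1]+1
		desc = desc && r[i] == r[i-1]-1
	}
	return same || asc || desc
}

func main() {
	for _, c := range []string{"correct horse battery staple", "Password1", "Majestic2024", "12345678"} {
		if err := CheckPassword(c, "alice"); err != nil {
			fmt.Printf("%-30q rejected: %v\n", c, err)
		} else {
			fmt.Printf("%-30q accepted\n", c)
		}
	}
}
```

The throttling that 800-63B also requires (limiting failed attempts per account) belongs in the login path rather than in this check, and corresponds to the "automatic locking" and "monitoring of intrusion attempts" items above.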

Data access control

Personal Data must not be read, copied, modified, or deleted without authorization. Only persons authorized to use Majestic's data processing systems may access Personal Data, and only as permitted by their access rights. Majestic takes the following measures to prevent unauthorized access:

  • Internal policies and procedures.
  • Administrative authorization rules.
  • Differentiated access rights (profiles, roles, actions, and objects).
  • Access monitoring and logging.
  • Access reports.
  • Access procedures.
  • Change procedures.
  • Deletion procedures.

Physical access controls

Majestic hosts its production infrastructure with reputable third-party service providers and relies on those providers to manage physical access to the facilities they operate. Majestic's service providers use a range of security measures to prevent unauthorized persons from physically accessing the data processing systems (such as databases, application servers, and related hardware) at the sites where Personal Data is Processed. These measures include:

  • Physical access control systems and procedures at the hosting facilities.
  • A 24/7 Global Security Operations Center that monitors physical security systems.
  • Security video and alarm systems.
  • Role- and zone-based access control.
  • Access control auditing measures.
  • An electronic key tracking and management program.
  • Approval procedures for employee and third-party access.
  • Door locks (such as electronic locks).
  • Uniformed and trained security officers.

Majestic reviews third-party audit reports to confirm that its service providers maintain appropriate physical access controls at the managed data centers.

Availability management

Majestic has implemented procedures to ensure that availability of and access to Personal Data can be restored promptly in the event of a technical or physical incident:

  • Database replication
  • Backup procedures
  • Hardware redundancy
  • Disaster recovery plan

Disclosure control

Majestic takes measures to ensure that (a) Personal Data cannot be read, copied, modified, or deleted without authorization while being transmitted electronically, transported, or stored on storage media (physical or electronic), and (b) the entities or other organizations to which Personal Data has been disclosed can be identified and reviewed. These measures include logging, transport security, and encryption.

Input control

Majestic provides means for tracking who has entered, modified, or deleted data in its data processing systems (such as audit trails, documentation, and logging and reporting systems).

Separation control

Majestic implements measures to allow Personal Data collected for different purposes to be Processed separately:

  • "Least privilege" restrictions on access to data by internal services.
  • Separation of production and test environments.
  • Procedures for storing, modifying, deleting, and transferring data for different purposes.
  • Logical segmentation to keep Personal Data separated.

Reporting and certification

PCI DSS compliance

Majestic delivers the Service in compliance with PCI DSS requirements at the highest level of validation (PCI Level 1). Majestic's PCI DSS compliance is validated annually by a Qualified Security Assessor (QSA).

SOC reports

Majestic maintains compliance with the AICPA System and Organization Controls ("SOC") audit standards for service organizations. SOC 1 and SOC 2 reports are produced annually and are available on request.

Majestic may add standards and certifications at any time.

Encryption

Majestic uses encryption at multiple layers of its services to reduce the risk that stored or transmitted Majestic data is accessed by unauthorized parties. Majestic's cryptographic key material is accessible only to a restricted group of authorized Majestic Personnel.

Encryption in transit

To protect data in transit, Majestic requires that all inbound and outbound data connections be encrypted using TLS 1.2 or later. For data traversing Majestic's internal production network, Majestic uses mutual TLS (mTLS) to encrypt and authenticate connections between production systems.
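As an added illustration (not Majestic's own code or configuration, which the policy does not show), the Go program below shows how the two requirements above, a TLS 1.2 floor for every connection and mutual TLS inside the production network, can be enforced at the handshake rather than only documented. The `Edge` and `Internal` tier names, the `EnforcePolicy` check, and the `ServerConfig` builder are assumptions for this example; the certificate and CA pool arguments would come from the deployment's own PKI.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
)

// Tier distinguishes the two connection classes the policy describes.
type Tier int

const (
	Edge     Tier = iota // customer-facing endpoints: TLS 1.2 or later
	Internal             // service-to-service links: TLS 1.2 or later plus mTLS
)

// EnforcePolicy checks a completed handshake against the tier's rules. Wired in
// as tls.Config.VerifyConnection, it rejects a non-compliant peer before any
// application data is exchanged.
func EnforcePolicy(tier Tier, cs tls.ConnectionState) error {
	if cs.Version < tls.VersionTLS12 {
		return fmt.Errorf("tls: negotiated version 0x%04x is below TLS 1.2", cs.Version)
	}
	if tier == Internal && len(cs.PeerCertificates) == 0 {
		return errors.New("tls: internal peer presented no client certificate")
	}
	return nil
}

// ServerConfig builds the listener configuration for a tier. cert is the
// server's own certificate; clientCAs is the internal CA pool that issues
// service certificates and is only consulted for Internal listeners.
func ServerConfig(tier Tier, cert tls.Certificate, clientCAs *x509.CertPool) *tls.Config {
	cfg := &tls.Config{
		MinVersion:   tls.VersionTLS12, // refuses TLS 1.0/1.1 at the handshake
		Certificates: []tls.Certificate{cert},
		VerifyConnection: func(cs tls.ConnectionState) error {
			return EnforcePolicy(tier, cs)
		},
	}
	if tier == Internal {
		// Require and verify a client certificate chained to the internal CA.
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
		cfg.ClientCAs = clientCAs
	}
	return cfg
}

func main() {
	// Illustrative only: an empty certificate and pool stand in for real PKI material.
	cfg := ServerConfig(Internal, tls.Certificate{}, x509.NewCertPool())
	fmt.Println("internal listener requires client certificates:",
		cfg.ClientAuth == tls.RequireAndVerifyClientCert)
	err := EnforcePolicy(Edge, tls.ConnectionState{Version: tls.VersionTLS11})
	fmt.Println("TLS 1.1 peer rejected:", err != nil)
}
```

Setting `MinVersion` alone is enough to refuse old protocol versions; the `VerifyConnection` callback is what turns "mTLS between production systems" into something a misconfigured service cannot silently skip.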

Encryption at rest

To protect data at rest, Majestic encrypts all operational data stored on its server infrastructure using industry-standard encryption (AES-256).

Tokenization of payment card and bank account data

Payment card and bank account numbers are stored in a separate, highly secured data vault and are encrypted at the data level using industry-standard encryption (AES-256). The decryption key is held on a separate machine, apart from the vault. Tokens are generated to stand in for these numbers in Majestic's data processing.
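As an added example (not Majestic's vault implementation, whose internals the policy does not describe), the Go program below shows the structure the paragraph describes: only the vault holds the AES-256 key, each number is encrypted with AES-256-GCM, and callers receive a random token that has no mathematical relationship to the number. The `Vault` type, the `tok_` prefix, the in-memory record map, and the well-known test card number 4111 1111 1111 1111 are assumptions made for the example; a production vault would fetch the key from an HSM or KMS on a separate machine rather than hold it in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Vault is the only component that ever sees the AES-256 key. Everything
// outside it (order systems, support tools, logs) handles tokens only.
type Vault struct {
	aead    cipher.AEAD
	records map[string][]byte // token -> nonce || ciphertext
}

// NewVault wraps a 32-byte key in AES-256-GCM. The key would come from an
// HSM/KMS on a separate machine in a real deployment.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("vault: key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, records: make(map[string][]byte)}, nil
}

// Tokenize encrypts a card or account number and returns an opaque token.
// The token is 16 random bytes, so it reveals nothing about the number.
func (v *Vault) Tokenize(number string) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := "tok_" + hex.EncodeToString(raw)

	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// The token is bound in as additional authenticated data, so a record
	// copied under a different token fails authentication on decrypt.
	ct := v.aead.Seal(nil, nonce, []byte(number), []byte(token))
	v.records[token] = append(nonce, ct...)
	return token, nil
}

// Detokenize is the only path back to the cleartext number and should be
// reachable solely from the payment-processing flow.
func (v *Vault) Detokenize(token string) (string, error) {
	rec, ok := v.records[token]
	if !ok {
		return "", errors.New("vault: unknown token")
	}
	n := v.aead.NonceSize()
	pt, err := v.aead.Open(nil, rec[:n], rec[n:], []byte(token))
	if err != nil {
		return "", errors.New("vault: authentication failed")
	}
	return string(pt), nil
}

// LastFour is the only fragment systems outside the vault should display.
func LastFour(number string) string {
	if len(number) < 4 {
		return number
	}
	return "****" + number[len(number)-4:]
}

func main() {
	// Constructed inputs: an all-zero key and the well-known test PAN.
	v, _ := NewVault(make([]byte, 32))
	tok, _ := v.Tokenize("4111111111111111")
	fmt.Println("token for order systems:", tok)
	fmt.Println("display:", LastFour("4111111111111111"))
	pan, _ := v.Detokenize(tok)
	fmt.Println("cleartext inside vault:", pan)
}
```

Because the token is random rather than derived from the number, a dump of the order database yields nothing usable without both the vault's records and its key, which is the property that lets systems outside the vault stay out of PCI DSS scope.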

Data security incident management and notification

Majestic has implemented a data security incident management program that governs how Majestic handles Incidents.

As required by DP Law, Majestic will promptly notify affected Majestic users and relevant Governmental Authorities of an Incident.

Assessments, test results, and security questionnaires

On written request, and no more than once a year, Majestic will complete a written data security questionnaire of reasonable length and scope concerning Majestic's information technology environment and business practices relevant to its Processing of Personal Data. Majestic's responses to the security questionnaire are Majestic's confidential information.

System configuration

Majestic implements processes to ensure secure system configuration, including industry-standard practices for internal IT and IT security governance.

Majestic provisions systems and infrastructure using deployment automation tools. These tools apply infrastructure configurations that are managed as code and pass through Majestic's change management process. Majestic's change management process requires a formal code review and two-party sign-off before changes reach production.

Majestic uses monitoring tools to detect deviations from established configuration baselines in the production infrastructure.

Data portability

Majestic provides users with programmatic access, through the Majestic API, to their stored data for export (other than PCI-scoped data). A process for migrating PCI-scoped data to other PCI DSS Level 1 compliant payment processors is available.

Data retention and erasure

Majestic implements, maintains, and reviews data retention policies and procedures for Personal Data as required.