Handling Confidential Data

The General Data Protection Regulation (GDPR) does not not explicitly state what data types that can be stored, but it does impose strict rules on how and why personal data is collected, stored, and processed.

Any type of data that can be linked to an identifiable individual — such as names, email addresses, IP addresses, or even device identifiers — falls under GDPR’s regulations, if it pertains to EU residents.

It is worth noting that GDPR places additional restrictions on certain categories of personal data which are considered more sensitive. The sensitive nature of these categories mandate for stronger controls to safeguard individual privacy.

Please refer to relevant GDPR documentation for more information.

Pre implementation and onboarding, expectations are set out regarding data confidentiality and privacy between the Data controller and Data processor.

• Data controller: the customer, who may be tied to other contractual agreements with other organisations

• Data processor: Seal

As an example, the data controller will need to identify various types of information, such as (but not limited to):

• Personal data and data subjects: this includes information that relates to individuals or groups who can be directly or indirectly identified

• Data processing: any action that will be performed on the data, whether automated or manual

• Purpose limitation: processing of data for legitimate purposes according to what is defined by the data controller

• Storage limitation: storage of data for as long as necessary for the specified purpose

• Laws under which the data is governed under

If necessary, a Data Processing Agreement (DPA) may be drafted. This agreement will rely on transparency from both the data controller and processor to understand their obligations under data protection regulations.

During the implementation phase, customers may also utilize anonymized or dummy data to test workflows, integrations, and functionality without exposing real, sensitive information.

Seal recommends this approach to allow teams to replicate daily workflows and scenarios to ensure that the Seal system operates as expected, while still maintaining data privacy and compliance.

• Anonymized data -> mirrors actual data structure but removes any personal identifiers

• Dummy data -> generated to simulate typical user inputs or transactional information.

By using the above data types, customers can confidently validate configurations, troubleshoot potential issues, and conduct user training sessions without potentially risking data security.

Note that Seal only processes personal data on behalf of the customer, in connection with the provision of services, and in accordance with the customer's instruction and guidance. It is the customer's responsibility to provide and enable access to the appropriate data for platform configuration, and at the customer's discretion to ensure that the data shared complies with the appropriate data regulation principles.

Customers maintain full ownership and oversight of their data within the Seal Platform.

During support, or when further configuration assistance is required, customers should grant access permissions to the Seal Team to enable Seal Support to view or interact with the platform, for troubleshooting purposes.

Seal is committed to, and is always working to stay compliant. This includes (but not limited to):

• Complying with applicable data protection laws in relation to storage and processing of customer data

• Offering additional security features to protect more sensitive data, upon customer request

• Supporting in creation of documentation and resources for customer privacy assessments and audits

• Committing to continuously evolve Seal's data security and protection capabilities as the data landscape changes

Please refer to our Data Storage and Security and Back-Up and Disaster Recovery pages for more information.