Privacy, Confidentiality and Data Security
      Back to home
      1. Pathzero Help Centre
      2. Privacy and terms of use policies
      3. Privacy, Confidentiality and Data Security

      How does Pathzero ensure confidentiality of customer data?

      In this article, we provide details about Pathzero's data management policy and how we safeguard your sensitive data.

      Confidentiality

      We understand that sensitive information is uploaded to our platforms and the need to keep it confidential. This is one of our cornerstone priorities.

      Refer to Clause 10 ‘Confidentiality and privacy’ of our Terms and Conditions which are signed as part of your contract with Pathzero. All customers who have access to our platforms are required to agree to these terms.

      You can find detailed information about how we protect any personal information we come across in our Privacy Policy.

      Sharing with your stakeholders

      One or more other customers may request access to view your data through the Pathzero Product. If another customer requests access to your data in this way, you will be notified through the Product of the data to which the other customer has requested access. You may withdraw your consent to sharing of customer data with other customers at any time through the Product settings.

      Information Security Management System ('ISMS')

      We have established an Information Security Management System ('ISMS'), based on the ISO 27001 standard, to ensure comprehensive governance throughout our organisational operations and product offerings. This includes a suite of formal policies covering (amongst others): Compliance Requirements, Information System Security, Access Control, Data Protection, Systems Management, System Ownership and Return, Password Management and Email Management.

      Our Information Security Team regularly reviews our suite of policies and security training as part of continuous improvement efforts to enhance the security posture of our organisation.

      We have Compliance Management systems in place to continuously monitor our security posture and have rolled out across the organisation other security systems such as Password Management, Anti-Virus, Multi-Factor Authentication, and VPN access for internal systems.

      An extract of our internal Data Management Policy are outlined below:

      Confidential Data Handling Protocols at Pathzero

      • Data must only be used for the particular purpose for which it was collected

      • Access for non-preapproved roles requires documented approval from the data owner

      • Access is restricted to specific employees, roles and/or departments

      • Confidential systems shall not allow unauthenticated or anonymous access

      • Confidential customer data shall not be used or stored in non-production
        systems/environments

      • Confidential data shall be encrypted at rest and in transit over public networks in
        accordance with the Cryptography Policy

      • Mobile device storage containing confidential data, including laptops and mobile
        phones, shall be encrypted

      • Mobile devices storing or accessing confidential data, including laptops and mobile
        phones, shall be protected by a log-on password (or equivalent, such as biometric) or
        passcode and shall be configured to lock the screen after five (5) minutes of non-use

      • Backups shall be encrypted

      • Confidential data shall not be stored on personal phones or devices or removable media
        including USB drives, CDs, or DVDs

      • Paper records shall be labelled “confidential” and securely stored and disposed of in a
        secure, approved manner in accordance with data handling and destruction policies and
        procedures

      • Hardcopy paper records shall only be created based on a business need and shall be
        avoided whenever possible

      • Hard drives and mobile devices used to store confidential information must be securely
        wiped prior to disposal or physically destroyed

      • Transfer of confidential data to people or entities outside the company shall only be
        done in accordance with a legal contract or arrangement, and the explicit written
        permission of management or the data owner

      Data Retention

      Pathzero shall retain data as long as the company has a need for its use, or to meet regulatory
      or contractual requirements. Once data is no longer needed, it shall be securely disposed of or
      archived. Data owners, in consultation with legal counsel, may determine retention periods for
      their data.

      Legal Requirements

      Under certain circumstances, Pathzero may become subject to legal proceedings requiring
      retention of data associated with legal holds, lawsuits, or other matters as stipulated by
      Pathzero legal counsel. Such records and information are exempt from any other requirements
      specified within this Data Management Policy and are to be retained in accordance with
      requirements identified by the Legal department. All such holds and special retention
      requirements are subject to annual review with Pathzero’s legal counsel to evaluate continuing
      requirements and scope.

      Where Pathzero is requested or required by a law enforcement or other legal authority to
      disclose data, the matter shall be referred to the Chief Executive Officer and company legal
      counsel.

      Should affected data not belong to Pathzero (e.g. client data), Pathzero shall endeavour to
      notify the data owner in a timely manner unless disclosure is prohibited by law or otherwise
      deemed inappropriate.

      Violations & Enforcement

      Any known violations of this policy should be reported to Head of Finance and Operations.
      Violations of this policy can result in immediate withdrawal or suspension of system and
      network privileges and/or disciplinary action in accordance with company procedures up to and
      including termination of employment.