Data Protection Policy
Purpose
This Data Protection Policy establishes Grayphite's commitment to protecting personal data, respecting individual privacy rights, and ensuring compliance with applicable data protection laws, including the European Union General Data Protection Regulation (GDPR). This policy defines the framework for the lawful collection, processing, storage, sharing, retention, and protection of personal data across Grayphite's operations.
Scope
This policy applies to all Grayphite employees, contractors, consultants, board members, suppliers, service providers, and third parties who access, process, manage, or store personal data on behalf of Grayphite.
This policy applies to:
- All information systems and business applications
- Physical and electronic records
- Cloud platforms and hosted environments
- Customer, employee, vendor, and partner information
- Internal and external data processing activities
- Cross-border data transfers
- Third-party processing arrangements
Policy Principles
Grayphite processes personal data in accordance with applicable legal, regulatory, and contractual obligations and adheres to the following principles:
1. Lawfulness, Fairness, and Transparency
Personal data shall be processed lawfully, fairly, and transparently. Individuals shall be informed about how their data is collected, used, stored, shared, and protected through clear privacy notices and appropriate communication channels.
2. Purpose Limitation
Personal data shall be collected only for specified, explicit, and legitimate business purposes and shall not be processed in a manner incompatible with those purposes.
3. Data Minimization
Grayphite shall collect and process only personal data that is adequate, relevant, and limited to what is necessary for the intended business purpose.
4. Accuracy
Grayphite shall take reasonable steps to ensure that personal data remains accurate, complete, and up to date. Inaccurate or outdated data shall be corrected or deleted without undue delay.
5. Storage Limitation
Personal data shall be retained only for as long as necessary to fulfill business, legal, regulatory, or contractual obligations. Secure deletion and disposal procedures shall be followed when retention periods expire.
6. Integrity and Confidentiality
Personal data shall be protected against unauthorized access, disclosure, alteration, loss, destruction, or misuse through appropriate technical and organizational safeguards.
Security measures may include:
- Access controls
- Encryption and pseudonymization
- Secure backups
- Logging and monitoring
- Vulnerability management
- Secure disposal procedures
7. Accountability
Grayphite shall maintain documented evidence of compliance with data protection requirements, including policies, procedures, records of processing activities, risk assessments, and audit evidence.
8. Sensitive Personal Data
Grayphite does not knowingly collect, store, process, or transmit sensitive personal data (special categories of personal data under GDPR Article 9, such as health, biometric, or genetic data, and data revealing racial or ethnic origin, political opinions, religious beliefs, or sexual orientation) unless explicitly required by law, contractual obligation, or approved business necessity supported by an appropriate legal basis, a valid Article 9 condition, and enhanced safeguards.
9. Lawful Basis for Processing
Grayphite shall identify, document, and maintain an appropriate lawful basis before processing personal data. Processing may be based on:
- Consent
- Contractual necessity
- Legal obligation
- Protection of vital interests
- Public interest
- Legitimate business interests
Where consent is used:
- Consent shall be freely given, specific, informed, and unambiguous, and explicit where required (for example, for special categories of personal data)
- Individuals may withdraw consent at any time
- Consent records shall be maintained for audit purposes
10. Individual Rights
Grayphite recognizes and supports individuals' rights under applicable privacy regulations, including:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision-making and profiling
Requests relating to individual rights shall be handled through documented procedures within applicable legal timeframes (under GDPR, without undue delay and within one month of receipt, extendable by up to two further months for complex or numerous requests, provided the individual is informed of the extension).
11. Data Protection Impact Assessments
Grayphite shall conduct Data Protection Impact Assessments (DPIAs) for new systems, processes, technologies, or changes that may introduce privacy risks, and shall always conduct one where processing is likely to result in a high risk to individuals, as required under GDPR Article 35.
DPIAs shall evaluate:
- Purpose of processing
- Data flows
- Risks to individuals
- Proportionality and necessity
- Security and privacy controls
- Compliance obligations
12. Privacy by Design and Default
Privacy and data protection controls shall be integrated into systems, applications, business processes, and technologies from design through retirement, with privacy-preserving settings enabled by default where applicable.
13. Data Inventory and Mapping
Grayphite shall maintain an inventory of personal data processing activities, including:
- Categories of personal data
- Categories of data subjects
- Processing purposes
- Retention periods
- Recipients and transfers
- Security measures
- Third-party processors
14. Third-Party Processing and Data Sharing
Any third party processing personal data on behalf of Grayphite shall operate under documented contractual agreements (data processing agreements meeting the requirements of GDPR Article 28 where GDPR applies) that define:
- Processing scope
- Security requirements
- Confidentiality obligations
- Regulatory compliance responsibilities
- Incident reporting obligations
15. International Data Transfers
Transfers of personal data outside the European Economic Area (EEA) or other approved jurisdictions shall be subject to appropriate safeguards, contractual protections, and legal transfer mechanisms consistent with applicable regulations, such as an adequacy decision or Standard Contractual Clauses under GDPR.
16. Personal Data Breach Management
Grayphite shall maintain documented procedures for identifying, reporting, investigating, and responding to personal data breaches.
Where required by law:
- Relevant supervisory authorities shall be notified within applicable regulatory timelines; under GDPR, without undue delay and where feasible within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms
- Affected individuals shall be notified without undue delay where the breach is likely to result in a high risk to their rights and freedoms
All personnel must promptly report suspected data breaches through established incident reporting procedures.
17. Training and Awareness
All personnel with access to personal data shall receive mandatory privacy and data protection training during onboarding and periodically thereafter.
Training includes:
- Data protection obligations
- Privacy principles
- Secure handling of personal data
- Incident reporting responsibilities
- Regulatory and contractual obligations
Governance
The implementation and oversight of this policy are governed by Grayphite's Information Security and Privacy Management function.
Grayphite shall designate authorized personnel to fulfill privacy governance responsibilities, including:
- Data Controller responsibilities
- Data Processor responsibilities
- Privacy Officer or equivalent privacy oversight role (a Data Protection Officer where GDPR Article 37 requires one)
- Regulatory compliance monitoring
- Privacy incident management
- DPIA review and approval
- Data subject request management
- Audit and compliance reporting
Senior management shall review data protection risks, compliance status, incidents, and improvement initiatives on a regular basis.
Continuous Improvement
Grayphite continuously reviews and enhances its privacy controls, governance framework, operational procedures, and technical safeguards to address evolving regulatory requirements, business changes, emerging technologies, and security threats.
Continuous improvement activities include:
- Periodic policy reviews
- Internal audits and self-assessments
- Privacy risk assessments
- Incident reviews and lessons learned
- Regulatory monitoring
- Updates to training, tools, and operational controls
Contact
For questions regarding Grayphite's security and compliance practices, please contact: security@grayphite.com