Privacy Policy
Purpose
This Privacy by Design and Default Policy establishes Grayphite's commitment to embedding privacy and data protection into the design, development, deployment, operation, and retirement of all systems, applications, and business processes that process personal data. The policy supports compliance with applicable privacy and data protection regulations, including the European Union General Data Protection Regulation (GDPR), while proactively identifying and minimizing privacy and data protection risks.
Scope
This policy applies to all Grayphite employees, contractors, consultants, third-party service providers, and business units involved in the design, development, implementation, operation, or management of systems, applications, networks, platforms, and business processes that collect, process, store, transmit, or dispose of personal data.
This policy covers:
- Software development projects
- Internal business applications
- Customer-facing platforms
- IT infrastructure and networks
- Data processing workflows
- Third-party integrations, APIs, and external platforms
- Data storage, archival, backup, and disposal processes
Policy Principles
Grayphite adopts Privacy by Design and Default as a foundational principle across all personal data processing activities. The following principles shall be implemented:
1. Proactive and Preventative Approach
Privacy and data protection requirements shall be identified and addressed at the earliest stages of project planning, design, and implementation to prevent privacy risks before they occur.
2. Privacy as the Default Setting
Systems and services shall be configured with privacy-preserving settings by default. Only personal data necessary for a specific, legitimate business purpose shall be collected, processed, stored, or made accessible.
This applies to:
- The type and volume of personal data collected
- The extent of data processing
- Data retention periods
- Access permissions and data visibility
3. Privacy Embedded into Design
Privacy controls shall be integrated into the architecture of applications, systems, infrastructure, and business processes without compromising operational functionality.
Privacy considerations shall be included within:
- Business Requirement Documents (BRD)
- Functional Specification Documents (FSD)
- System Solution Designs (SSD)
- User interface and user experience designs
- Testing and deployment workflows
4. Data Minimization
Grayphite shall collect and process only the minimum amount of personal data necessary to fulfill a defined business purpose.
This includes:
- Limiting data fields collected
- Minimizing duplication across databases and logs
- Avoiding unnecessary archival of personal data
- Defining appropriate retention periods
5. End-to-End Lifecycle Protection
Personal data shall be protected throughout its lifecycle—from collection to secure destruction.
Security measures may include:
- Pseudonymization
- Encryption of personal data in transit and at rest
- Access controls
- Logging and monitoring
- Secure backup and disposal procedures
Backups containing personal data shall be retained only for approved business and regulatory requirements.
6. Transparency and User Privacy
Grayphite shall maintain transparency regarding how personal data is collected, processed, stored, and shared. Individuals shall be provided with appropriate privacy notices and mechanisms to exercise their privacy rights where applicable.
7. Privacy Risk Assessment
A Data Protection Impact Assessment (DPIA) shall be completed before implementing any new system, application, integration, or business process involving personal data where privacy risks may arise.
Privacy assessments shall include:
- Data flow analysis
- Risk identification and prioritization
- Control mapping
- Regulatory compliance review
- Stakeholder accountability
8. Privacy Training and Awareness
All relevant personnel shall receive privacy and data protection awareness training appropriate to their roles and responsibilities.
Governance
The implementation and oversight of this policy are governed by Grayphite's Information Security and Privacy Management function.
Responsibilities include:
- Defining privacy requirements for projects and systems
- Reviewing DPIAs and privacy assessments
- Monitoring compliance with privacy regulations and internal standards
- Maintaining privacy design checklists and implementation guidelines
- Ensuring accountability across project teams, product owners, engineering teams, and business stakeholders
Non-compliance with this policy may result in corrective action in accordance with Grayphite's internal governance and disciplinary procedures.
Continuous Improvement
Grayphite continuously evaluates and enhances its privacy controls, design methodologies, and operational safeguards to address evolving regulatory requirements, business changes, emerging technologies, and privacy risks.
This includes:
- Periodic policy reviews
- Lessons learned from incidents and audits
- Regulatory monitoring
- Privacy control effectiveness assessments
- Updates to training, processes, and technical safeguards
Contact
For questions regarding Grayphite's security and compliance practices, please contact: security@grayphite.com