The following is updated as of February 2023

Cyclr Systems Limited has two products: Cyclr and ConnectorEngine. In this document, a reference to Cyclr or ‘Our’ refers to the trading company Cyclr Systems Limited and its obligations under GDPR as they pertain to the activities of Cyclr.

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of citizens and residents of the UK and the member states of the EU (including those countries in the EEA).

Following recent changes to the GDPR, we have updated our Data Protection Agreement to incorporate the new transfer tools that apply to organisations transferring personal data outside the EU and UK.

This article provides an overview of Cyclr’s position within the GDPR legal framework, and the actions we take to comply with its terms. We will refresh this page as and when variations are required. 

 

Cyclr as Data Controller

Cyclr is a Data Controller when it comes to handling the personal information of our Direct Clients and any Client Prospects. Cyclr is strictly a Business to Business enterprise and does not actively target individual consumers.

Direct Clients are companies with a direct paid subscription to the Cyclr application. Client Prospects are those companies that we are actively targeting as prospective clients and companies/individuals who have provided us with their contact information.

We take the right to be forgotten seriously and use any Direct Client or prospect information solely for the purposes of dealing with existing Direct Clients and prospecting for new business. We do not use personal information for any other purposes. Should you wish your record in Cyclr’s systems to be deleted then please email us – dpo@cyclr.com

In addition, for full transparency, we have disclosed the various applications that we use to store Direct Client and prospect information here.

You can also see our Privacy Policy here.

 

Cyclr as Data Processor

Cyclr and our Direct Clients may each be a Data Processor, depending on the processing activity, when it comes to providing services to, and enacting the instructions of, our Direct Clients. Direct Clients are companies with a direct paid subscription to the Cyclr application, who in turn provide integration functionality to their own End Users (an individual, company or entity that is a client of our Direct Client). We have a Data Protection Agreement to which we and all Direct Clients adhere when they take out a subscription to the Cyclr application.

Our obligations to Direct Clients are also covered by our online terms and conditions or an independent Enterprise Agreement depending upon the subscription and service level the Direct Client has with Cyclr. We endeavour to regularly review and update our terms and conditions and contracts, and communicate any such amendments in a timely fashion.

 

Functional Overview

The Cyclr and ConnectorEngine platforms enable our Direct Clients to offer integration and connectivity functionality between two or more applications to their End Users. This can be achieved by embedding Cyclr into the Direct Client’s application or the Direct Client using Cyclr to deliver a service to their End Users. Cyclr processes data at the instruction of our Direct Clients who in turn are acting on the instruction of their End Users.

By enabling an integration the Direct Client is instructing Cyclr to enable the transfer of data from one application to another. Inherently Direct Clients are enabling integrations at the behest of their own End Users and it is critical that Direct Clients ensure that their End User is aware that they are making the instruction and have given permission. Direct Clients are responsible for this part of the process.

When an integration is activated by an End User, in almost all instances, it is standard for the End User to provide an explicit and unique Authorisation Key for any application from which data is transferred, or to which data is transmitted, in order for any data transfer to take place. This is the authorisation of the data transfer. The integration workflows can also be stopped at any time.

Except in circumstances where an error arises and Cyclr is asked by the Direct Client to explicitly resolve any issues, Cyclr does not proactively analyse or access any data transferred across the Cyclr application.

 

Geography

At the simplest level we offer our Direct Clients the option to host the Cyclr application in the UK (London), the EU (Germany), the US (North Virginia) or Asia Pacific (Sydney) such that when data is transferred it remains within the requested geographic location whilst in the Cyclr environment.

The Cyclr application and databases are currently hosted with Amazon Web Services. Amazon Web Services asserts full compliance with GDPR; please see the link here:

https://aws.amazon.com/compliance/gdpr-center/

If Direct Clients take out an Enterprise/Scale subscription with Cyclr, the Direct Client may also select their own hosting provider, and location, of choice.

Data Transit and Storage Security

We always encourage the use of https:// or SSL where possible when customers are connecting to Cyclr or third party APIs, such that data is encrypted on the way into and out of the Cyclr application.

Whilst in the Cyclr application environment all data is encrypted.

Account access credentials, Authorisation tokens and API keys are all encrypted using AES (an encryption algorithm).

Two-factor authentication (2FA) is enforced when accessing the Cyclr application.

Data Management in Cyclr

As a conduit of data consolidation and movement on behalf of our Direct Clients and their End Users, we have worked hard to include new features that put the parties in full control of their data.

These options include:

Data Retention Settings

We provide complete control over how long data transactions are stored in the Cyclr and ConnectorEngine applications. Each individual workflow can have a different data retention period, set in hours, minutes or days, in order to keep Direct Clients in compliance with their data policy.

We also allow for a separate retention period for transactions with errors, enabling the completion of any support tasks with the full picture.

Whilst Direct Clients have the ability to set their company’s data retention period, End Users can also have separate control over their retention duration. This can be set within their account inside your console, giving your users even more control of their data.

As a backstop we purge all data that is more than 30 days old and hasn’t already been deleted under the instruction of a Direct Client or an End User.

You can access this in the following menu:

Settings > Data Retention


OAuth Client Credential Settings

Direct Clients have the ability to revoke Access Tokens if necessary. This can be used to prevent and control misuse of their platform.

You can access this in the following menu:

Settings > OAuth Client Credentials


Notification Settings

Direct Clients and End Users can set what notifications they receive via email. These can be turned on and off within the management console.

You can access this in the following menu:

For Users: Settings > Integration Settings > Enable User Notification Users

For Console Admins: Settings > Console Administrators > Receive Notification Emails


Assigning a Data Protection Contact

To provide a single point of contact for any data-related queries and enquiries, we have a dedicated point of contact for data protection. If you have any data-related questions, please direct them to dpo@cyclr.com


Summary

Thank you for reading this far. We at Cyclr understand the importance of data, the importance of privacy and the right to be forgotten. We will endeavour to adapt rapidly to legislation as it changes and to work proactively with our Direct Clients, Client Prospects and our Direct Clients’ End Users in order to respond to requests.

Should you have any further questions then please contact us at dpo@cyclr.com