This Privacy and Cookie Policy outlines how Dignep Group Pvt. Ltd. (“the Company”) manages the collection, use, and protection of data across its services, platforms, and systems. As a service partner specializing in bespoke software and AI solutions, the Company is committed to safeguarding client data and maintaining compliance with international standards such as SOC 2, ISO 27001, and GDPR.
1. Data Categories and Collection
Dignep processes various types of data to support its compliance, risk management, and digital transformation services. These include:
- Customer Data: Any information uploaded or processed by customers, including personal identifiers (PII), compliance artifacts, and evidence.
- System Data: Platform metadata such as log files, access records, operational metrics, and usage analytics.
- AI-Generated Data: Outputs produced by the platform’s AI, such as risk assessments, report drafts, and automated insights derived from customer data.
- Restricted Data (High Risk): Highly sensitive information, including financial records and proprietary algorithms, subject to the most stringent access controls.
2. Use of Information
Data is used exclusively to deliver the platform’s core services, including automated compliance management, risk analysis, and customer support.
- Service Enhancement: System data and anonymized AI data may be used to improve features and train models, provided appropriate privacy safeguards are in place.
- Prohibition on Marketing: Dignep does not use customer data for third-party sales, marketing, or unrelated product development.
- AI Oversight: For high-risk automation or decision-making logic, the Company employs human-in-the-loop oversight to ensure transparency and explainability.
3. Cookie and System Tracking Policy
Tracking on the platform is handled as System Data, which includes platform metadata and usage analytics used to monitor performance and enhance user experience.
- Monitoring: The platform utilizes AI-driven analytics for real-time anomaly detection and predictive maintenance.
- Audit Trails: Comprehensive logs of all access attempts, source IPs, and sessions are maintained for audit and investigation purposes.
- Control: Users are generally required to log out of all sessions at the end of use to maintain credential security.
4. Third-Party Disclosures
Dignep does not disclose data to third parties except under the following conditions:
- Subprocessors: Data may be shared with cloud service providers under strict contractual, security, and confidentiality terms (such as DPAs and NDAs).
- Legal Requirements: Disclosure occurs only when required by law or a binding governmental request. The Company will provide reasonable notification to the customer unless legally prohibited.
- Assurance: Critical vendors are subject to annual third-party audits and risk assessments to ensure they meet Dignep’s security standards.
5. Data Security Measures
Dignep implements a “Security by Design” approach. Technical safeguards include:
- Encryption: All sensitive data is encrypted using AES-256 at rest and TLS 1.2 or higher in transit.
- Access Control: Access is governed by the principle of least privilege, requiring unique credentials and Multi-Factor Authentication (MFA) for all sensitive and remote access.
- Network Security: Corporate networks are secured via WPA3 or WPA2-Enterprise encryption, and the use of a company-approved VPN is mandatory for remote access.
6. Your Rights and Data Ownership
The platform is designed to support individual rights under global privacy frameworks.
- Ownership: Customers retain full ownership of the data they upload and the specific data generated on their behalf.
- Access and Correction: Administrators may review, export, correct, or delete their data at any time.
- Right to Erasure: At the end of a contract or upon request, customer data (including AI-generated content) is permanently and securely deleted using cryptographic wipe methods.
- Opt-Out: Customers may opt out of having their data used for product improvement or model training, unless essential for core service delivery.
7. Data Retention
Retention periods are determined by data type and purpose:
- Compliance Evidence: 1–7 years (client-configurable).
- Audit Logs: 1–3 years (client-configurable).
- Backup Data: Up to 90 days on a rolling cycle for disaster recovery.
- Deactivated User Data: Retained for 90 days post-deactivation for security and forensics.
8. Contact and Policy Governance
This policy is owned by the Chief Information Security Officer (CISO) and is reviewed at least annually. For inquiries or to report security concerns, contact:
- Email: info@dignep.com.np or security@dignep.com.np.
- Address: Dignep Group Pvt. Ltd., Pulchowk, Lalitpur.
