Consumer Privacy
Introduction
Consumer privacy refers to the protection and control of consumer's personal identification information and other sensitive data. The key aspects of consumer privacy are listed below:
- Data collection and consent
- Data usage and retention
- Data Security
- Transparency in privacy policies
- Data Breach: Incident detection and response
Consumer Privacy Laws
Organizations must adhere to an array of security regulations, depending on where they operate. Examples include: GDPR, HIPPA, CCPA, GLBA, PIPA, PIPEDA, LGPD, and the NYDFS Cybersecurity Regulation, to name a few. These laws define a variety of restrictions around data use, but the most stringent controls are around personally identifiable information (PII): addresses, social security numbers, credit card numbers, debit card numbers, signatures, and more.
Kumo does not persist the data used for model training in the long-term. This makes it easy for your firm to remain compliant to the provisions related to data retention and deletion. Also, as Kumo does not directly collect data from your customers, the provisions related to consent and right-of-access do not apply to Kumo.
The following sections provide more details on the tools that Kumo provides to help your business remain compliant.
Data Collection and Consent
Most companies that collect customer information typically have a privacy policy that controls how customer data is used. In order to determine whether you are legally permitted to use a tool like Kumo to process your customer data, we recommend following up with your internal privacy team, to confirm that you have received consent from your customers. Typically, this is not an issue, but it doesn't hurt to double-check.
Data Usage and Retention
Before beginning any engagement, Kumo can work with your privacy team to ensure that Kumo's data handling practices adhere to the data processing agreement between you, your customers, and your regulators. This could include:
- Defining and enforcing retention policies for temporary data stored in the Kumo cache during model training
- Filtering or obfuscating PII, before loading data into Kumo.
- Making contractual arrangements to mitigate risk, such as signing a DPA or BAA.
Data Deletion
GDPR and CCPA typically limits the duration that a business may retain information about any of their customers. As Kumo may store temporary data in the Kumo cache during and shortly after model training, we need to be mindful of how this impacts the compliance of our clients.
Prior to onboarding, Kumo will formalize an agreement with the engagement partner outlining the process for data deletion. The data deletion process is configured to automatically delete any intermediate training data after a certain number of days, to help the company remain CCPA and/or GDPR compliant.
Data Security
Kumo maintains an information security and privacy program based on NIST 800-53 (or industry-recognized successor framework), under which Kumo implements and maintains physical, administrative, and technical safeguards designed to protect the confidentiality, integrity, availability, and security of the Service and Customer Data (the “Security and Privacy Program”). In addition, Kumo regularly tests and evaluates its Security and Privacy Program, and may review and update its Security and Privacy Program, provided, however, that such updates shall be designed to enhance and not materially diminish the Security and Privacy Program. To learn more please see Data Security.
Kumo’s Audits & Certifications
Kumo maintains internal processes and programs that are designed to monitor the implementation and effectiveness of the Security program.
Independent Audits and Reports.
In addition to its internal monitoring of the Security program’s implementation and effectiveness, Kumo engages qualified and independent third-party auditors to regularly assess Kumo’s information security and privacy programs.
SOC 2 Type II.
Kumo has planned to undergo at least annual SOC 2 Type II audits that evaluate the adequacy and effectiveness of Kumo’s information security program. Each such audit will generate an audit report, which will be made available to customers under a non-disclosure agreement.
Incident Detection & Response
Security Incident Reporting.
If Kumo becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a “Security Incident“), Kumo shall notify Customer without undue delay and in any case, where feasible, notify Customer within 72 hours after becoming aware. To facilitate
timely notification, the Customer must register and maintain an up-to-date email within the Service for this type of notification. Where no such email is registered, Customer acknowledges that the means of notification shall be at Kumo’s reasonable discretion, and Kumo’s ability to timely notify shall be negatively impacted.
Updated 2 months ago