Data Privacy Policy
Purpose and Applicability
This policy outlines the internal data protection norms of CWallet and governs the use and storage of personal data under the laws of the State of Qatar.
Scope
This policy applies to all CWallet staff who process or otherwise handle personal data.
1. Data Privacy Policy
CWallet Services W.L.L. (“CWallet”) takes your privacy seriously and is committed to protecting it. This privacy policy (“Privacy Policy”) describes the types of information we may collect from you and others, and our practices for using, maintaining, protecting and disclosing that information. We collect information from you through our website, www.CWallet.qa (the “Website(s)”) and mobile application (“Mobile App”), when you request information from us or apply for our services (“Services”). We may also collect information about you from other sources when we provide our Services. This Privacy Policy does not apply to information collected by any external websites that may be accessible from our Website and Mobile App.
Please read this Privacy Policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, you may choose to not use our Services. By accessing or using our Website and Mobile App, you agree to this Privacy Policy. This Privacy Policy may change from time to time. We will notify you of any changes by email, website, or text messages or by providing a notice on the Website and Mobile App. Your continued use of our Services after we make changes shall be deemed to be an acceptance of those changes, so please check the Privacy Policy periodically for updates.
- CWallet will email users a privacy notice before or at the time of collecting personal information. The notice must be presented clearly and publicly, and it must be offered both online and offline. A privacy notice must be included on all websites (including intranet portals) and on any product or service that gathers personal information.
- CWallet has implemented processes for obtaining and documenting data subjects' consent. If the collected data is used for marketing, advertising, or other purposes, the data subject may be notified. Users must be made aware of the choices available to them regarding their personal information.
- CWallet may collect personal information online or offline while maintaining the same level of privacy protection. Before accepting personal information from third parties, CWallet shall review their privacy policies and collection methods. Users must not be forced to disclose more personal information than is required for the provision of the product or service requested or approved by the user.
- CWallet will conduct an annual internal audit to ensure that personal information is used, retained, and disposed of in accordance with the organization's data privacy policy. Personal information may be used only for the purposes specified in the notice or contractual agreements, and only with the permission of the data subject.
- CWallet users can request that erroneous, misleading, outdated, or incomplete personal information be corrected or supplemented. Requests for access to or correction of personal information should be directed to the data manager of the relevant project team or support function. CWallet shall provide personal information to data subjects in an understandable and simple form (not in any coded format).
- CWallet may disclose a user's sensitive data to third parties or partner firms solely to comply with the notice, contract or agreements, or for other lawful purposes. CWallet communicates its privacy policies, methods, and duties for data privacy and protection to the parties involved. Before any personal information is disclosed to a third party or partner, that party must first sign a Non-Disclosure Agreement (NDA) with CWallet.
- CWallet has implemented information security rules and procedures to provide proper protection for personal data. Controls for personal information storage, retention, and transfer must be part of information asset labeling and handling guidelines. Individuals who observe or become aware of a breach of personal data shall immediately contact the Data Protection Officer (DPO). Incident response systems are established and maintained to deal with incidents affecting personal data or privacy regulations.
- CWallet is responsible for ensuring that the personal information it collects is accurate and complete for the business purposes for which it will be used. CWallet maintains data integrity and quality as appropriate to the intended purpose of collecting and using personal data, and ensures that data is reliable, accurate, complete, and up to date.
- CWallet has published a Security Incident Management policy that addresses privacy-related incidents and breaches. It defines a system for recording any incidents, complaints and inquiries concerning data privacy.
- CWallet employees with concerns or objections about the processing of their personal information must first discuss the matter with their immediate supervisor. If management and the employee are unable to reach agreement, the matter should be referred to the Customer Service Representative. Customers and third parties with questions or concerns about the processing of their personal information can contact the Customer Service Representative in writing.
- CWallet performs a yearly internal audit to confirm compliance with established privacy policies and legislative requirements. The CWallet team must document any instances of non-compliance with privacy policies and guidelines and report them to the IT and Cyber Officer, Paul Garcia. The IT and Cyber Officer, in collaboration with the Acting CTO, will act on the findings of the internal audit and work on improvements to strengthen the privacy posture.
- CWallet guarantees that registration data captured on the end user's device is held only transiently, encrypted using strong techniques that comply with security best practices, and wiped from the device once it has been submitted to CWallet for verification.
- CWallet guarantees that no sensitive data is saved on the end user's device in clear text. This applies to both web and mobile applications. If required, such data may be held encrypted in memory for the duration of a process's use, but it must not be saved on the end-user device. Where data is encrypted, the encryption keys must not be stored in the same location as the encrypted data.
2. Information collected directly from the Individual
To register with CWallet you will be asked to provide your full name as per your QID, pictures of the front and back of your QID, a video selfie, your Qatar ID number, email address, a mobile number registered in your name, home address, employer, source of income and designation. Additional information may include, without limitation, credit or debit card information or other payment information, and such other details as may be reasonably requested by CWallet.
We will inform you at the point of collecting information from you, whether you are required to provide the information to us. If this information is requested, we will explain how we intend to use it and we will only collect sensitive personal information with your explicit consent.
3. Usage of Information
The personal information you provide us may be used for a number of purposes connected with our business operations (in accordance with the Protection of the Privacy of Personal Data Law (Law No. 13 of 2016)) which include without limitation:
- Marketing and communications;
- Research and analytics;
- Monitoring and recording communications;
- Dealing with requests, enquiries or complaints and other customer care related activities;
- Carrying out market and product analysis and marketing our products and Services generally;
- Contacting you about our products and services; and
- Providing you with advertising, promotions and/or marketing material.
4. Data storage policy
- CWallet stores all information in organized systems, according to classification and retrieval procedures that enable it to be easily identified and retrieved.
- CWallet stores and retains regulated data in accordance with the local regulations of the State of Qatar, in a way that ensures its usefulness and accessibility over time. This may require moving data from one environment or system to another, or converting data from outdated software formats to current versions.
- CWallet restricts physical access to information in rooms, cabinets, drawers, and other storage spaces to safeguard confidential information and preserve the integrity of all documents. Data and computer monitors must not be left open to public or casual inspection.
- CWallet protects against unauthorized access through password security, encryption of digital files and data, and sign-in sheets or request dockets for access to non-digital material.
- CWallet has a policy against using cloud services to store files containing personal, sensitive, or confidential information because of the risks involved in this practice. When information is held on a mobile device (such as a PDA, USB drive, or laptop), additional precautions must be taken to safeguard the device against theft, loss, and damage.
- CWallet protects your privacy by encrypting sensitive data. Where such information is sent to you, it is delivered via a separate encrypted email, in accordance with the Qatar Personal Data Privacy Law.
- CWallet's policies and recommendations on appropriate digital information storage and protection are detailed in the supporting documents specified in the top-level Information Security Policy.
5. Who your information may be shared with?
We may share your information with:
- Law enforcement agencies to prevent unlawful activity;
- Courts, tribunals or judicial bodies to enforce or apply our terms and conditions and other agreements;
- Governmental bodies to respond to any government or regulatory request;
- Third parties, only with your consent or where the information is used for a legitimate purpose such as marketing;
- Other businesses and third parties (such as our service providers, IT hosting and maintenance providers and other contractors) which we engage to help us run our business, for example to provide services to you;
- Analytics and search engine providers that assist us in the improvement and optimization of our website;
- Such other entities or bodies as may be required by law; and other parties to which you authorize us to release information to.
6. Data back-up Policy
- CWallet's backup strategy balances the value of backing up data against the burden such backups impose on users and network resources. Critical data includes all information determined to be critical to company operations and/or employee job functions. It is the user's responsibility to ensure that any data of importance is moved to the file server. Critical data includes all information stored on network servers, web servers, database servers, domain controllers, firewalls, and remote access servers, which may include web pages, databases, email messages (both outgoing and incoming), automated reports created by scripts running on these servers, etc. The CWallet backup administrator must log, monitor and maintain logs for network devices such as switches, routers, and other network hardware. Information stored on employee desktops must be backed up if the backup administrator deems it necessary and backup facilities exist for this purpose; the backup administrator may instead choose to back up a standard desktop configuration and restore data from the file server at his or her discretion.
- CWallet has determined that the following backup plan allows for adequate data recovery in the event of an incident while avoiding an excessive load on its users, network administrators, and backup administrator.
- Off-site storage arrangements must take into account the time required to recover the data, in order to limit the risk of loss due to fire, flood, or other regional or large-scale catastrophes. Backup media must be moved off-site at least once a week.
- CWallet has established the following standards for backup storage to assure their safety and security. Backups should be kept in an access-controlled place when stored on-site. To protect the integrity of backup media when delivered off-site, a hardened facility (i.e., commercial backup service or safe deposit box) that follows approved techniques of environmental controls and security protocols must be employed. Online backups are permitted if the service fits the standards outlined above.
7. Encryption Policy
- CWallet uses cryptographic controls for information classified as PROTECTED or RESTRICTED, including, but not limited to, Personally Identifiable Information (PII), credit card numbers, passwords, intellectual property, research and development information, and budget or contract proposals. All encryption mechanisms utilized by CWallet must be authorized by the appropriate authority.
Users must not attempt to utilize any form of cryptography that has not been approved and installed/implemented by our designated representative. In order to meet regulatory and legal requirements, all encryption methods must meet the following criteria:
- They must be permitted for companies that export or import data;
- They must be approved by the government;
- They must require manual key generation; and
- They must use a strong key length.
- CWallet manages all encryption keys using a commercially available key management system, which ensures that all encryption keys are secured and that access is limited to authorized CWallet personnel. Master keys and privileged access to the key management system must be held by at least two administrators. Keys generated by the key management system must not be easily discernible or guessable when transmitted to third parties, and encryption keys must be transmitted over a different communication channel from the data they encrypt. All key recovery operations must be authorized, and all activities logged by the key management system must be periodically reviewed.
- CWallet requires all sensitive information classified as PROTECTED or RESTRICTED, including, but not limited to, PII, Protected Health Information (PHI), credit card numbers, passwords, and research and development information, to be encrypted when transmitted outside the company. This includes transmission via email or other channels. Remote management activities, such as contractors accessing our network remotely, must always use session encryption. Remote access to corporate systems while teleworking must follow defined procedures, such as use of a VPN. Where feasible, hardware encryption must be used in preference to software encryption.
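Sections 1 and 7 together describe one arrangement: sensitive data on a device is held only encrypted and only in memory, encryption keys are never stored alongside the data they protect, and every key recovery is authorized and logged. The Go program below is an added example of that arrangement; it is not CWallet's code and does not describe how the CWallet apps are built. It assumes an in-process key store standing in for the commercial key management system (a real deployment would use a KMS or HSM), and the labels "dek-v1" and "registration-v1", the actor names, and the sample record are made up for the example. Go's standard library provides AES-GCM, so nothing outside the standard library is needed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore stands in for the policy's key management system: it holds the key-encryption
// key (KEK) and logs every key operation. An in-memory KEK is an assumption so the example
// runs offline; a real deployment would use a KMS or HSM.
type KeyStore struct {
	kek      []byte
	AuditLog []string
}

// Record is all the application persists: ciphertext plus wrapped DEK, never the KEK.
type Record struct{ WrappedDEK, Ciphertext []byte }

func NewKeyStore() (*KeyStore, error) {
	kek := make([]byte, 32) // AES-256
	_, err := rand.Read(kek)
	return &KeyStore{kek: kek}, err
}
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// seal: AES-256-GCM, random nonce prepended; aad binds the blob to a context label.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}
// open reverses seal; it fails on a wrong key, tampered data, or a wrong aad.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}
// Unwrap is the key-recovery operation: always logged, refused without authorization.
func (ks *KeyStore) Unwrap(wrapped []byte, actor string, authorized bool) ([]byte, error) {
	if !authorized {
		ks.AuditLog = append(ks.AuditLog, "unwrap DENIED for "+actor)
		return nil, errors.New("key recovery not authorized")
	}
	ks.AuditLog = append(ks.AuditLog, "unwrap by "+actor)
	return open(ks.kek, wrapped, []byte("dek-v1")) // label is an assumption
}
// Protect: a one-time DEK encrypts the data; the DEK is wrapped under the KEK (logged), then zeroed.
func Protect(ks *KeyStore, plaintext []byte, actor string) (Record, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext, []byte("registration-v1"))
	if err != nil {
		return Record{}, err
	}
	ks.AuditLog = append(ks.AuditLog, "wrap by "+actor)
	wrapped, err := seal(ks.kek, dek, []byte("dek-v1"))
	for i := range dek { // best-effort zeroization; the Go runtime may still hold copies
		dek[i] = 0
	}
	return Record{WrappedDEK: wrapped, Ciphertext: ct}, err
}
// Recover needs both halves: the Record from the data store and an authorized unwrap from the key store.
func Recover(ks *KeyStore, rec Record, actor string, authorized bool) ([]byte, error) {
	dek, err := ks.Unwrap(rec.WrappedDEK, actor, authorized)
	if err != nil {
		return nil, err
	}
	return open(dek, rec.Ciphertext, []byte("registration-v1"))
}
func main() {
	ks, _ := NewKeyStore()
	rec, _ := Protect(ks, []byte("name=Test User;qid=00000000000"), "app-server") // constructed sample
	_, denied := Recover(ks, rec, "analyst", false)
	pt, _ := Recover(ks, rec, "dpo", true)
	fmt.Println(denied, "|", string(pt), "|", ks.AuditLog)
}
```

A copy of the data store alone (the Record) yields nothing: the plaintext DEK exists only between generation and zeroization, and the wrapped DEK can be opened only by the key store, which records the attempt whether or not it grants it. The same property means a Record taken from one installation cannot be opened by a key store holding a different KEK, and any modification of the stored ciphertext is rejected by the GCM tag check.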
8. Marketing
We would like to send you information about new services and offers which may be of interest to you. Such information could be sent by post, email, text message, or telephone. We will ask whether you would like us to send you marketing messages on the first occasion on which you provide any relevant contact information.
9. Reasons we can collect and use your personal information
We rely on the following as the lawful basis on which we collect and use your personal information:
- Consent;
- Terms and conditions of service;
- Legal obligation; and
- Legitimate interests, including the use of information for marketing purposes while ensuring that the impact on the consumer is minimal.
10. Consequence of our use of your personal information
The consequences of our use of your personal information include, without limitation, recommending changes to our Services to better suit your personal needs.
11. Data processing restriction policy
- CWallet will restrict the processing of personal data when a user notifies us that they believe the personal data we hold for them is inaccurate, and we investigate this claim.
- CWallet staff are familiar with this procedure and comply with it when dealing with personal data. Non-compliance with the procedure will be dealt with in accordance with the Privacy Policy, which may involve disciplinary action.
- CWallet's Data Protection Officer will log the Personal Data Processing Restriction Request and contact the departments relevant to the restriction in order to discuss appropriate actions. The most appropriate method will then be identified by the relevant CWallet departments.
- CWallet ensures that while processing is restricted, the personal data will not be used in any other way and will be stored in encrypted form.
- CWallet will inform the user when a restriction is applied to the processing of their personal data, and will inform the user again before the restriction is lifted. During the verification process, all processing of the relevant personal data will be restricted, and CWallet will identify whether the personal data has been processed by any authorized third parties. Any rectification will include reference to those third parties as required.
- The user has the right to contest the decision made in response to their Personal Data Restriction Request. If the user is still unsatisfied with the outcome of the appeal, they have the right to file a complaint with the Information Commissioner’s Office or another supervisory body. CWallet will notify the user of this right without undue delay and no later than one month after receiving their Personal Data Restriction Request.
- CWallet will not be able to process the Personal Data Processing Restriction Request if the user does not provide proof of identity.
- CWallet's Data Protection Officer may decide to treat the Personal Data Restriction Request as manifestly unfounded or excessive and to either:
- request a reasonable fee to deal with the Personal Data Restriction Request, or
- refuse to process the Personal Data Restriction Request under CWallet’s statutory rights.
In either case, this will be communicated to the user in accordance with the law. The user will be informed without undue delay and within one month of receipt of their Personal Data Restriction Request.
- CWallet Data Protection Officer (or their designees) registers Personal Data Processing Restriction Requests and their conclusions on the Register of Personal Data Restriction Requests.
12. Data and Information classification policy
- Introduction: This data classification policy outlines the categories and handling requirements for the different types of data within CWallet. Proper classification and handling of data is crucial to the security and confidentiality of our company and our customers. CWallet ensures the appropriate handling of all formats and classifications of information by establishing a system for categorizing information assets according to their sensitivity and confidentiality, and by defining a set of policy statements for handling these information assets so as to ensure the appropriate level of security for that information.
- Scope: This policy applies to all employees, contractors, and third parties who have access to CWallet data.
- Information Classification:
- CWallet defines information classifications based on the sensitivity, criticality, confidentiality/privacy requirements, and value of the information.
- When information of various classifications is combined, the resulting collection of information or new information must be classified at the most restrictive level among the sources.
- All information and data assets within CWallet must be classified and labeled with appropriate level of Confidentiality, Integrity and Availability.
- All CWallet information assets, whether generated internally or externally, must be categorized into one of these information classifications: Public, Internal, Confidential and Highly Confidential.
| Classification Level | Definition | Examples |
|---|---|---|
| HIGHLY CONFIDENTIAL | Restricted business information intended strictly for use within CWallet or by a defined group of individuals at CWallet. Its unauthorized disclosure could adversely affect CWallet, its employees and/or its customers, and could lead to legal and financial repercussions and adverse public opinion. Access to highly confidential data should be restricted to the minimum level necessary to perform job duties, and highly confidential data should be encrypted when stored or transmitted. | Designs or company trade secrets, PII, customer-related information, employee social security numbers, customer account passwords, etc. |
| CONFIDENTIAL | Information that is sensitive within the organization and is intended for use only by specified groups of employees or within selected department(s). | BCP documents, financial records, transactions, proprietary business information, etc. |
| INTERNAL | Information intended for use within CWallet only and not for external distribution. This classification applies to all information that does not clearly fit into any of the other three classifications. While its unauthorised disclosure is against policy, it is not expected to seriously or adversely affect CWallet, its employees or its customers. | Information published on the intranet, business plans, project plans, etc. |
| PUBLIC | Information that has been explicitly approved by CWallet management for release to the public. By definition there is no such thing as unauthorised disclosure of this information, and it may be freely disseminated without potential harm. | Advertisements, job opening announcements, marketing materials, etc. |
- Data and Information Labeling
- Information classified as confidential or higher (including outputs from systems handling confidential or higher data) shall be labeled appropriately
- Every information asset will be appropriately labelled according to the standard defined above.
- For most classifications a physical label is the most appropriate. However, in some cases, e.g. electronic transmissions, including e-mail, labels will be appended to the transmission.
- Data and Information Handling Requirements:
All information assets must be labeled and handled accordingly from the time they are created until they are destroyed or re-labeled. Such markings must appear on all manifestations of the information (hard copies, soft copies, tapes, etc.).
| Label | Public | Internal | Confidential | Highly Confidential |
|---|---|---|---|---|
| Physical labeling (paper, file, document) | None required. | Appropriate markings (“CWallet Internal” or equivalent) recommended, but not required. Specific access restrictions (e.g., “For Internal CWallet Use Only”) also recommended. | Appropriate markings (“CWallet Sensitive” or equivalent) strongly recommended. Specific access restrictions (e.g., “For Limited, Need-to-Know Use Only”) also recommended. | Appropriate markings (“CWallet Confidential” or equivalent) required. Specific access restrictions (e.g., “For Use By Named Individuals Only”) also recommended. |
| Electronic labeling (digital file, e-mail, or web page) | None required. | Appropriate markings (as above) in the subject line or header/footer recommended, but not required. | Appropriate markings (as above) in the subject line or header/footer strongly recommended. | Appropriate markings (as above) in the subject line or header/footer required. |
| Physical storage (paper, file, document) | No security requirements. | Secure office or other location. The room need not be locked if access to the building or floor is restricted to CWallet employees and authorized non-employees. | Secure office or other location. Storage in a locked drawer, file cabinet, or office recommended, but not required. | Storage in a locked drawer, file cabinet, or office required. If stored in an open-file storage area, access to the area must be restricted to authorized personnel. |
| Electronic storage (digital file, e-mail, or web page) | No security requirements. | Stored in a directory or folder with controlled access, e.g., password protection. | Stored in encrypted form (using corporate or business-approved methods) unless the business does not provide such capability, and in a directory or folder with controlled access, e.g., password protection. | Stored in encrypted form (using corporate or business-approved methods) unless the business does not provide such capability, and in a directory or folder with controlled access, e.g., password protection. |
- Network Segregation:
The network shall be segregated into four primary networks: the Perimeter Network (External DMZ), De-Militarized Zone (DMZ) Networks, Subsidiary Networks and the Internal Network. Networks other than these are called Public Networks.
- Internal Network: Hosts the IT infrastructure that is accessible only to internal users, including but not limited to internal servers, user desktops and network devices. The internal network is treated as a group of trusted devices and can be segmented further for additional classification.
- Subsidiary Network: Networks operated for subsidiaries, i.e., business units and joint ventures with access to the network. These networks shall be logically separated from the Internal Network.
- De-Militarized Zone (DMZ) Network: Hosts business systems and network devices that shall be available to both internal users and users from the public network. Network services made available to the public shall be reviewed and controlled.
- Perimeter Network: Hosts the devices that share the boundary of the IT infrastructure with the internet/public networks. These devices are the first line of defense of the network.
- Public Network: Any network not owned and operated by the organization, widely known as the internet.
13. Keeping your information secure
We have appropriate security measures in place on our Websites, Mobile App and electronic devices to prevent personal information from being accidentally lost, used or accessed in an unauthorized way. Access is limited to those who have a genuine business need to know; they will process your information only in an authorized manner and are subject to a duty of confidentiality.
We also have procedures to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where required by law. All reasonable efforts will be made to secure your personal data; however, by using our services you acknowledge that the internet is not entirely secure and that the security of personal data cannot be guaranteed.
- CWallet's network, systems, and communications will be monitored to identify potential misuse of systems or information. Logging will include monitoring of system access to prevent unauthorized access and to confirm that controls are effective. Only appropriate personnel have access to these logs, which are kept secure and available as required.
- CWallet's systems (servers, workstations, firewalls, routers, switches, communications equipment, etc.) will be monitored and logged to: ensure that use of the system is authorized; manage, administer and troubleshoot systems; protect against unauthorized access; verify security procedures and access; verify system and operational security; comply with CWallet's policies and procedures; and detect and prevent criminal or illegal activities.
- CWallet employees shall report any security incident to the Acting CTO of Information Systems within 24 hours. The incident will be documented, including any relevant details. The Acting CTO of Information Systems is responsible for investigating security incidents and taking any necessary corrective action based on the results of the investigation.
- CWallet's Acting CTO of Information Systems is responsible for developing and implementing an incident response plan. The plan must include procedures for reporting, investigating, responding to, and recovering from security incidents. The Acting CTO will notify senior management when a security incident occurs, including any potential impact on the organization's operations.
- CWallet has implemented a data protection policy and regularly audits its systems to ensure compliance with the applicable laws. This is done by an appointed representative through data protection audits, controls, and other methods. The results of these controls are reported to the CEO, who must be informed of the primary results as part of related reporting duties. On request, CWallet will provide additional details about these processes and controls. The committee can also perform its own checks of compliance with this policy, as permitted under the Qatar Personal Data Privacy Law.
14. Data breach policy
Action to be taken in the event of a data breach:
- When a member of CWallet staff becomes aware that personal information has been provided mistakenly to the wrong individual, he or she must notify their line manager and the Data Protection Officer or, in their absence, the SIRO, an Acting CTO, or a member of senior management.
- Failure to notify CWallet immediately upon discovery increases CWallet's risk and exposure and may result in disciplinary proceedings.
- Before taking any corrective action, employees should obtain guidance.
- CWallet's Data Protection Officer, or another individual nominated by the Senior Information Risk Owner (SIRO), will conduct an initial investigation of the data incident to determine the timeline, facts, and scale, and will inform the SIRO and the Acting CTOs of the existence of a data breach and of any recommendations. Normally this inquiry should begin within 24 hours of notification of the data problem. It should include an initial risk assessment for the individual(s) involved.
- Use the CARE method to manage the incident:
- Contain - take quick steps to avoid additional disclosure or damage.
- Assess - pause and plan in light of the magnitude of the breach.
- Respond - put the plan into action after considering all options.
- Evaluate - reflect on and report the success of the efforts, and consider further steps or more forceful action.
- A CWallet employee who has caused a data breach should notify their line manager as soon as possible. They should also contact the individuals whose personal information was sent to the wrong place and offer to speak with them directly. The message should include the line manager's name and contact information, together with a promise to keep them updated on any developments.
- CWallet's Data Protection Officer (DPO) shall report to the SIRO and the Acting CTOs within a week of the first investigation of the data breach. The findings should contain a detailed explanation of the type, origin, and time of the breach, as well as an evaluation of the risks to the persons involved.
7. Common questions to address, which the ICO will almost certainly ask:
• Has the worker received enough training and completed the Civil Service-Learning course on
Information Management?
• Did the required process occur? Is that procedure operational?
• What checks were performed to ensure the process's success?
8. HR should be kept up to date on all developments so that they can assist the lead
investigator and support the employees involved in the event.
9. If the recipient who accidentally received the material does not respond within 48 hours, they
should be contacted again, by email and phone, and all attempts should be recorded. This cycle
should be repeated until a satisfactory conclusion is achieved.
Security of the data breach
- While all security breaches are alarming, some will have a heavier impact on the user than
others. Potential harm to the data subject can take three forms:
  - Financial, if any bank or card information, or other information that may allow someone to
impersonate them, falls into the wrong hands.
  - Security, if personal addresses, itineraries, or other information essential to a person's security
is misplaced. This includes home security measures.
  - Reputational damage, when information that might be abused by the media, political
opponents, or other persons goes astray.
- The ICO defines severe discomfort as "a level of upset, or emotional or mental anguish, that
goes beyond annoyance or irritation, strong disapproval, or a belief that the [data] processing is
morally repugnant." Clearly, any of the aforementioned types of injury might cause significant grief.
However, there are other types of data losses that might cause anguish or harm (disadvantage).
- As a general rule, CWallet considers there to be three levels of severity. These definitions are
internal only; they are not based on official sources, although they are informed by the ICO's harm
and distress advice:
  - LOW RISK - IRRITATION/INCONVENIENCE. This is when the user may experience some
inconvenience or irritation, but no severe damage or distress is created. For example, this may
occur when an email regarding meeting plans is sent to the incorrect individual.
  - MEDIUM RISK - DISTRESS THAT DOES NOT HAVE THE POTENTIAL TO CAUSE SERIOUS
DAMAGE, such as giving salary information to the wrong person. This may cause substantial
anxiety to the employee, but unless coupled with payment details (for example, bank account
information), it will not cause serious harm to the user.
  - HIGH RISK - SERIOUS DAMAGE. Any misplacing of information that poses a financial or
security risk to the data subject, or poses a major reputational risk, should be viewed as possibly
inflicting serious damage on the user.
Keeping a central record of data breaches and disciplinary measures
It is the IT and Cyber Officer's obligation to conduct the investigation and report on data breaches.
He or she will also serve as the primary point of contact for the Advisor Acting CTO and keep a central
record of all data breaches. HR will keep track of any disciplinary actions.
15. Policy Breaches
Any violation of this policy may result in disciplinary action, up to and including termination of
employment. CWallet reserves the right to notify the appropriate law enforcement authorities of any
unlawful activity and to cooperate in any investigation of such activity. CWallet does not consider
conduct in violation of this policy to be within an employee’s or partner’s course and scope of
employment, or the direct consequence of the discharge of the employee’s or partner’s duties.
Accordingly, to the extent permitted by law, CWallet reserves the right not to defend or pay any
damages awarded against employees or partners that result from violation of this policy.
16. Policy Exemptions
To seek exemption to this policy, please write to [email protected]
17. Where to get help
Contact your line manager or risk and compliance manager if you have queries or need assistance.
18. Glossary
Term | Description
Confidential Information | Any CWallet information that is not publicly known and includes tangible and intangible information in all forms, such as information that is observed or orally delivered, or is in electronic form, or is written or in other tangible form. Confidential Information may include, but is not limited to, source code, product designs and plans, beta and benchmarking results, patent applications, production methods, product roadmaps, customer lists and information, prospect lists and information, promotional plans, competitive information, names, salaries, skills, positions, pre-public financial results, product costs, and pricing, and employee information and lists including organizational charts. Confidential Information also includes any confidential information received by CWallet from a third party under a non-disclosure agreement.
Sensitive Information | Same as Confidential Information
Information Asset | Any CWallet data in any form, and the equipment used to manage, process, or store CWallet data, that is used in the course of executing business. This includes, but is not limited to, corporate, customer, and partner data.
Production Information System | Any computer or communication system that is used to support day-to-day operations, including any systems used to support customers or store sensitive data in any way.
Third Party | Any non-employee of CWallet who is contractually bound to provide some form of service to CWallet.
User | CWallet employee, staff
Annexure "A"
Backup policy (data privacy)
The Cwallet backup policy has schedules that define the backup frequency and retention period.
This gives us control over the backup frequency and the retention period.
In the Cwallet backup policy, the first thing we configure is the schedule type, which specifies the backup
frequency. Cwallet provides the following schedule types:
* Daily: Backups are generated daily. Specify the hour of the day for the backup.
* Weekly: Backups are generated weekly. Specify the day of the week, and the hour of that day for the backup.
* Monthly: Backups are generated monthly. Specify the day of the month, and the hour of that day for the backup.
* Yearly: Backups are generated yearly. Specify the month, the day of that month, and the hour of that day for the backup.
Cwallet ensures strong encryption:
* Storage/encryption details/hashing algorithms adopted for passwords: a bcrypt hashing mechanism
(the stored hash below is in bcrypt's $2b$ format with cost factor 10):
$2b$10$CmzzZa7TtdQ8dNlE5MW/YO3CK3PFHfNS0KHZ89LjKVZPgj26sflXO
* Keys and sensitive information are protected with RSA, SHA-256 hashing, and AES-256 encryption
of the stored data.
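The schedule types listed above (daily, weekly, monthly, yearly) and the retention period, worked through as an added Python example that is not Cwallet's own tooling; the field names, the four-year search window and the prune() helper are assumptions. It also handles the edge case the annex leaves open: a day that does not exist in every month or year.

```python
"""Backup schedule and retention as described in the annex above.

Added example, not Cwallet's own tooling. Each schedule type carries the
fields the annex lists: daily (hour), weekly (weekday + hour), monthly
(day + hour), yearly (month + day + hour). Field names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Schedule:
    kind: str                # "daily", "weekly", "monthly" or "yearly"
    hour: int                # hour of the day (0-23)
    weekday: int = 0         # weekly only; 0 = Monday
    day: int = 1             # monthly/yearly only; day of the month
    month: int = 1           # yearly only
    retention_days: int = 30

    def next_run(self, after: datetime) -> datetime:
        """First scheduled backup time strictly after `after`."""
        candidate = after.replace(hour=self.hour, minute=0, second=0, microsecond=0)
        # Scan day by day; four years covers a leap-day (29 February) schedule.
        for _ in range(4 * 366 + 1):
            if candidate > after and self._matches(candidate):
                return candidate
            candidate += timedelta(days=1)
        raise ValueError(f"{self.kind} schedule never fires (no such date)")

    def _matches(self, t: datetime) -> bool:
        if self.kind == "daily":
            return True
        if self.kind == "weekly":
            return t.weekday() == self.weekday
        if self.kind == "monthly":
            return t.day == self.day
        if self.kind == "yearly":
            return t.month == self.month and t.day == self.day
        raise ValueError(f"unknown schedule type: {self.kind}")


def prune(backup_times, now, retention_days):
    """Split backups into (keep, expire) by age against the retention period."""
    cutoff = now - timedelta(days=retention_days)
    keep = sorted(t for t in backup_times if t >= cutoff)
    expire = sorted(t for t in backup_times if t < cutoff)
    return keep, expire
```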
Responsibility
Cwallet ensures that the IT department manager delegates a member of the IT department to perform
regular backups. The delegated person develops a procedure for testing backups and tests the ability
to restore data from backups on a monthly basis.
Restoration of data from backups is tested periodically to ensure that complete data restoration is
possible and to verify that:
• Data restoration is possible
• The data backup procedure is practicable
• Data backup procedures are documented properly
• The time required for data restoration meets the availability requirements
Verification and Testing
The integrity of the data is verified at the time of the daily backup by enabling the integrity check function.
Regular tests are carried out to establish the effectiveness of the Council’s backup and restore
procedures by restoring data/software from backup copies and analysing the results. Departmental
IT Service Relationship managers are provided with information relating to any issues with the backup
testing of their data.
Data retention period
Customer data, including personal information such as name, address, phone number, and email
address, will be retained for a period of 7 years after the customer's account is closed or becomes inactive. This data will be used to comply with legal and regulatory requirements and to resolve any
disputes or issues that may arise.
Transaction data, including details of any transactions made using CWallet's services, will be
retained for a period of 5 years after the transaction date. This data will be used to comply with legal
and regulatory requirements, to resolve any disputes or issues that may arise, and to improve
CWallet's products and services.
Marketing data, including information collected through customer surveys or marketing campaigns,
will be retained for a period of 2 years. This data will be used to improve CWallet's products and
services and to personalize marketing efforts.
Security data, including logs of access to CWallet's systems and user activity, will be retained for a
period of 6 months. This data will be used to maintain the security and integrity of CWallet's systems
and to investigate any potential security breaches or unauthorized access.
Data Integrity Security Controls
This section deals with how CWallet maintains data integrity in the organization.
For data integrity to be achieved, best practices in handling data must be followed. It is always better
to standardize these processes throughout the organization instead of leaving them to individuals or
teams.
The section below highlights some of the practices that are used to achieve data integrity. The
controls for maintaining data integrity are:
- Validation of Input Data and Encryption Mechanism:
Input data should always be validated before it is allowed into your data storage system. Validation
is the process of checking data to make sure it is correct and useful. Data should be checked for
accuracy regardless of the source of the data, be it data from end-users of an application, internal
systems, or external sources.
Implementation:
CWallet channel data is transmitted over HTTPS, so a security protocol is in place for the
transmission of data over the open, public internet.
The CWallet portal is equipped with a CA-certified TLS 1.3, X25519, AES_128_GCM certificate,
which serves TLS 1.2 over HTTPS for all locations. Hence security protocols are implemented for
all locations.
In the Azure console, Microsoft Defender for Cloud is running and identifies changes in the content,
permissions, ownership and attributes of files, providing file integrity monitoring and change
detection on logs.
- Implement Access Control:
Access to data should be tightly regulated to ensure that only those with the proper authorizations
have access to data. A least privileged model of security should be used in which access is only
granted on a need-to-know basis.
Broad access such as administrative rights over entire systems should seldom exist. Instead,
employees should have access only to the data that enables them to perform their specific job roles.
Data should be isolated so that incidents of unauthorized access are all but non-existent.
Implementation:
CWallet uses the following authentication methods for login to the Admin portal, Merchant portal and
Azure Cloud Console:
- Individual user ID and password
- Two-factor authentication using OTP
- Keeping Audit Trail:
It is important to maintain an audit trail mechanism that can track the source of data changes. In the
event of a data breach, it is vital to know the source of the breach, the documents or data that may
have been accessed, and how the breach was possible.
An audit trail should be generated through an automated process in which individuals do not have
access to tamper with the results of the audit trail.
It should also have the ability to track data events such as create, delete, update, etc. along with the
time the events occurred and the individual that triggered them. A well-managed audit trail can help
a lot in the case of investigating a data breach.
Implementation:
CWallet uses Sentinel, which confirms that audit trails are enabled and active for system components.
The following audit trails are enabled for Azure: Success Login, Invalid Login, User Creation, Privilege
Elevation, User Deletion.
The following audit trails are enabled for the Application: Login Attempt, Success Login.
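The audit trail properties described above (create/update/delete events with time and actor, results that individuals cannot tamper with) as an added Python example; this is not CWallet's or Sentinel's code, and the entry fields and the hash-chaining scheme are assumptions.

```python
"""Tamper-evident audit trail for create/update/delete events.

Added example, not CWallet's or Sentinel's code: each entry records event,
actor, record and time, and is SHA-256 hash-chained to the previous entry so
verify() detects an entry edited or removed behind the API's back.
"""
import hashlib
import json
from datetime import datetime, timezone

EVENTS = {"create", "update", "delete"}
GENESIS = "0" * 64  # prev_hash of the first entry


def _digest(body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []

    def record(self, event: str, actor: str, record_id: str, when=None) -> str:
        """Append one event and return its hash."""
        if event not in EVENTS:
            raise ValueError(f"unknown event type: {event}")
        when = when or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries),
            "time": when.isoformat(),
            "actor": actor,
            "event": event,
            "record_id": record_id,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Index of the first entry that breaks the chain, or None if intact."""
        expected_prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (entry["seq"] != i or entry["prev_hash"] != expected_prev
                    or _digest(body) != entry["hash"]):
                return i
            expected_prev = entry["hash"]
        return None
```

In a real deployment the entries would be written to append-only storage the application users cannot reach, with the latest hash published out of band so the chain itself cannot be silently rewritten.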
- Always Backup Data
Having regular, reliable, and timely backup of data systems is essential to ensure that data can be
recovered in the event of data loss. Data loss may be occasioned by hardware failure, software
bugs, or even ransomware attacks. A backup process ensures that your organization will not suffer
from permanent data loss.
Implementation:
For the database, CWallet uses Cosmos DB, which is a highly scalable cloud database environment.
Cosmos DB automatically takes snapshots of data from one zone to a replica running in another zone.
- Adopting Security Best Practices
The security of systems that contain data should be checked regularly. Software patches should be
installed in a timely fashion, and known security vulnerabilities of software packages should be
mitigated.
Implementation:
CWallet infrastructure is hosted on the Azure cloud using Azure App Services, which is PCI
compliant as per the AOC dated 04th March 2022.
As per the Azure Cloud PCI DSS Responsibility Matrix dated 04th March 2022, it is confirmed that
system hardening related controls are managed by Azure.