GDPR Compliance

Effective Date: August 2, 2025

CodesenSys is committed to ensuring compliance with the EU General Data Protection Regulation (GDPR) by safeguarding personal data and ensuring that our processing activities align with legal and regulatory requirements. Below is a concise, bullet-point digest of our GDPR compliance posture.

CodesenSys GDPR Compliance — Key Points

1 Lawful Bases for Processing

  • Contract: fulfilling project agreements and pre-contractual requests.
  • Legitimate Interest: improving services, securing infrastructure, and preventing fraud.
  • Consent: marketing communications and optional cookies.
  • Legal Obligation: bookkeeping, tax, and regulatory disclosures.

2 Data Subject Rights

  • Access: Obtain a copy of personal data.
  • Rectification: Correct inaccurate or incomplete records.
  • Erasure: Right to be forgotten where no overriding reason exists.
  • Restriction: Pause processing in specific circumstances.
  • Portability: Receive data in a machine-readable format.
  • Objection: Opt out of certain processing, including direct marketing.

3 International Data Transfers

  • Personal data is processed primarily in Pakistan and the United States. Any transfer of EU personal data to these or other non-EU countries is covered by Standard Contractual Clauses (SCCs) or an equivalent transfer mechanism recognised under Chapter V of the GDPR.

4 Data Minimization & Retention

  • Collect only the data necessary for the stated purposes. Retention schedules are defined per data category; typical project files are kept for 7 years for audit purposes, then securely purged.

5 Security Measures

  • Encryption in transit (TLS 1.3) and at rest (AES-256). Role-based access control, MFA, quarterly vulnerability scanning, and annual third-party penetration testing.

6 Data Protection Impact Assessments (DPIAs)

  • Conducted for high-risk processing (e.g., large-scale profiling, special-category data). Mitigations documented and reviewed by senior security staff.

7 Processor & Sub-processor Management

  • Third-party vendors vetted for GDPR alignment and bound by Data Processing Agreements (DPAs). Full vendor list available upon request; material changes communicated in advance.

8 Breach Response

  • 24×7 monitoring and a documented Incident Response Plan. The supervisory authority is notified within 72 hours of becoming aware of a notifiable breach; affected individuals are informed without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

9 Data Protection Officer (DPO)

  • Appointed DPO oversees compliance, training, and incident management. Contact: dpo@codesensys.com.

10 Ongoing Compliance Activities

  • Annual GDPR audits and staff refresher training. Policies updated to reflect regulatory guidance and case law.