Ensuring Trust and Security: A Deep Dive into PersonaFin AI’s Compliance and Security Policies

March 6, 2024

In an era where data security and compliance are paramount, it’s crucial for financial institutions to partner with technology providers that not only understand these concerns but also proactively address them. PersonaFin AI stands at the forefront of this commitment, ensuring that our clients’ data is handled with the utmost care and security. Our policies are designed to align with the highest standards of privacy, security, and ethical AI use in the financial sector.

Understanding the importance of transparency in building trust, we have compiled a comprehensive Q&A to address the most common queries about our compliance and security measures. This resource is intended to provide clear, detailed insights into how we protect data, manage privacy, and uphold our responsibility to our clients. Whether you’re a prospect, a current customer, or part of a compliance and security team, this Q&A aims to clarify our practices and policies, ensuring you have all the information you need to make informed decisions.

  1. Do you have an Information Security Policy?
    • Yes. Our Information Security Policy describes our security environment, teams, and tools, and defines the organizational structure and responsibilities for maintaining information security.
    • Relevant Policy: Information Security Policy Statement.
  2. Do you have a Data Protection Policy?
    • Yes. Our Data Protection Policy describes how we protect data, including the anonymization methods we use and how data access requests are handled, so that the confidentiality and integrity of data are preserved.
    • Relevant Policy: Information Security Policy Statement.
  3. Do you have an Access Control Policy?
    • Yes. Our Access Control Policy defines how access to our systems is authenticated and controlled, in line with accepted practice for protecting sensitive information.
    • Relevant Policy: Access Control and Data Security Policy*.
  4. Do you have an Information Classification Policy?
    • Our Information Classification Policy categorizes data into public or unclassified, restricted, and confidential assets. This classification guides the handling and protection of data according to its sensitivity.
    • Relevant Policy: Information Classification Procedure.
  5. Do you have a Security Training Policy?
    • Yes, we have a Security Training Policy in place. This policy ensures that our staff are regularly trained and kept up-to-date on security best practices and procedures.
    • Relevant Policy: Security Awareness and Training Policy.
  6. Is there a dedicated person for privacy compliance?
    • Yes, we have a dedicated Data Protection Officer (DPO) who oversees privacy compliance, along with a structured team responsible for various aspects of our Information Security Management System (ISMS).
    • Relevant Policy: Information Security Management System.
  7. Are regular privacy risk assessments conducted?
    • Yes. We conduct regular privacy risk assessments to identify and mitigate potential risks; these assessments are a core part of our proactive approach to data protection and privacy.
    • Relevant Policy: Privacy Risk Assessment and Management Policy*.
  8. Is privacy awareness and training provided for all staff and contractors on an annual basis?
    • We ensure that all staff and contractors receive privacy awareness and training annually, as part of our commitment to maintaining high standards of data protection and privacy awareness.
    • Relevant Policy: Annual Privacy Training Program*.
  9. Is there a formal process for reporting and responding to privacy complaints?
    • Yes. A formal process is in place for receiving, handling, and responding to privacy complaints, so that they are resolved promptly and in accordance with regulatory requirements.
    • Relevant Policy: Privacy Complaint Handling Policy*.
  10. Is a data classification and retention program in place?
    • Yes. Our data classification and retention program distinguishes confidential from non-confidential data, following the classification scheme above, and sets out how long each category of data is retained.
    • Relevant Policy: Information Classification Procedure.
  11. Is client data shared with Sub-Processors?
    • No, we do not share in-scope client data with Sub-Processors.
    • Relevant Policy: Sub-Processor Data Sharing Policy*.
  12. How is client data captured and protected?
    • Client data is primarily captured through our Behaviour Capture library. It is encrypted in transit (over HTTPS/TLS) and at rest, and protected with end-to-end encryption.
    • Relevant Policy: Information Security Policy Statement & Data Capture and Encryption Policy.
  13. How soon is client data deleted after its use has expired?
    • Client data is retained for up to 10 years, in line with the record-keeping requirements of the financial institutions we serve. Personal data is deleted upon request, within one month of the request.
    • Relevant Policy: Information Security Policy Statement & Data Retention and Deletion Policy.
  14. Are staff allowed to access systems from personal devices?
    • Our policy restricts access to company systems and data from personal mobile phones and laptops, in order to maintain security and compliance.
    • Relevant Policy: Mobile Device and Remote Access Policy.