Wingify Privacy Principles: Our Commitment to Privacy, Data Protection & Compliance
Wingify believes privacy is a fundamental human right. We are committed to providing you with products, information, and controls that allow you to choose how information is processed, collected and used.
When you use Wingify Services, you trust us to protect your privacy and to use your information only in a way that is consistent with your expectations.
Our time-tested approach to privacy is grounded in our commitment to give you control over the collection, use, and distribution of your data. We are transparent about the specific policies, operational practices, and technologies that help ensure the privacy of your data in Wingify Services.
As part of our commitment to privacy, Wingify has made a number of investments and improvements to our data handling practices to support GDPR and the privacy rights of individuals in the European Economic Area and United Kingdom. Our measures include lawful basis documentation, data subject rights management, DPA execution, standard contractual clauses for data transfers, and DPIA processes.
Wingify respects the privacy rights of California residents under CCPA and its amendment CPRA. We do not sell personal information. We provide clear opt-out mechanisms, respond to consumer rights requests for access, deletion, and correction, and maintain transparency about data collection practices.
Wingify is committed to compliance with the Digital Personal Data Protection Act, 2023 (DPDP Act) applicable to the processing of digital personal data of individuals in India. Our compliance program addresses the obligations of a Data Fiduciary, including lawful processing, notice requirements, consent management, data principal rights, and grievance redressal mechanisms.
Wingify continuously monitors and aligns with other applicable privacy and data protection regulations globally, including PIPEDA (Canada), PDPA (Singapore/Thailand), LGPD (Brazil) and other emerging regional frameworks, ensuring a consistent, high-standard privacy posture across all markets.
Wingify Security Development Lifecycle (SDL): Privacy requirements are defined and integrated into the SDL, the software development process that helps Wingify build more secure products and services. The SDL consists of a set of practices that support security assurance and compliance requirements, including effective privacy reviews of each release of a Wingify product or service. The Wingify SDL introduces security and privacy considerations throughout all phases of the development process.
The Wingify Privacy Policy puts our commitment in writing and details Wingify’s data protection policies and practices in clear, straightforward language.
Wingify’s privacy and security commitments are independently validated through internationally recognized certifications. These certifications demonstrate our adherence to the highest standards of information security and privacy management:
| Certification | Scope & Significance |
|---|---|
| ISO 27001:2022 ISMS | Information Security Management System – governs the overall security of information assets. |
| ISO 27701 PIMS | Privacy Information Management System – extends ISO 27001 with privacy-specific requirements for PII controllers and processors. |
| ISO 27017 Cloud Security | Security controls for cloud services, ensuring secure provision and use of cloud computing. |
| ISO 27018 Cloud Privacy | Protection of Personally Identifiable Information (PII) in public cloud environments. |
| SOC 2 Type II | Service Organization Controls – validates the effectiveness of security, availability, processing integrity, confidentiality, and privacy controls over a sustained period. |
| PCI DSS v4.0.1 | Payment Card Industry Data Security Standard – ensures secure handling of cardholder data and payment transactions. |
Wingify makes broad contractual commitments to businesses through our Terms of Business. Wingify uses customer data only to provide the agreed services, and for purposes compatible with providing those services. We do not use customer data or derive information from it for advertising.
Furthermore, we will not disclose customer data to a government agency unless required by law. If law enforcement demands customer data, we will attempt to redirect the agency to request that data directly from the customer. If we are compelled to disclose customer data to law enforcement, we will promptly notify the customer and provide a copy of the demand, unless legally prohibited from doing so.
Our Customer Data Protection Addendum (DPA) provides contractual guarantees for the protection of personal data processed on behalf of our customers, incorporating Standard Contractual Clauses and addressing GDPR, CCPA/CPRA, IN-DPDP, and other applicable regulatory requirements.
Wingify’s Code of Conduct governs the ethical standards and behavior expected of all Wingify employees, contractors, and partners in the handling of customer and personal data.
Our Cookie Notice provides transparent information about the cookies and similar tracking technologies used in our products and services, and how users can manage their preferences.
Wingify is committed to privacy and data protection of individuals and customers. This is especially important as technology progresses and privacy laws evolve.
In support of the Security & Privacy by Design initiative, Wingify has established the Wingify Security & Privacy Management Principles. These Principles provide a robust framework for building and maintaining secure systems, applications, and services that address cybersecurity and privacy considerations by default and by design.
Wingify has identified leading global privacy frameworks and created a comprehensive set of Privacy Management Principles – a Privacy Control Framework that is tailored for privacy and is intended to help design, build and maintain processes, systems, and applications that incorporate both cybersecurity and privacy principles by default. The table below provides an overview of how our Privacy Management Principles meet the control requirements for SOC 2, CCPA, CPRA, EU GDPR, IN-DPDP, FIPPs, PIPEDA, GAPP, ISO 29100, NIST 800-53 Rev 4, APEC, and other applicable frameworks.
We have adopted these principles to guide our products, our processes, and our people in keeping our Customers’ and Visitors’ information private, safe, and secure. This integrated approach addresses multiple requirements through a common framework covering accountability, transparency, and clarity.
Sixty-four (64) principles organized into ten (10) domains – the table below depicts each privacy principle that Wingify adheres to, along with our implementation status, ensuring you receive meaningful choices about how and why information is collected, processed, and used.
Establish and maintain a comprehensive privacy program that ensures privacy considerations are addressed by design in the development of policies, standards, processes, systems, applications, projects and third-party contracts.
| # | Principle Name | Privacy Management Principle Description | Wingify Adherence Details |
|---|---|---|---|
| 6.1.1 | Assigned Responsibilities | Assign accountability through documented roles and responsibilities to qualified individuals for maintaining compliance with all applicable privacy requirements that involve appropriately monitoring and documenting the privacy program. | Wingify has appointed a Data Protection Officer and assigned responsibilities to liaise on matters of information security, data protection, compliance and overseeing the security and compliance of PII, Company IP, etc., which aligns with data protection by law and local law(s). |
| 6.1.2 | Policies, Standards & Procedures | Ensure appropriate policies, standards and procedures exist to operationalize the privacy program. | Wingify follows ISO 27001:2022 ISMS standard control framework as a baseline, cross-mapping controls with ISO 27701, ISO 27017, ISO 27018, PCI DSS v4.0.1, CSA, SOC 2, GDPR, CCPA, CPRA, IN-DPDP, and other applicable regulations. Wingify has an integrated Information Security & Privacy Management Policy in place. |
| 6.1.3 | Periodic Review | At planned intervals or after significant changes, policies, standards, and procedures are reviewed to ensure continuing suitability, adequacy, and effectiveness to meet applicable statutory, regulatory and contractual needs. | Wingify has established the Corporate Security & Compliance Committee (CSCC) comprising knowledgeable workforce members to ensure confidentiality, privacy, and security compliance as required by applicable law. The CSCC meets quarterly to discuss and review concerns. Wingify runs Vulnerability Assessment Penetration Testing (VAPT) annually through a third-party service provider and performs quarterly security audits for all production environment systems. |
| 6.1.4 | Oversight | Provide oversight of privacy controls throughout the lifecycle of systems, applications, and services to ensure that senior leaders are made aware of privacy-related risks in a timely manner. | As noted in 6.1.3, CSCC ensures that overall controls are in place. CSCC is headed by the CEO with members from various departments. |
| 6.1.5 | Management Visibility | Provide performance metrics and trend analysis to enable management visibility and coordinate privacy efforts across the organization. | As noted in 6.1.1, the DPO provides overall visibility to the CEO, Top, and Senior Management on a regular basis. |
| 6.1.6 | Compliance | Oversee the execution of privacy controls with appropriate evidence of due care and due diligence, demonstrating compliance with all applicable statutory, regulatory and contractual obligations, including age-based restrictions. | Wingify adheres to all applicable laws, and regulatory and contractual controls are in place. We do not knowingly collect any personal information from children under the age of 13. Refer to our Privacy Policy for more details. |
| 6.1.7 | Data Classification | Classify data according to the sensitivity and type of personal data as defined by appropriate statutory, regulatory and contractual contexts. | Wingify has a robust data and assets classification mechanism in place that ensures categorization in accordance with applicable laws, regulatory and contractual requirements. |
| 6.1.8 | Registering Databases | Register applicable databases containing personal data with the appropriate Data Authority, when required. | Wingify has created a Personal Data Inventory and Data Flow in accordance with all applicable laws and regulatory requirements. We also maintain ROPA (Record of Processing Activities) as defined in Article 30 of GDPR. |
| 6.1.9 | Resource Planning | Identify and plan for resources needed to operate a privacy program and include privacy requirements in solicitations for technology solutions and services. | Wingify has implemented a robust Privacy Program comprising a DPO, Core privacy team, departmental-level DPRs (Data Protection Representatives), and facilitates regular training for all members. |
| 6.1.10 | Inventory of PI | Maintain an inventory of both the type of personal data and specific data elements, as well as the systems, applications, and processes that collect, create, use, disseminate, maintain, and/or disclose that personal data. | Wingify establishes and maintains a Personal Information Inventory and Flow that covers the whole information lifecycle from collection, processing, storing, to deletion – reviewed and updated on an annual basis. |
| 6.1.11 | Privacy Training | Provide recurring privacy awareness and training for all employees and contractors. | Wingify has established a robust privacy program including an awareness and training program for all workforce members. Mandatory Privacy & Security Awareness training is provided annually. Workforce members who access any system for processing, storing or transmitting personal or sensitive information are formally trained in data handling requirements prior to access authorization. |
Individuals are directly involved in the decision-making process regarding the fair and lawful processing of their personal data, and to the extent practicable, directly engaged to receive explicit permission to use their personal data.
| # | Principle Name | Privacy Management Principle Description | Wingify Adherence Details |
|---|---|---|---|
| 6.2.1 | Clear Choices | Provide clear and conspicuous choices that enable an individual to permit or prohibit the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of their personal data. Also referred to as the right to ‘opt-out.’ | Refer to the Privacy Policy, which clearly outlines all privacy attributes and management practices, including how we collect and process information, how to exercise data protection rights, and retention practices. Note: Wingify provides Services primarily intended for organizations. Where Wingify Services are made available to Users through an organization (such as your employer), that organization is responsible for administering the accounts it controls. Please direct privacy and security questions to your administrator. |
| 6.2.2 | Initial Consent | Prior to the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of an individual’s personal data, the knowledge and consent of the individual are required. | Wingify is committed to providing Services with information, controls and transparency that allow users to opt-in or opt-out. Refer to the ‘Legal Basis for Processing’ and ‘Notice to Users’ sections of the Privacy Policy for more details. |
| 6.2.3 | Updated Consent | Based on changes to privacy practices that affect the parameters of an individual’s initial consent, updated consent is required to continue processing. This is also referred to as the right to ‘opt-out’ at any time after the initial consent was provided. | Processing is based on your consent. Where we rely on your consent, you have the right to withdraw it at any time by sending a request to [email protected] with the word ‘Opt-out’ or ‘UNSUBSCRIBE’ in the subject. Note: Even after opting out of promotional messages, non-promotional communications such as service-related emails will still be sent for active accounts. |
| 6.2.4 | Equal Service & Price | Implement business processes to protect the right of data subjects to equal service and price, even if they exercise their privacy rights. | Wingify is committed and adheres to all applicable laws. Refer to the Privacy Policy for more details. |
| 6.2.5 | Prohibit The Sale of Personal Data | Provide a clear and conspicuous link on the organization’s website, titled ‘Do Not Sell My Personal Information,’ enabling consumers to opt-out of the sale of their personal data. | We do not ‘sell’ our customers’ personal information to anyone — we do not rent, disclose, release, transfer, or make available personal information to third parties for monetary or other valuable consideration. Refer to the ‘Privacy Commitment’ section of the Privacy Policy for reference. |
Ensure that the design of information collection is consistent with the intended use of the information, and that the need for new information is balanced against any privacy risks.
| # | Principle Name | Privacy Management Principle Description | Wingify Adherence Details |
|---|---|---|---|
| 6.3.1 | Authority to Collect | Identify the authority given to collect, create, use, disseminate, maintain, and/or disclose an individual’s personal data. Document the authority in the organization’s privacy notice. | Refer to the Wingify Privacy Policy for full details. |
| 6.3.2 | Data Minimization | Take steps to minimize the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of personal data to what is directly relevant and necessary to accomplish a legally authorized purpose. | Wingify has established a Privacy Impact Assessment and Privacy Risk Treatment (PIA & PRT) exercise conducted annually and validated by an external third-party auditor. |
| 6.3.3 | Internal Use | Restrict the internal use of personal data to only authorized purpose(s) that are consistent with the stated privacy notice. | Wingify has adopted least access privilege principles and role-based access provisioning across all information systems. Wingify has Information Retention, Archive, and Disposal Policy and Procedure in place, consistent with applicable laws, validated by an external third-party auditor annually. |
Provide transparent notice to the public about privacy practices through a clear and conspicuous notice on all organizational websites, mobile applications, and other digital services regarding the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of personal data.
| # | Principle Name | Privacy Management Principle Description | Wingify Adherence Details |
|---|---|---|---|
| 6.4.1 | Notice & Purpose Specification | Provide notice of the specific purpose(s) for which personal data is collected, created, used, disseminated, maintained, retained and/or disclosed. | As a Controller: Wingify clearly describes information collection and its usage under the Privacy Policy. This policy is updated regularly and individuals are notified. As a Processor: The Controller (Customer) is responsible for informing its end-users about the purposes of information collection and use. |
Limit the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of personal data to what is legally authorized, relevant, and deemed reasonably necessary for the proper performance of business functions.
| # | Principle Name | Privacy Management Principle Description | Wingify Adherence Details |
|---|---|---|---|
| 6.5.1 | Data Flow Mapping | Maintain a record of processing activities that documents the flow of personal data, including geographic locations and third-parties involved, contact details of controllers, purposes of processing, categories of data subjects, time limits for erasure, and cybersecurity and privacy measures of the data controller. | Wingify has a robust Data Inventory and Data Flow document in place as per Article 30 of EU GDPR and applicable laws including IN-DPDP. We also maintain Network Architecture Diagrams that reflect the current state of network and information transmission. |
| 6.5.2 | Retention of Personal Information | Ensure that all records containing personal data are maintained in accordance with the organization’s records retention schedule and comply with applicable statutory, regulatory and contractual obligations. | Wingify maintains ROPA (Record of Processing Activities) and has Information Retention, Archive, and Disposal Policy and Procedure in place, defining ownership, accountability, access, use, and storage location. These are validated by an external third-party auditor annually. |
| 6.5.3 | Secure Destruction of Personal Information | Utilize secure methods to dispose of or destroy both physical and digital media containing personal data. | Wingify customer data is hosted in a secure cloud data center, logically segregated at the application layer, with de-identification mechanisms in place. Wingify follows NIST SP 800-88 Rev 1 Guidelines for Media Sanitization for PII Deletion and Disposal of Media. |
| 6.5.4 | Geolocation Restrictions | Restrict the location of processing, storage and service locations to comply with the privacy notice, as well as applicable statutory, regulatory and contractual obligations. | Wingify maintains a Data Flow Diagram for personal information processing that clearly documents information storage and location. Personal information about website visitors and service users may be stored within India, the United States, and other countries to facilitate global operations. Personal Information may be processed outside of the EEA in countries not subject to an adequacy decision by the European Commission. In such cases, Wingify ensures that the recipient provides an adequate level of protection, including through Standard Contractual Clauses approved under Article 46 of the GDPR. Refer to the Data Protection Addendum. |
| 6.5.5 | Data Portability | Provide the functionality to export personal data in a structured, commonly-used and machine-readable format that can be transferred to another controller without hindrance. | Wingify has a robust Data Subject Access Request (DSAR) Procedure and Process in place. We will provide information in a structured, commonly-used electronic format upon submission of requests by email to [email protected]. We may request specific information to confirm your identity and process your request. |
| 6.5.6 | Record of Disclosures | Develop and maintain an account of personal data disclosures that, upon request, can be made available to the individual whose personal data was disclosed. | Wingify keeps accurate information held in each system of records under its control, including date, nature and purpose of each disclosure, and the name and address of the person or agency to which the disclosure was made. Accounting of disclosures is retained for the life of the record or as per applicable data protection laws. |
| 6.5.7 | Integrity Protections | Maintain the accuracy and relevance of personal data across the information lifecycle as personal data is collected, created, used, disseminated, maintained, retained and/or disclosed. | Wingify confirms, to the greatest extent practicable, the accuracy, relevance, timeliness and completeness of personal information upon collection. We collect personal information directly from individuals to the greatest extent practicable and revalidate collected information via email confirmation for Wingify Services account creation. |
| 6.5.8 | De-Identification | Process personal data in such a manner that it is not attributable to a data subject through technical or organizational measures (e.g., anonymization, pseudonymization or data minimization). | Wingify customer data is hosted in a secure cloud data center, logically segregated at the application layer, with de-identification mechanisms in place. Key measures include: i. Wingify Services does not collect or require any sensitive information by default for its functioning. ii. Wingify Services adopts pseudonymization of the UUID stored on the client-side before storing on its servers. iii. Any IP address intended to be stored is anonymized with at least the last octet masked (configurable up to complete anonymization). |
| 6.5.9 | Quality Management | Maintain quality assurances throughout the information lifecycle with accuracy, relevance, timeliness, and completeness as reasonably necessary to ensure fairness to the individual. | Wingify has internal guidelines that ensure and maximize the quality, utility, objectivity and integrity of personal information across its lifecycle. |
| 6.5.10 | Flaw Remediation with Personal Information | Identify and correct flaws related to personal data as it is collected, created, used, disseminated, maintained, retained and/or disclosed. | Wingify has the following measures in place: i. A Technical Vulnerabilities Management Program. ii. A Software Development Lifecycle (SDLC) process including system change control, technical and security reviews after each release, and a robust information security and privacy weakness program, including a Responsible Disclosure Policy. |
Provide individuals with appropriate access to personal data and mechanisms to exercise their rights under applicable data protection laws, including the right to access, rectify, erase, restrict processing, object, and port their data.
| # | Principle Name | Privacy Management Principle Description | Wingify Adherence Details |
|---|---|---|---|
| 6.6.1 | Inquiry Management | Maintain a capability to receive and respond to privacy-related requests, complaints, concerns or questions from individuals. | Wingify has taken all necessary and appropriate steps to protect and respect data subject rights and personal information. Our robust Data Subject Access Request (DSAR) Procedure and Process ensures that customers can request information about our processing activities. Requests may be submitted by email to [email protected]. We may request specific information to confirm your identity. |
| 6.6.2 | Updating Personal Information | Provide individuals with appropriate opportunity to correct or amend their personal data. | As a Controller, Wingify provides the Right to Rectification, under which data subjects have the right to rectification of inaccurate personal information, including completion of incomplete information. Contact Wingify at [email protected] for questions or to update your information. As a Processor, upon instruction by the Controller, Wingify shall correct, rectify, or block Personal Information. Any request from a data subject directly to the Processor shall be directed to the Controller. |
| 6.6.3 | Redress | Provide individuals with appropriate opportunity to challenge the organization’s compliance with its privacy principles. | As a Controller, Wingify provides the Right to Object, enabling data subjects to object at any time to our processing of personal information concerning them. Contact Wingify at [email protected] for questions or to update your information. As a Processor, upon instruction by the Controller, Wingify shall correct, rectify, or block Personal Information. Requests from data subjects directly to the Processor shall be directed to the Controller. |
| 6.6.4 | Notice of Correction or Amendment | Notify affected individuals when their personal data is corrected or amended. | Wingify will provide information about our processing of your personal information and give you access to your personal information. Requests may be submitted by email to [email protected]. We may request specific information to confirm your identity. |
| 6.6.5 | Appeal | Provide individuals with appropriate opportunity to appeal an adverse decision to have incorrect personal data amended. | Requests may be submitted by email to [email protected]. |
| 6.6.6 | Right to Erasure | Provide individuals with appropriate opportunity to request the deletion of personal data where it is used, disseminated, maintained, retained and/or disclosed, including where stored or processed by third-parties. | As a Controller, Wingify provides the Right to Erasure. Under certain circumstances, you have the right to the erasure of personal information concerning you. Contact Wingify at [email protected] for questions or to update your information. As a Processor, upon instruction by the Controller, Wingify shall correct, rectify, or block Personal Information. Requests from data subjects directly to the Processor shall be directed to the Controller. |
Establish administrative, technical, and physical safeguards to protect personal data commensurate with the risk and magnitude of the harm that would result from its unauthorized access, use, modification, loss or dissemination.
| # | Principle Name | Privacy Management Principle Description | Wingify Adherence Details |
|---|---|---|---|
| 6.7.1 | Cybersecurity Considerations | Incorporate privacy requirements into enterprise architecture to ensure that risk is addressed so that the systems, applications and services achieve the necessary levels of trustworthiness, protection, and resilience. | Wingify backs robust information security and privacy practices that form an integral part of our product engineering and services. We follow security by design principles with top-down governance. Key measures include: i. Secure Engineering Principles guidelines. ii. Robust Software Development Lifecycle (SDLC) procedure and process that incorporates security and privacy by design in all phases of development. |
| 6.7.2 | Cryptographic Protections | Ensure personal data is encrypted both at rest and in transit. | Wingify has implemented best-practice cryptographic protection controls using trusted technologies: i. All data in transit is encrypted using TLS 1.2 or higher. ii. Data at rest is encrypted using AES-256 standards – one of the strongest block ciphers available. |
| 6.7.3 | Physical Protections | Ensure physical security and environmental controls to provide appropriate protection for environments where personal data is stored, transmitted and/or processed. | Wingify data centers are hosted in some of the most secure facilities available today, protected from physical and logical attacks as well as natural disasters. Physical security measures include intrusion protection and security guards. We rely on third-party attestations of physical security. Within our office premises, we employ best industry-standard physical security controls. |
| 6.7.4 | Embedded Technology | Facilitate the secure implementation of embedded technologies so that sensors minimize the collection of personal data and alert individuals to the personal data collected. | Not applicable to Wingify’s current product and service offerings. |
| 6.7.5 | Retire Outdated Systems | Upgrade, replace, or retire any system, application or service for which appropriate protections commensurate with risk cannot be effectively implemented. | Wingify has a mechanism in place for all End User Computing (EUC) devices, ensuring replacement before the prescribed end of life, mostly within 3 to 4 years. An intelligent defence mechanism (CrowdStrike Falcon) is also in place to identify vulnerabilities related to unsupported components in real time. |
| 6.7.6 | Personnel Security | Implement personnel management practices covering employees, contractors and other entities that ensure appropriate vetting and clearance to systems containing, storing or transmitting personal data. | Wingify has established a security program including awareness and training for all workforce members. Mandatory Security & Privacy Awareness training is provided annually. Workforce members who access systems for processing, storing or transmitting personal information are formally trained in data handling requirements prior to access authorization. |
| 6.7.7 | Rules of Behavior | Require employees and contractors to read and agree to abide by the organization’s rules of behavior prior to being granted access to systems, applications and/or services that store, transmit or process personal data. | Wingify has an Acceptable Use Policy (AUP) and every workforce member acknowledges it annually. The AUP defines acceptable and unacceptable use of technologies, including consequences for unacceptable behavior. |
| 6.7.8 | Employee Sanctions | Utilize employee sanctions to hold personnel accountable for complying with the organization’s privacy policies and processes. | Wingify has a robust Disciplinary Policy for sanctioning personnel who fail to comply with established security and privacy policies, standards and procedures. |
| 6.7.9 | Workforce Management | Respond to changing mission requirements and maintain workforce skills in a rapidly-developing technology environment through recruiting and retaining the talent needed to support the organization’s mission. | Wingify has Human Resource personnel security mechanisms in place as per ISO 27001:2022 Annex A.7 standard control requirements, validated annually by an external third-party auditor. |
| 6.7.10 | Professional Competency | Develop and enforce privacy competency requirements for staff members involved in the acquisition, management, maintenance and use of information resources. | Wingify has mechanisms in place (e.g., Background Verification — BGV) to manage personnel security risk by screening individuals prior to authorizing information system access. Clearly defined cybersecurity and privacy responsibilities for all personnel and a RACI matrix are maintained. |
Maintain adequate incident response capabilities and provide training for employees and contractors on how to report and respond to incidents involving personal data.
| # | Principle Name | Privacy Management Principle Description | Wingify Adherence Details |
| 6.8.1 | Breach Notification | Report data breaches involving personal data to relevant regulators, law enforcement and affected parties in accordance with applicable statutory, regulatory and contractual obligations for breach notification. | Wingify has a robust Security Incident Policy & Procedure and Breach Notification Plan. Any security incident or data breach is reported without undue delay. Please refer to the ‘Incident Response and Breach Notification’ section of our Data Protection Addendum (DPA). |
Implement a risk management framework to ensure that risks are identified, evaluated and addressed to achieve the necessary levels of trustworthiness, protection, and resilience.
| # | Principle Name | Privacy Management Principle Description | Wingify Adherence Details |
| 6.9.1 | Evaluate Risks | Utilize appropriate risk analysis methods to evaluate the likelihood and magnitude of harm from unauthorized access, use, disclosure, disruption, modification or destruction of personal data. | Wingify has a robust Risk Management Program including Risk Assessment, Risk Treatment, Business Impact Analysis, and Privacy Impact Assessment. We conduct annual assessments of risk likelihood and magnitude. Critical systems and applications undergo Vulnerability Assessment and Penetration Testing (VAPT) annually and security audits quarterly. |
| 6.9.2 | Risk Awareness | Maintain a current and accurate register of risk. | As part of our Risk Management Program, we maintain a risk register that facilitates monitoring and reporting of risks. |
| 6.9.3 | Assess Supply Chain Risk | Assess supply chain risks associated with systems, system components and services for privacy implications. | Wingify’s Risk Management Program includes supply chain risk assessment associated with information systems, system components and services. Before contracting with any third-party supplier or sub-processor, Wingify exercises due diligence to understand their information security and data protection controls. Due diligence on existing third-party suppliers is initiated annually. Business Impact Assessment processes are in place. |
| 6.9.4 | Data Protection Impact Assessment (DPIA) | Utilize Data Protection Impact Assessments (DPIAs) to effectively identify and reduce privacy risks to an acceptable level. | Wingify conducts a Privacy Impact Assessment (PIA) on all information systems, applications and services annually to evaluate privacy implications and associated risks. These are validated by an external third-party auditor. |
Provide privacy oversight of third-parties with access to personal data, so that only trusted third-parties are contracted with.
| # | Principle Name | Privacy Management Principle Description | Wingify Adherence Details |
| 6.10.1 | Supply Chain Protections | Govern the disclosure of personal data to ensure it is only provided to trusted third-parties that can store, process and/or transmit it in a secure manner. | Wingify evaluates security and privacy risks associated with the services and product supply chain. Further details on third-party supplier practices are outlined in our Information Security Policy. |
| 6.10.2 | Secure Disclosure To Third-Parties | Govern third-party use of personal data to ensure privacy requirements are enforced when a third-party stores, processes or transmits personal data on behalf of the organization. | Wingify has proper mechanisms in place to disclose Personal Information to third parties or sub-processors only for purposes identified in the Privacy Policy and with appropriate consent of the individual. |
| 6.10.3 | Contractual Obligations for Third-Parties | Require terms and conditions in contracts and other agreements to cover the collection, creation, use, dissemination, maintenance, retention, and/or disclosure of personal data. | Wingify enters into contractual agreements with all vendors and service providers, with a confidentiality clause as an essential component. Where personal information is involved, we sign a data protection agreement to ensure clearly defined roles and responsibilities. |
| 6.10.4 | Third-Party Compliance | Validate that privacy controls for systems, applications and services used or operated by third-parties are effectively implemented and align with industry-recognized secure practices, as well as applicable statutory, regulatory and contractual obligations. | Wingify has a process and plan in place for conducting security and privacy training, assessment, and monitoring activities associated with organizational systems. We do not provide any information access to third-parties or vendors beyond what is operationally necessary and contractually defined. |
We believe these ideas are inseparable. Together, they represent a single, core belief that has influenced everything we’ve made since day one, and everything we’ll make moving forward. When people use our products, they trust us with their information, and it is our job to do right by them. This means always being thoughtful about what information we use, how we use it, and how we protect it.
Choose Privacy. Choose Wingify.