Skip to main content

Data Security

Privacy and Confidentiality Statement

Conscia is committed to maintaining the highest standards of privacy and confidentiality when processing information sourced from various customer APIs, which may include sensitive data. Our approach is guided by rigorous compliance with GDPR and ISO 27001, ensuring robust data protection across our platform.

Compliance and Certifications

Conscia adheres to the General Data Protection Regulation (GDPR) and has maintained ISO 27001 certification, demonstrating our commitment to managing and securing sensitive information according to the highest industry standards.

Data Security and Protection Measures

  1. API Endpoint Security: We secure API endpoints to prevent unauthorized access to personal information. Customers can filter unnecessary data fields at the endpoint level, controlling what data is accessed and used.

  2. Encryption Practices: Data in transit and at rest is encrypted using industry-standard AES-256 encryption, ensuring protection from unauthorized access. Sensitive credentials are securely managed through Keycloak, an open-source identity and access management solution.

  3. Data Access Control: Access to the DX Engine configurations is restricted through granular access controls, ensuring only authorized personnel have access to critical resources. This includes the use of robust API token-based authentication to manage and secure API access.

  4. Data Processing Restrictions: At the Component level, Conscia allows customers to mask or remove specific data fields, such as Personally Identifiable Information (PII), to prevent sensitive information from being included in downstream flows.

  5. Data Storage and Retention: Customers control the retention and deletion of their data. Options include using DX Engine Cache for temporary data storage, DX Engine State for session-specific information, and logs that are stored for up to four weeks, with the ability to manage or export logs as needed. The DX Graph also supports secure data storage with advanced encryption techniques.

Commitment to Data Privacy

Conscia is dedicated to protecting the privacy and security of customer data. We provide customers with full control over their data, ensuring compliance with GDPR and other relevant regulations. Our platform is designed to securely manage data throughout its lifecycle, from secure access and processing to safe storage and deletion.

This Privacy and Confidentiality Statement underscores our dedication to safeguarding the data entrusted to us, ensuring that it is processed and managed with the utmost care and security.

Data Storage

There are three ways in which data may be stored within the DX Engine:

  • DX Engine Cache: Session-specific details, e.g., visitor ID, session status, etc., are stored in an internal cache. This cache is temporary and can be deleted through our Cache Invalidation API. The user has control over whether and how long to store any state in this cache, ensuring compliance with various data protection regulations.

  • DX Engine State: The state holds on to any information that you choose to hold on to during the session. The data within the State is available to all components in every orchestration flow defined within the application and hence is more versatile in its use than the cache. The Cache is limited to the response of a specific Component and the Component must be part of the orchestration flow in order for it to be able to access it. You should use Cache when you want to hold on to data from backends that are slow and you want to avoid sending unnecessary API requests to them. You should use State when several components within different orchestration flows need to be able to access and update the information within a session. An example would be items in cart, products viewed, categories clicked, etc.

  • DX Engine Logs: All data processed by the DX Engine is logged and stored for up to four weeks. When calling the DX Engine, you have the option to not store the DX Engine response in the logs via the responseLogged=false flag. These logs can be exported by Conscia upon request or on a schedule. You also have the option of routing the logs to your own logging service using the core capabilities of API orchestration.

  • DX Graph: Data in the DX Graph is also encrypted during transit and at rest. DX Graph uses asymmetric and symmetric encryption techniques to protect sensitive communications and large data volumes efficiently. Asymmetric encryption is utilized for secure communication and involves a pair of keys (public and private) for encryption and decryption, respectively. Symmetric encryption, on the other hand, uses a single key for both encrypting and decrypting data, making it suitable for processing large amounts of data quickly.

While Conscia equips the DXO with robust data security features, the ultimate responsibility for configuration and usage lies with you. The DXO data handling is determined by your setup, allowing you to selectively process information from various backend systems. This includes the option to exclude Personally Identifiable Information (PII) entirely, focusing only on necessary data for orchestrating digital experiences. In instances where PII is involved, such as when fetching customer data from a CRM, the DX Engine can facilitate its flow through the system. However, you can leverage the provided security mechanisms to prevent PII from being stored on our servers.

Complying with the General Data Protection Regulation (GDPR) involves both adhering to its requirements and communicating your practices to your users. Here's a suggestion for verbiage that could be included on your website:

Privacy and Data Protection – Our Commitment to GDPR Compliance

At Conscia, we are fully committed to upholding the highest standards of data privacy and security in line with the General Data Protection Regulation (GDPR).

Your Data, Your Rights: We respect your right to privacy and control over your personal data. Our Privacy Policy outlines how we collect, use, store, and protect your information.

Transparent Data Practices: We believe in transparency and are clear about the data we collect and how it is used to enhance your experience with our services.

Data Protection and Security: Safeguarding your information is our top priority. We employ robust security measures to protect your data from unauthorized access, alteration, or destruction.

User Consent and Control: We ensure that consent is sought where required, and provide easy options for you to manage your personal information and preferences.

Data Portability and Access: In compliance with GDPR, we provide mechanisms for you to access your data and, where applicable, to port it to other service providers.

Continuous Compliance: Our GDPR compliance is an ongoing effort, involving regular reviews and updates to our practices to stay aligned with legal requirements and best practices.