Data Security
Policy

At Marloo, we take privacy and data security seriously.

1. Introduction

Marloo Limited is committed to ensuring the highest level of data security and compliance for Marloo, our product that handles sensitive client information, including financial, personal, and other confidential data. This policy outlines how we protect this data in compliance with the New Zealand Privacy Act 2020, Australian Privacy Principles (APPs), GDPR, CCPA, and other applicable laws.

2. Data Protection & Ethical Responsibility

As Compliance Manager and Data Protection Officer, Shakeel Lala is responsible for overseeing our adherence to data privacy regulations, managing incident responses, and ensuring ethical data handling. Please contact compliance@gomarloo.com for any privacy or compliance matters.

3. Data Collection, Processing & Usage

Marloo processes data necessary for providing our services, including transcription of meetings, compliance monitoring, and workflow automation.

  • Ownership & Control: Clients retain full ownership and control over their data. Marloo Limited does not share, sell, or use client data beyond what is necessary for providing our services.

  • Types of Data: Marloo handles various data types, including personal identifiers (e.g., name, contact details), financial information, meeting transcripts, and summaries. This data is only collected with user consent and is used strictly within the terms of service.

4. Data Storage & Processing Locations

All data collected is stored and processed using reputable third-party cloud providers, each of which meets the highest standards for data security and privacy.

  • Data Storage & Backups: Data is stored in secure environments, with backups distributed across geographically diverse regions to enhance resilience. Providers use AES-256 encryption for data at rest and TLS 1.2/1.3 for data in transit.

  • Cross-Border Data Transfers: Data may be processed in jurisdictions outside New Zealand and Australia, including the US and EU. Marloo Limited ensures that all cross-border data transfers are compliant with relevant privacy regulations, including GDPR’s Standard Contractual Clauses (SCCs).

5. Data Retention & Deletion Policies

Data is retained only as long as necessary to fulfil service requirements. Upon client request, data can be securely exported or deleted.

  • Retention Periods: Data is retained until the user requests deletion or terminates their account. Marloo Limited ensures data deletion aligns with each provider’s process, which may involve data removal from active systems within 72 hours and backups being destroyed within 30 days (confirming that all providers can meet this policy is critical and may vary).

  • Right to be Forgotten: Clients have the right to request the deletion of their data at any time, and Marloo has established processes to ensure this right is honoured promptly.

6. Access Controls & Data Security

To prevent unauthorised access and ensure data confidentiality:

  • Authentication & Authorisation: Marloo enforces Multi-Factor Authentication (MFA) for all users accessing the system. Access is controlled by a role-based system, with super-admin privileges for each firm and master privileges for compliance teams.

  • Encryption Standards: All data is encrypted both in transit (TLS 1.2/1.3) and at rest (AES-256), ensuring data integrity and confidentiality.

  • Access Logging & Monitoring: Comprehensive access logs are maintained for a minimum of one year, and these are regularly audited to detect and respond to unauthorised activity.

7. Data Handling for AI Services

Marloo may utilise third-party AI services for transcription and summarisation, which adhere to the following principles:

  • Opt-Out for AI Training: Client data is not used for AI training purposes.

  • Accuracy & Review of AI Outputs: While Marloo aims to ensure high accuracy, clients are responsible for validating AI-generated content before use.

  • Bias Mitigation: Regular reviews of AI model outputs are conducted to mitigate potential biases and ensure fair, reliable reporting.

8. Incident Response & Breach Notification

In the event of a security incident:

  • 72-Hour Breach Notification: Clients will be notified of any breach involving their data within 72 hours of detection, in compliance with GDPR and other privacy laws.

  • Response Process: Marloo has established an incident response process to quickly identify, contain, and remediate any data security issues.

9. Compliance & Audit Trail

To support compliance with regulatory standards:

  • Audit Trails & Reports: Marloo maintains comprehensive audit trails to support compliance monitoring and provide reports for both regulatory and internal reviews.

  • Continuous Improvement & Scalability: Marloo Limited is committed to continually improving security practices and scaling the solution to meet the evolving needs of clients.

Document Information

  • Date: 26 September 2024

  • Version: 1.0

  • Author: Shakeel Lala, Compliance Manager, Marloo Limited

  • Contact: compliance@gomarloo.com