1. Introduction
At Many Digits, safeguarding customer data is our highest priority. We are committed to ensuring the confidentiality, integrity, and availability of all data we process. This policy outlines the technical, organizational, and procedural measures we take to protect information against unauthorized access, disclosure, alteration, or destruction. It applies to all employees, contractors, systems, and third-party service providers engaged by Many Digits.
We align our practices with globally recognized security and privacy standards (e.g., ISO 27001, SOC 2, GDPR, CCPA, HIPAA where applicable). This policy forms part of our broader compliance and risk management framework and complements our Privacy Policy.
2. Data Collection and Purpose
We collect only the minimum data necessary to deliver and improve our services.
- Data is processed strictly in line with our Privacy Policy and applicable laws (e.g., GDPR, CCPA, PCI DSS where relevant).
- We never sell or share personal data with unauthorized third parties.
- Sensitive data (e.g., payment details, authentication data) is handled exclusively through secure, compliant providers.
- Data Minimization & Purpose Limitation: Personal data is used strictly for the purposes stated and not repurposed without user consent.
- Consent Management: Users can withdraw consent to certain data processing activities in accordance with applicable law.
3. Access Control
- Principle of Least Privilege: Access to systems and data is restricted based on job responsibilities.
- Authentication & MFA: All privileged access requires strong authentication methods, including unique passwords and multi-factor authentication (MFA).
- Role-Based Access: Employees are assigned role-specific permissions that are reviewed and updated periodically.
- Logging & Monitoring: All access to customer data is logged and monitored for suspicious activity.
- Session Management: Automatic timeouts and reauthentication requirements are enforced for sensitive systems.
- Periodic Access Review: Access rights are reviewed quarterly and immediately revoked for inactive or terminated users.
4. Data Encryption
- In Transit: All communications between user devices, servers, and third-party services are encrypted using TLS 1.2+.
- At Rest: Sensitive data (including personal information, credentials, and chat histories) is encrypted using industry-standard algorithms (e.g., AES-256).
- Key Management: Encryption keys are securely managed, rotated periodically, and protected from unauthorized access.
- Hashing & Salting: Passwords and authentication tokens are hashed and salted before storage.
5. System & Network Security
- Firewalls & Intrusion Detection: Our systems are protected with firewalls, intrusion detection, and intrusion prevention tools.
- Patch Management: All software, servers, and libraries are updated regularly to address security vulnerabilities.
- Segregation: Development, testing, and production environments are separated to reduce risk.
- Vulnerability Management: Regular vulnerability scans and penetration tests are conducted to identify and remediate risks.
- Zero Trust Principles: Internal traffic between services is authenticated and encrypted.
- Endpoint Protection: Company devices are equipped with anti-malware, endpoint detection, and device encryption.
6. Data Retention & Disposal
- Data is retained only as long as necessary for the purposes stated in our Privacy Policy or to meet legal obligations.
- Upon request or termination of services, personal data is securely deleted or anonymized.
- Physical and electronic records are destroyed using secure, irreversible methods.
- User Rights: Users may request deletion or portability of their personal data under GDPR/CCPA.
7. Payment & Financial Data Security
- Many Digits does not store raw payment card information.
- All payment processing is handled through PCI DSS-compliant authorized payment providers.
- Financial transactions are encrypted and secured according to industry standards.
- Fraud detection and monitoring systems are in place to identify suspicious activity.
8. Incident Response & Breach Notification
In the event of a security incident:
- Containment: Immediate measures are taken to limit exposure.
- Investigation: We identify the root cause and impacted systems.
- Notification: Affected users and regulators will be notified within 24–72 hours, in accordance with legal requirements and payment partner obligations.
- Remediation: Steps are implemented to prevent recurrence.
- Documentation: All incidents are logged, analyzed, and reviewed.
- Testing & Simulation: Incident response plans are tested periodically with tabletop exercises.
9. Employee Awareness & Training
- All employees undergo security awareness training upon onboarding and annually thereafter.
- Employees are required to comply with this policy and report any suspicious activity or incidents immediately.
- Access is revoked immediately upon termination of employment.
- Specialized Training: Additional, role-specific training is provided to employees who hold privileged access or handle sensitive data.
10. Third-Party & Vendor Security
- Vendors and service providers (including cloud, hosting, and payment providers) are vetted for compliance with security and privacy standards.
- Contracts require third parties to adhere to equivalent levels of data protection.
- Access to customer data by third parties is strictly controlled and monitored.
- Third-party risk assessments are conducted periodically.
11. Business Continuity & Disaster Recovery
- Regular backups are taken and encrypted to ensure business continuity.
- Disaster recovery plans are tested periodically to minimize downtime in case of a system failure or cyber incident.
- Critical systems are deployed with redundancy for high availability.
- Data center providers must demonstrate compliance with international standards (e.g., ISO 22301 for business continuity).
12. Policy Review & Auditing
- This policy is reviewed at least annually or upon significant changes in technology, regulation, or business processes.
- Independent security audits and assessments are conducted periodically to validate compliance and identify improvements.
- Internal compliance checks are performed quarterly to ensure adherence to policy.
Questions about this policy? Contact contact@wiseexo.com.