GEP TRUST - PRIVACY
At GEP, privacy isn’t just a policy — it’s a commitment. We are dedicated to protecting personal and sensitive information across all our platforms, products, and services. This page outlines how we handle data, including our policies, security controls, and legal agreements to ensure full compliance with global privacy laws and customer expectations.
Privacy Policy
GEP is fully committed to maintaining the privacy of personal information collected through GEP’s public website, non-public websites and any GEP software platforms, including web application(s) and mobile application(s) (“GEP’s Application(s) and Services”). All Privacy Information is protected by GEP in accordance with the terms set forth in the Privacy Statement. The GEP Privacy Statement can be found at https://www.gep.com/privacy-statement
Data Privacy Officer
GEP has assigned a Privacy Committee responsible for privacy-related concerns. The committee may be reached at Privacy@GEP.com.
Data Protection Controls
Data Ownership
GEP acts solely as a data processor, processing personal data only in accordance with customer instructions and exclusively for service delivery purposes. Customers retain full ownership of all data - including personal data - shared and processed as part of the services. No ownership rights in customer data are transferred, and all processing is conducted in compliance with applicable data protection laws.
Data Processing on a Lawful Basis
Personal data is processed only on a valid lawful basis, including customer authorization or consent, as applicable. Processing activities are limited to the purposes defined and agreed with the customer. No personal data is processed beyond agreed instructions. Consent requirements are managed in accordance with applicable data protection laws and regulations.
Data Access Restrictions
Access to customer personal data is strictly restricted and governed by role-based access controls and the principle of least privilege. Only authorized personnel with a legitimate business need are granted access. Such access is provided solely for the purpose of delivering services to the customer. All personnel with access to customer personal data are bound by confidentiality obligations.
Data Security
Customer data is protected through appropriate technical and organizational security measures. Encryption is used to safeguard data in transit and at rest. Access to data is restricted based on defined security controls and business need. Additional safeguards such as vulnerability management, backups, and periodic security reviews are followed to ensure data security.
Data Retention & Deletion
Customer data is retained for the duration of the contractual engagement. Upon contract completion, data is returned to the customer and securely deleted after data receipt is confirmed. Secure data destruction methods are used to ensure complete removal. A data destruction certificate is provided upon request.
Cookies and Tracking Technologies
Necessary, performance, and targeting cookies may be used in connection with GEP’s services. For further information, please refer to the Cookie Policy available at https://www.gep.com/cookie-policy.
Responses to Data Requests
Data Subjects
Requests relating to personal data, such as correction, access, deletion, portability, restriction, etc., are first notified to the customer, as the data controller. No action is taken without documented instructions from the customer. Requests are processed strictly in accordance with customer direction and applicable legal requirements. Appropriate verification is performed before fulfilling any data request to prevent unauthorized disclosure.
Government and Law Enforcement Requests
GEP is committed to transparency, due process, and protecting customer confidentiality when responding to government or law enforcement requests. All such requests, including subpoenas, court orders, and warrants, are reviewed and validated for legal sufficiency before any disclosure is made. Where legally permissible, GEP provides advance notice to the affected customer, enabling them to seek a protective order or otherwise exercise their legal rights prior to disclosure. If disclosure is required, only the data explicitly specified in the request is shared, and only the minimum amount of data necessary is disclosed, in accordance with applicable laws and contractual obligations.
Compliance with Privacy Laws
Data Processing Agreement (DPA)
GEP enters into a Data Processing Agreement (DPA) with customers to support compliance with applicable data protection laws. The DPA establishes the terms under which GEP processes personal data on behalf of customers, including commitments related to data protection, security, confidentiality, and sub-processor management.
Sub-processor Details
GEP maintains a list of sub-processors that may process customer data in connection with the delivery of GEP’s services. The list includes details such as the sub-processor name and the services provided.
GEP is committed to transparency and accountability in its data handling practices and provides this information to help customers understand the third parties involved in supporting GEP’s services.
| Name of the sub-processor | Applicable Products or Services | Purpose of Processing | Is Customer data or Customer PII Processed? |
| --- | --- | --- | --- |
| Microsoft Corporation | Azure Cloud Services | Cloud services for hosting GEP Software | Yes |
| Zeronsec | Zeronsec | Security logs monitoring | Yes |
| Salesforce, Inc. | Salesforce | Ticketing software for recording cases raised by users. | Yes |
| Akamai Technologies, Inc. | Akamai CDN | Content delivery network (CDN) | Yes |
| New Relic, Inc. | New Relic APM | Application performance monitoring and analytics. | Yes |
| Cloudmersive LLC | Cloudmersive | Malware analysis of uploaded files and file security validation | No |
| Octopus Deploy Pty Ltd | Octopus Deploy | Deployment automation and DevOps tools. | No |
| Zoho Corporation | Site 24/7 | Application and website monitoring. | No |
| GitHub Inc. (a subsidiary of Microsoft Corp) | GitHub Enterprise | Source code management and collaboration. | No |
| Twilio Inc | SendGrid | Email delivery and communication platform. | No |
| MongoDB Inc. | Atlas MongoDB | Cloud-based database management. | No |
| DigiCert | DNSMadeEasy | Managed DNS service | No |
| Cloudflare | Routing Services | Content delivery network (CDN) | No |
| Elasticsearch, Inc. | Elastic Cloud | Search and analytics engine (e.g., Elasticsearch). | No |
| PagerDuty | Call Manager | Incident response and alerting platform. | No |
| AWS | Cloud Services for Marketing | Cloud services for hosting GEP Marketing website | No |
| Atlassian | Jira | Project management tool | No |
Technical and Organizational Measures (TOMs)
Appropriate Technical and Organizational Measures (TOMs) are implemented to meet privacy regulatory requirements, ensuring the security and confidentiality of personal data. These measures are designed to align with the nature and scope of processing activities and to mitigate associated risks.
Where required by agreements such as Data Processing Agreements (DPAs), TOMs are deployed to protect personal data against unauthorized access, accidental loss, or unlawful processing. The measures combine technological safeguards, procedural controls, and continuous improvement to keep pace with evolving security standards.
Details of specific measures are available upon request or within customer agreements and compliance documentation.