GDPR Statement

Everway's GDPR Statement outlines its commitment to data protection and information handling best practice.

Key GDPR Commitments:

• Lawful Processing: Data is processed only with a lawful purpose or consent, and only the minimum necessary data is used.
• Data Management: Data retention periods are based on legal frameworks, accuracy and confidentiality are maintained, and all processing activities are recorded.
• Transparency & Rights: Individuals' rights are maintained, and Everway is transparent about data usage, including subprocessors, through accessible privacy policies and our Trust Center.
• Agreements: Terms and conditions, customer agreements, and data processing agreements are kept up-to-date and consistent.
• Supplier Monitoring: Third-party suppliers/sub-processors are monitored to ensure GDPR compatibility, prioritizing data protection and security.
• International Transfers: A robust approach is applied to international data transfers, confirming legal frameworks and contingencies.
• Policy Updates: Internal policies and practices have been updated to meet GDPR requirements.
• Continuous Investment: Everway continues to invest in products, services, and staff training.

Security Standards, Certifications, and Third-Party Audits:

• Everway is ISO 27001:2022 certified, implementing technical and organizational measures for high information security.
• Customer/Personal Information Storage Guidelines:

• Encrypted at Rest and in Transit (SSL).
• All access is logged and protected by two-factor authentication.
• Stored in ISO 27001 or equally secure facilities.
• Regularly and securely backed up.
• Recorded in the data security management system.
• Relevant data security contracts are recorded.

• No physical media for data transport.
• All data storage complies with the Information Security Policy.

Data Processing:

• Everway is committed to safeguarding customer, product user, and website visitor privacy, as detailed in its Privacy Policy.
• Everway has signed the Student Data Pledge and implements COPPA-compliant data policies.
• Data & Privacy Policies are regularly reviewed for ISO 27001 accreditation.

International Data Transfers:

• End-user personal information is stored in Amazon Web Services (AWS) and Microsoft Azure.
• Standard Contractual Clauses (SCCs) are in place with AWS to comply with EU and UK GDPR rules.
• User settings (cookies, local storage, Google/Microsoft accounts, servers) store preferences and annotations.
• Technical, security, and organizational measures are implemented for international data protection.
• Sub-processors, suppliers, and third parties must adhere to stringent security standards (ISO 27001, SOC2, etc.).
• Due diligence includes assessing and verifying accreditations and ensuring adequate legal frameworks/Transfer Impact Assessments.
• Agreements with third-country providers include SCCs and security measures.
• For international data transfers, we rely on adequacy decisions, EU SCCs and EU-US Data Privacy Framework.

Subprocessors:

• Everway engages sub-processors for product delivery and business operations, acting as the data controller.
• Comprehensive annual reviews of subprocessor security and compliance practices are conducted.
• Personal data processed by subprocessors is limited to employees, customers, and users, handled in accordance with data protection regulations.

Staff Training:

• Mandatory Information Security and Data Protection training is required for all employees (onboarding and annual refreshers).
• Background/criminal record checks are conducted where legally permitted.
• Employees are contractually bound by confidentiality clauses, reminded during onboarding and offboarding.
• Ongoing learning is supported through our communication strategy