The General Data Protection Regulation (GDPR) establishes a consistent framework for safeguarding personal data across the European Union and in jurisdictions that interact with EU residents. XGC Software Inc. supports healthcare organizations and research partners that operate within these requirements, and we align our internal practices with GDPR principles.
This statement describes how we address GDPR obligations as a data processor and, in some instances, as a data controller for the services that we host and manage.
When delivering contracted solutions, we process personal data under the direction of our healthcare and research clients. Processing is grounded in legal bases such as public interest in public health, contractual necessity, and explicit consent when required. We document processing activities and data flows to support accountability.
We help controllers honor GDPR rights, including access, rectification, erasure, restriction, portability, and objection. Requests submitted directly to XGC are routed to the relevant controller for validation and response. We implement technical capabilities that enable timely retrieval, export, or deletion of data as part of standard operations.
Our engineering teams incorporate privacy and security requirements from project inception. We use secure development practices, role-based access controls, encryption in transit and at rest, and rigorous monitoring to mitigate risk. Regular assessments, penetration testing, and supplier reviews reinforce our compliance posture.
Whenever personal data is transferred outside of the EU or UK, we apply safeguards such as Standard Contractual Clauses (SCCs), data processing addenda, and technical controls that maintain continuity of protection. Hosting locations are selected in collaboration with each client to meet residency requirements.
We maintain a vetted list of subprocessors that provide infrastructure, analytics, or support functions. Each subprocessor is bound by contractual terms that require GDPR-aligned security, confidentiality, and breach notification obligations. Clients may request updates to the subprocessor list at any time.
XGC maintains a 24/7 incident response program that covers detection, containment, investigation, and communication procedures. If a personal data breach occurs, we promptly inform affected controllers and support them with impact assessments and regulatory notifications.
Questions regarding GDPR compliance can be directed to dpo@xgcsoftwareinc.com. Written inquiries may also be sent to XGC Software Inc., Attn: Data Protection Office, #250 - 997 Seymour St., PMB# 1303, Vancouver, British Columbia, V6B 3M1, Canada. For mail service, use 372 Bay Street, Suite 1800, Toronto, Ontario, M5H 2W9, Canada.
Last updated: January 5, 2025