Last Updated: 30th January 2025
Introduction
At Fintechnology Asia Pacific Lanka (Pvt) Ltd (FINAP), we recognize the critical importance of safeguarding personal, financial, and operational data processed through our ECOru Core Banking Software. This privacy statement describes how we collect, handle, store, and protect the data of our users—banks, financial institutions, and their respective customers. Our unwavering commitment to privacy, data protection, and confidentiality is fundamental to our operations, and we adhere to the highest industry standards to ensure data security.
1. Parties Involved
Users: Banks and financial institutions that deploy the ECOru Core Banking Software to support their banking operations, manage their financial products, and interact with their own customers. Users are responsible for the proper configuration and lawful use of the software in alignment with applicable regulations.
End Users: Employees and management staff within the financial institutions who interact with ECOru software to perform their day-to-day banking functions. They access data on the platform, making critical decisions and supporting customer operations.
Institutional Clients: Individual or business customers of banks and financial institutions who purchase savings, lending, and term deposit products. Institutional Clients’ personal and financial data, including Know Your Customer (KYC) and Customer Due Diligence (CDD) information, is stored and processed within the system to enable financial services. This category includes the customers’ associated individuals, such as guarantors, joint account holders, and those providing collateral.
2. Data Collected and Stored
ECOru Core Banking Software manages and processes various types of sensitive and confidential data crucial to the financial services ecosystem. This includes, but is not limited to:
For Financial Institutions (Users):
Detailed business information, including logos, branding materials, product names for savings, lending, and term deposit services, terms and conditions for financial products, internal policies, and interest rate calculations.
Sensitive operational data, including internal reports, transaction records, and procedural guidelines crucial to the day-to-day running of the institution.
Configuration data to customize banking services, adapt to changing market demands, and maintain compliance with evolving legal and financial regulations.
For Institutional Clients:
KYC and CDD Information: Personal identification data, including national IDs, tax information, proof of address, and documents verifying the individual’s identity and financial background.
Financial Information: Income levels, sources of income, employment information, banking history, account balances, and transaction data.
Collateral and Loan Information: Details of any collateral provided as security for loans, including valuation and ownership documents. Information related to loan agreements, repayment schedules, guarantor details, and credit histories.
Associated Individuals: Data on guarantors, joint account holders, and third-party beneficiaries, including personal details, financial relationships, and legal obligations.
3. Data Security and Storage
The data managed through ECOru Core Banking Software is stored in Microsoft Azure’s secure cloud infrastructure. Microsoft Azure provides a comprehensive suite of security measures designed to protect data from unauthorized access, loss, or corruption. Specific protections include:
99.999% Uptime Guarantee: Ensures that the ECOru platform is available and accessible at virtually all times, minimizing service disruptions. Azure’s redundant infrastructure prevents outages, maintaining the operational continuity of the financial institutions that rely on ECOru.
Advanced Encryption: All data, both in transit and at rest, is encrypted using industry-standard encryption protocols, ensuring that sensitive information remains secure during storage and transmission. This encryption protects against unauthorized access and ensures the confidentiality of financial and personal data.
Data Loss Prevention (DLP): Mechanisms are implemented to detect and prevent the accidental or unauthorized exposure of sensitive data. This includes data integrity checks, automated backup systems, and processes for preventing data corruption.
Comprehensive Monitoring: Continuous surveillance and advanced threat detection tools monitor data environments to detect suspicious activity, identify vulnerabilities, and respond to security incidents in real time.
4. Compliance with Regulations
FINAP ensures that the ECOru Core Banking Software complies with relevant global and local privacy regulations. We implement strict governance measures to uphold compliance, including but not limited to:
General Data Protection Regulation (GDPR): For financial institutions operating within or serving clients from the European Union, we adhere to the stringent data protection requirements set forth by the GDPR. This includes providing individuals with the right to access, correct, and delete their personal data.
Sri Lanka’s Data Protection Act: We comply with the provisions of Sri Lanka’s Data Protection Act, which governs the collection, storage, and processing of personal data within the country.
Other Applicable National Laws: ECOru is adaptable to the specific privacy and data protection laws of various jurisdictions. Institutions using the system can configure their data processing workflows to comply with Anti-Money Laundering (AML), Know Your Customer (KYC), and Customer Due Diligence (CDD) regulations that govern financial transactions in their region.
5. Data Usage and Access
Data processed and stored in ECOru Core Banking Software is governed by strict access control policies:
Role-Based Access Control (RBAC): Access to sensitive data is granted based on the role of the user within the financial institution. Employees are granted access to only the data they need to perform their job functions, minimizing the risk of unauthorized data exposure.
Data Ownership: Financial institutions retain full ownership of the data they upload into the ECOru system. They are considered the primary data controllers, responsible for determining the purposes and legal grounds for processing personal data, while FINAP acts as a data processor, ensuring that the data is managed securely and in accordance with contractual agreements.
Audit Logs: All data access, modifications, and transactions are tracked in detailed audit logs, providing financial institutions with full visibility over the usage of data within the system. These logs can be used to investigate suspicious activity or perform compliance audits.
6. Data Retention and Deletion
Data processed within ECOru is retained for the duration necessary to fulfill legal, regulatory, and contractual obligations. At the end of the contract, financial institutions have several options for managing their data:
Retention Period: Data is retained as long as required by applicable laws, such as tax regulations or anti-money laundering requirements.
Secure Data Deletion: Upon request and subject to legal requirements, FINAP will securely delete all institutional and customer data from the system.
Data Transfer: Institutions can also request the transfer of their data in a secure format, allowing them to migrate it to another system or retain it for archival purposes.
7. Data Breach Notification
In the event of a data breach, FINAP will initiate its breach response plan, which includes:
Immediate Assessment: Upon detection of a potential data breach, FINAP will perform an immediate assessment to determine the nature and extent of the breach.
Notification to Users: Financial institutions will be promptly informed of the breach and its impact. In compliance with data protection regulations, affected individuals and relevant authorities will be notified within the required timeframe.
Remediation Plan: FINAP will collaborate with financial institutions to mitigate the effects of the breach, secure affected data, and restore system integrity.
8. Changes to This Privacy Statement
FINAP reserves the right to update this privacy statement to reflect changes in technology, legal requirements, or industry practices. Any material changes will be communicated to users promptly:
Notification of Changes: Users will be informed via email or system notifications, and the updated privacy policy will be made available within the ECOru platform.
Continued Usage: Continued use of ECOru Core Banking Software after receiving notice of changes constitutes acceptance of the updated privacy terms.
9. User Acceptance
By purchasing, subscribing to, or using ECOru Core Banking Software and related services, financial institutions acknowledge and agree to the terms outlined in this privacy statement. Specifically:
Consent to Data Processing: Users consent to the collection, processing, and storage of their data, as well as the personal data of their Institutional Clients, in accordance with the practices described in this privacy policy.
Compliance with Legal Obligations: Users affirm that the data they submit, including customer data, complies with applicable laws and that they have secured the necessary consent for processing customer data.
Data Accuracy and Legality: Users bear responsibility for ensuring the accuracy, legality, and appropriateness of all data they provide.
Agreement to Security Measures: Users acknowledge and agree to the security measures implemented by Microsoft Azure and FINAP, including data encryption, access controls, and breach response protocols.
10. Limitation of Liability
While FINAP implements comprehensive security measures and complies with industry best practices, we are not liable for certain risks:
Unauthorized Access: FINAP is not liable for breaches caused by user mismanagement, such as failure to secure login credentials, failure to implement proper access controls, or unauthorized actions by third parties associated with the financial institution.
User Misconduct: Financial institutions are solely responsible for any misuse of ECOru or inappropriate handling of data by their employees or contractors.
Third-Party Service Disruptions: While ECOru is hosted on Microsoft Azure, FINAP cannot be held liable for disruptions, breaches, or losses resulting from third-party service providers, including Azure.
Non-Compliance by Users: It is the responsibility of the financial institution to ensure compliance with legal obligations such as KYC, AML, and local data protection laws. FINAP shall not be liable for any legal or financial consequences arising from user non-compliance.
11. Indemnification
Users agree to indemnify and hold harmless FINAP from and against all liabilities, claims, and expenses (including reasonable attorney’s fees) arising from:
1. Breach of this privacy policy or applicable law by the user or their employees.
2. Misuse of ECOru software by the user, including failure to safeguard access credentials and internal data handling procedures.
3. Failure to comply with KYC, AML, and other regulatory obligations, leading to legal actions, penalties, or claims.
12. Force Majeure
FINAP is not responsible for delays, failures, or disruptions in service caused by unforeseen events outside our control, including natural disasters, civil disturbances, terrorist acts, government actions, or widespread internet failures. In such cases, we will make reasonable efforts to resume normal operations as soon as possible.
Contact Us
If you have any questions or concerns regarding this privacy statement or your data processed within the ECOru platform, please contact us at +94 76 824 7643.