Varigence DPA2018 Compliance Overview

1. Introduction

Varigence, Inc. (“Varigence”) is dedicated to safeguarding the privacy and security of any data it handles or processes. While Varigence’s core business model revolves around the creation and management of customer metadata (i.e., database schemas, transformation logic, and similar non-personal descriptive data), the company nonetheless aligns with the principles and requirements set forth in the UK Data Protection Act 2018 (DPA2018).

2. Data Types Handled by Varigence

  • Customer Metadata Only: Varigence does not store or host personal data. We only store metadata describing structures of customer databases or files, business logic, or transformation workflows.
  • Duration of Storage: Customer metadata is only retained for as long as necessary to resolve a support incident or fulfill consulting/training engagements.

3. Role Under DPA2018

  • Not a Controller or Processor: Because Varigence does not handle personal data, it does not act as a Controller or Processor under DPA2018. In rare or exceptional circumstances where personal data might be inadvertently provided, Varigence has established processes to ensure immediate secure handling and erasure as appropriate.

4. Data Subject Rights (DSARs) and Procedures

  • Documented Processes: Although Varigence does not collect or process personal data, we maintain documented procedures to handle Data Subject Access Requests (DSARs) in the event that a customer or data subject believes personal data was shared inadvertently.
  • Industry-Standard Timelines: These procedures follow standard DPA2018 timelines and processes, ensuring requests are addressed and resolved promptly.


5. Third-Party Services

  • Microsoft 365 (Email, Dynamics 365, SharePoint): Varigence uses Microsoft 365 services to manage email, support tickets, and collaboration documents. This may occasionally include customer metadata at the customer’s request (e.g., sending a BimlFlex project file).
  • Data Processing Agreement (DPA) with Microsoft: Varigence relies on Microsoft’s standard Data Processing Agreement for any data passing through these services. Because Varigence does not store personal data, these services are used solely for metadata sharing, support coordination, and internal communication.


6. Security Measures

  • Technical & Organizational Measures:
      • Access to stored metadata is restricted on a “least privilege” basis.
      • Data is protected in transit (e.g., TLS encryption) and at rest (e.g., secure server storage).
      • Any inadvertent or exceptional receipt of personal data triggers immediate handling and, if necessary, secure disposal.
  • No Formal Certifications: While Varigence does not hold formal certifications (e.g., ISO 27001, SOC 2), it employs security practices aligned with industry best practices, including strong access controls, encryption, and secure network configurations.


7. Breach Notification Procedures

  • Incident Response Policy: Varigence maintains an internal incident response policy to address any security or data protection incident. Even though Varigence does not operate as a Controller or Processor of personal data, the company is committed to notifying relevant parties if a breach involving any form of personal data is suspected.
  • Regulatory Notification: If a personal data breach were to occur, Varigence would notify the relevant supervisory authority (e.g., the UK’s ICO) and affected individuals, in accordance with DPA2018 and any other applicable laws.


8. Accountability and Governance

  • Policy Reviews: Data handling policies, including this overview, are reviewed regularly (at least annually) to ensure ongoing compliance with relevant data protection legislation, including the DPA2018.
  • Employee Awareness and Training: All Varigence employees and contractors undergo training that emphasizes the critical importance of data security, confidentiality, and DPA2018 alignment.


9. Conclusion

Although Varigence does not process or store personal data in its normal course of business, and therefore does not act as a Controller or Processor, Varigence remains committed to upholding DPA2018 principles of data security, minimization, and lawful handling. In the limited and exceptional event that personal data is inadvertently received, Varigence’s documented processes ensure robust safeguards, rapid incident response, and secure data disposal.