Precision for complex portfolios — reconciliations, private assets, and audit-ready reporting in one system.

Connect with us
Legal & Privacy / Privacy Policy

Privacy Policy

Personal Data Protection Policy

Mosaiq

1. Purpose

The purpose of this Personal Data Protection Policy is to establish the principles, rules, and responsibilities governing the collection, access, use, storage, sharing, retention, and disposal of personal data processed by Mosaiq. This Policy is intended to ensure that personal data is handled in a lawful, fair, secure, and confidential manner, consistent with applicable legal, regulatory, contractual, and business requirements.

2. Scope

This Policy applies to all Mosaiq employees, contractors, consultants, temporary personnel, service providers, and any other individuals acting on behalf of Mosaiq who access, process, store, transmit, or otherwise handle personal data in connection with Mosaiq’s operations, systems, services, or business activities.

This Policy applies to personal data in any form, including electronic records, paper documents, emails, reports, databases, backups, portable media, and any other medium containing personal data.

3. Definitions

For purposes of this Policy:

  • Personal Data means any information relating to an identified or identifiable natural person, whether directly or indirectly.
  • Sensitive Personal Data means personal data requiring enhanced protection due to its nature, including, where applicable under law, data relating to health, biometric information, government identification data, financial information, or any other category deemed sensitive under applicable regulations.
  • Processing means any operation or set of operations performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, sharing, transmission, retention, deletion, or destruction.
  • Data Subject means the natural person to whom the personal data relates.

4. Policy Statement

Mosaiq is committed to protecting personal data and processing it responsibly, securely, and only for legitimate business purposes. Personal data shall be processed only to the extent necessary for authorized activities and in accordance with applicable legal, contractual, and internal requirements.

All personnel handling personal data must do so with due care, maintain confidentiality, and apply appropriate administrative, technical, and organizational safeguards to protect such data against unauthorized access, disclosure, alteration, loss, misuse, or destruction.

5. Principles for Processing Personal Data

Mosaiq shall process personal data in accordance with the following principles:

5.1 Lawfulness and Fairness

Personal data must be collected and processed for legitimate, defined, and authorized purposes, and only where there is a valid legal, contractual, regulatory, or operational basis to do so.

5.2 Purpose Limitation

Personal data shall only be used for the specific business purposes for which it was collected or for other compatible and authorized purposes.

5.3 Data Minimization

Only the minimum personal data necessary to fulfill the intended purpose shall be collected, accessed, used, or shared.

5.4 Accuracy

Reasonable steps must be taken to ensure that personal data is accurate, complete, and, where appropriate, kept up to date for the purposes for which it is used.

5.5 Storage Limitation

Personal data shall be retained only for as long as necessary to fulfill the purpose for which it was collected, or as required by law, regulation, contract, or legitimate business need.

5.6 Integrity and Confidentiality

Personal data must be protected through appropriate security measures designed to preserve its confidentiality, integrity, and availability.

5.7 Accountability

Mosaiq personnel are responsible for complying with this Policy and for handling personal data in accordance with internal controls, assigned responsibilities, and applicable requirements.

6. Collection of Personal Data

Mosaiq shall collect personal data only when necessary for legitimate business, operational, legal, regulatory, contractual, or service-related purposes. Personal data collection should be limited to what is relevant and proportionate for the intended purpose.

Whenever applicable, individuals from whom personal data is collected should be informed, through appropriate notices, agreements, policies, or other communications, of the relevant privacy terms governing such processing.

7. Use of Personal Data

Personal data may only be accessed and used by authorized personnel for legitimate and approved purposes related to Mosaiq’s business activities. Personnel must not use personal data for personal purposes, unauthorized business purposes, or any activity inconsistent with applicable requirements or this Policy.

Access to personal data must follow the principle of least privilege and be limited to those who require such access to perform their roles.

8. Storage and Protection of Personal Data

Mosaiq shall maintain reasonable administrative, technical, and organizational safeguards to protect personal data against unauthorized or unlawful access, use, disclosure, alteration, destruction, or loss. Such safeguards may include, as applicable:

  • role-based access controls;
  • authentication and password requirements;
  • encryption or secure transmission methods where appropriate;
  • secure storage locations and systems;
  • logging and monitoring of relevant system activity;
  • restricted access to production environments and data repositories;
  • secure backup and recovery controls;
  • endpoint and infrastructure protection measures; and
  • confidentiality obligations for personnel and third parties.

Physical and electronic records containing personal data must be stored securely and protected against inappropriate access.

9. Sharing and Disclosure of Personal Data

Personal data may only be shared internally or externally when there is a legitimate business need and an appropriate legal, contractual, regulatory, or operational basis for doing so.

Before sharing personal data with third parties, Mosaiq shall take reasonable steps, as applicable, to ensure that such third parties are authorized to receive the data and are subject to appropriate confidentiality, security, and data protection obligations.

Personal data must not be disclosed to unauthorized individuals, entities, or public channels. Special care must be taken when sending personal data by email, file transfer, messaging systems, shared folders, or external platforms.

10. Retention and Disposal

Personal data shall be retained only for as long as necessary to fulfill the relevant business purpose or to satisfy legal, regulatory, contractual, audit, or evidentiary requirements.

When personal data is no longer required, it must be securely deleted, destroyed, anonymized, or otherwise disposed of using methods appropriate to the nature of the data and the storage medium. Paper documents containing personal data must be securely shredded or destroyed. Electronic records must be securely deleted or rendered inaccessible in accordance with applicable internal procedures and system capabilities.

11. Confidentiality and Employee Responsibilities

All Mosaiq personnel who access or handle personal data are responsible for protecting its confidentiality and using it only in accordance with this Policy and related internal requirements.

Personnel must:

  • handle personal data only for authorized purposes;
  • avoid unnecessary copying, downloading, printing, or sharing of personal data;
  • store documents and files containing personal data securely;
  • ensure confidential information is masked or redacted before sharing where appropriate;
  • report any suspected privacy or security incident promptly;
  • complete required privacy and security training and awareness activities; and
  • comply with applicable internal policies, procedures, and access requirements.

Failure to comply with this Policy may result in disciplinary action, contractual consequences, or other appropriate measures, subject to applicable law and internal governance.

12. Sensitive Personal Data

Where Mosaiq processes sensitive personal data, enhanced care and safeguards must be applied due to the higher risk associated with such information. Access to sensitive personal data must be strictly limited to authorized personnel with a legitimate need to know, and additional security or handling controls may be implemented depending on the type of data and applicable requirements.

13. Data Subject Rights

Where required by applicable law, Mosaiq shall support the exercise of data subject rights relating to personal data processed by the company. Such rights may include, as applicable, the right to request access, correction, deletion, restriction, objection, portability, or other rights established by law.

Requests relating to personal data should be directed through the appropriate internal channel for review and response in accordance with applicable legal and operational requirements.

14. Incident Reporting and Response

Any actual or suspected loss, unauthorized access, disclosure, misuse, alteration, or destruction of personal data must be reported promptly through established internal incident reporting channels. Mosaiq shall review, investigate, and respond to privacy-related incidents in accordance with its incident response procedures and applicable legal, regulatory, or contractual obligations.

Where required, remediation measures, containment actions, escalation, documentation, and notifications shall be carried out in accordance with the nature and severity of the incident.

15. Training and Awareness

Mosaiq shall provide privacy and information security awareness to relevant personnel to promote proper handling of personal data and compliance with this Policy. Training and awareness activities may include onboarding materials, recurring training, internal communications, policy acknowledgements, and targeted guidance based on role or business need.

Personnel are expected to remain familiar with applicable privacy and data protection requirements relevant to their duties.

16. Third Parties and Service Providers

Where third parties process personal data on behalf of Mosaiq or receive personal data from Mosaiq, reasonable due diligence and contractual safeguards should be applied, as appropriate, to ensure that such parties protect the data in a manner consistent with applicable requirements and Mosaiq’s expectations.

Third-party access to personal data should be limited to what is necessary and reviewed periodically where applicable.

17. Governance and Review

This Policy shall be reviewed periodically and updated as necessary to reflect changes in legal, regulatory, contractual, operational, or risk requirements, as well as changes in Mosaiq’s business activities and data processing practices.

Management is responsible for supporting the implementation of this Policy, and all personnel are responsible for complying with it within the scope of their roles.

18. Related Documents

This Policy should be read together with other applicable internal documents, which may include, as applicable:

  • Information Security Policy
  • Access Control Policy
  • Data Retention and Disposal Guidelines
  • Incident Response Procedures
  • Employee Confidentiality Obligations
  • Secure Development and Change Management Procedures
  • Vendor and Third-Party Risk Management Requirements

19. Exceptions

Any exception to this Policy must be reviewed and approved through the appropriate internal governance process. Exceptions must be documented, justified, and subject to appropriate compensating controls where necessary.