Why Sigma: Data Privacy, GDPR and Security

Data Is Your Most Precious Asset — We Keep It Secure

Data security is crucial in data collection and annotation. Data can contain sensitive information and may be subject to privacy regulations. Whether the data contains personal information or information that’s otherwise confidential, it’s essential to keep it secure. Even non-confidential data is a valuable company asset worth protecting, especially when it takes time and resources to obtain and provides a competitive advantage.

Implementing thorough data protection practices requires a combination of technologies, rigorous procedures and other measures to protect data from intentional or accidental destruction, modification, disclosure, or theft. At Sigma, we have the most rigorous data security and privacy procedures in the industry, including cybersecurity and physical security measures. We are ISO27001 and SOC-2, type 2 Certified and 100% GDPR compliant.

Data Privacy and GDPR

The demand for data is growing alongside the advancement of AI applications. As hardware capabilities increase in terms of computational power and storage capacity, we can train AI algorithms with more data in a shorter period of time. Newer and more complex machine learning algorithms are being developed, and data is much more available than in previous decades.

Data can contain personal information, and as the volume of data grows and the ease of accessing it increases, so have concerns about data privacy. Governments are increasingly requiring compliance with more stringent regulations to protect personal data while ensuring that AI technology can continue to progress. The European General Data Protection Regulation (GDPR) is currently, to our knowledge, the strictest data protection regulation.

GDPR Requirements on Data Use

GDPR requires companies and other organizations to use personal information in a way that protects the privacy of the data subject — and it gives each person the right to decide how their personal data is utilized.

GDPR requires companies to:

  • Control the use of personal data, be clear about what the data is going to be used for, and, at the moment of data collection, to explain clearly this use of personal data to the subject so the person can make an informed choice on whether or not to consent to data collection
  • Limit the data collection to the minimum necessary for achieving the goal for which the data is collected and processed
  • Inform data subjects on who the data controller is, how to contact the data controller, the legal basis for processing the data, what categories of personal data are going to be processed, and the data subject’s rights
  • Document how the data protection requirements are met

The above is a general overview of GDPR, rather than a comprehensive description of its requirements. AI and compliance with data privacy relationships can coexist, but GDPR compliance requires expert legal advice in the area.

Another option is outsourcing data collection and annotation to companies, such as Sigma, that are GDPR compliant and have specialized personnel to carry out projects that involve personal data. We have 100% GDPR-compliant internal processes and have legal counsel on staff specialized in internet technology, intellectual property and data privacy compliance. In addition, our in-house security and privacy experts are available to advise you how to design and run annotation projects that involve the use of personal data and fall under GDPR restrictions.

Sigma’s suite of data collection and annotation tools includes technology for data anonymization. These automate the process of removing personal data from an original dataset, or modifying it to remove any identifying information. We can also generate entire datasets with no personal information whatsoever with synthetic data technologies.

ISO27001 Compliance at Sigma

ISO27001 is an international standard for information security that, rather than requiring a predefined set of technologies and procedures, defines a method to establish, implement and maintain a comprehensive information security management system (ISMS) — including continuous improvements. 

To be compliant, companies must:

  • Create a system to continually examine their information security risks and identify potential threats and vulnerabilities and their impact
  • Design and implement technologies that comprehensively control information security and mitigate risks
  • Ensure that the system will meet the organization’s information security needs currently and on an ongoing basis in the future

Sigma is ISO27001 compliant and undergoes periodic external audits and penetration tests to assure that security standards are maintained.

SOC-2 Type II Compliance

System and Organizational Controls (SOC) is a framework developed by the American Institute of Certified Public Accountants (AICPA) to certify that a company has implemented controls to protect against information-related risk. The company is required to undergo regular, independent audits to validate its adherence to the framework.

SOC 2 Type II audits are based on the framework’s Five Trust Service principles: security, privacy, availability, processing integrity and confidentiality. Achieving compliance requires companies not only to design these principles into their information systems, but show that they are effectively operating these controls over time, typically a period of 3-12 months — providing assurance of not just how systems are set up, but how they’re used on a day-to-day basis.

Sigma has been independently audited and obtained the  SOC 2 Type II report confirming our compliance.

Security Measures at Sigma

Sigma is committed to providing the most rigorous security for our customers’ data throughout the collection and annotation process. In addition to our ISO27001 certification, we’ve developed several technologies and protocols to satisfy all our customers’ data security needs.

Cybersecurity includes technologies, processes, tools, and practices that ensure computers, servers, communications, mobile devices, and data are protected from malicious attacks. It also controls and registers access to a company’s electronic resources. In Sigma’s secure facilities, we take measures to isolate secure work devices from any outside influence, including blocking ports, disabling printing and program installation, and severely limiting internet usage.

Learn more about our secure facilities

Physical security, generally speaking, protects people and property. In the context of data, it includes security measures to protect computers, communications, and storage devices physically and prevent on-premise unauthorized access to the data. We’re experts in physical security and have deep experience designing and implementing secure annotation facilities, including 24/7 security cameras, security staff, and metal detectors at entrances.

Want to learn more? Contact us ->

Sigma offers tailor-made solutions for data teams annotating large volumes of training data.
EN