M I Synergy (Pvt) Ltd – Data Protection Policy

Version 1.0 | Last Updated October 2025


1. Overview

M I Synergy (Pvt) Ltd (“M I Synergy” / “MISYN”) is committed to protecting Personal Data entrusted to us by our Clients, Stakeholders, Employees, Business Partners, and Candidates. M I Synergy does not collect or maintain customer data on its own systems. Instead, we access client data only through secure channels (VPN, Webex, and other approved mechanisms) and only with explicit client authorization.

2. Purpose of Data Protection Policy

The purpose of this policy is to define how M I Synergy ensures compliance with applicable data protection laws while carrying out client engagements. The policy ensures:

  • Secure access to client data.
  • Restricted use of data for authorized purposes only.
  • No local storage, transfer, or retention of client data without written consent.
  • Protection of the rights of Data Subjects under relevant laws.

3. Data Protection Principles

M I Synergy upholds the following principles:

  • Lawful & Fair Processing – Data is accessed only with client approval.
  • Purpose Limitation – Data is used strictly for project purposes defined by the client.
  • Data Minimization – Only the minimum required data is accessed.
  • Accuracy – Data integrity is ensured by relying on the client’s source systems.
  • Retention – M I Synergy does not store customer data. Any temporary working data (logs, screenshots) is deleted immediately after project completion.
  • Security – All access is via VPN, Webex, or other client-approved secure channels.
  • No Cross-border Transfers – M I Synergy does not transfer client data outside client-controlled systems unless explicitly authorized.

4. Legal Rights of Data Subjects

M I Synergy acknowledges that the rights of Data Subjects (as per applicable data protection laws such as the Sri Lanka Personal Data Protection Act No. 09 of 2022 and client-jurisdiction laws) include:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict or object to processing
  • Right to appeal

M I Synergy supports its clients in fulfilling these rights when processing occurs via M I Synergy’s engagement.

5. Types of Data/Information

M I Synergy may access the following types of data (without retaining it):

  • Personally Identifiable Information (PII)
  • Financial / transactional data (if project-related)
  • Health or sensitive data (if project-related)
  • Digital system / application data

6. Processing of Personal Data

  • Lawful Basis – Access only with client authorization and proper contractual agreement.
  • Consent – M I Synergy never processes customer data outside approved client projects.
  • Access Controls – Only authorized employees are granted access.
  • Retention – No retention of client data within M I Synergy systems.

7. Access to Client Data (VPN, Webex & Remote Access)

  • Access occurs only through secure VPNs or Webex sessions provided by the client.
  • No screenshots, downloads, or local copies are allowed unless explicitly approved.
  • All sessions are logged and monitored for compliance.
  • Employees are trained to follow client-specific data handling policies.

8. Personal Data Sharing

M I Synergy does not share client data with third parties. Where collaboration with sub-contractors is necessary, client approval is mandatory, and non-disclosure agreements (NDAs) are enforced.

9. Review and Compliance

  • M I Synergy appoints a Data Protection Officer (DPO) to oversee compliance.
  • This policy is reviewed annually or when legal / operational changes occur.

10. Procedure for Handling Requests, Complaints and Inquiries

Requests or complaints relating to data protection may be directed to:

Head of PMO
M I Synergy (Pvt) Ltd
8B Somadevi Place
Colombo 05
Sri Lanka

📧 Email: misyninfo@misynergy.com

11. Use of Cookies

www.misynergy.com and related product portals may use essential, functional, or analytics cookies to improve user experience.

  • Cookies do not store passwords or sensitive personal identifiers.
  • Users may disable cookies via browser settings; however, some platform features may be affected.

12. Data Handling & Storage Practices

M I Synergy (Private) Limited does not permanently store or retain personal data of end customers of our client organizations. As a technology solutions and consultancy provider, MISYN operates in a data processor role, accessing data strictly on a need-to-know and time-bound basis, solely for service delivery, support, or diagnostic purposes, and only with prior documented authorization from the client. Once such activity is complete, MISYN does not retain copies of client data unless otherwise contractually required. All access activities are logged and governed under client-approved access control protocols.

13. Data Protection Management Program

While M I Synergy does not hold or maintain customer databases, we implement governance measures to ensure compliance with data protection standards during solution development, deployment, integration, and support.

14. Governing Law

This Data Protection Policy shall be governed by the Personal Data Protection Act No. 09 of 2022 (as amended) of the Democratic Socialist Republic of Sri Lanka.

15. Effective Date

This Data Protection Policy is effective from 15th of October 2025.

16. Revisions

The Organization reserves the right to review and revise this Data Protection Policy at any time by posting the updated policy with the revision date and number.

17. Definitions

  • Organization / MISYN / Company: Refers to M I Synergy (Private) Limited, including its technology platforms, consultancy practices, and affiliated solution frameworks deployed for client organizations.
  • Client: Refers to corporate entities such as insurance companies, financial institutions, banks, and other enterprises that engage MISYN to implement, configure, or support software solutions. Clients maintain full ownership and custody of all customer data handled through MISYN-deployed platforms.
  • Data Subject: Individuals whose data is processed through the platforms deployed or supported by MISYN. This may include policyholders, insured parties, claimants, financial customers, employees, or any natural person whose data exists within systems owned and controlled by MISYN’s clients.
  • Personal Data: Any piece of information related to a Data Subject that can directly or indirectly identify an individual, whether processed temporarily for support purposes or accessed through a MISYN-configured system under client authorization.
  • Processing of Data: Any access, configuration, troubleshooting, technical interaction, or system-level handling performed by MISYN strictly on a need-to-know, time-bound basis and under explicit approval from the client organization. MISYN does not permanently collect, host, or store customer personal data, except where explicitly contracted to do so under a managed service model with defined data governance terms.
  • Business Partners / Technology Partners: External service providers, infrastructure vendors, or cloud platform facilitators engaged by MISYN to enable solution delivery. Such engagements occur without transferring or retaining customer personal data, unless mandated by the client under a signed data processing agreement.
  • Stakeholders: Individuals or entities with a legitimate interest in MISYN’s service delivery and compliance obligations, including clients, regulatory bodies, auditors, support engineers, authorized project team members, and integration partners.
  • Users / Authorized Users: Personnel appointed by the client organization who operate MISYN-deployed platforms. They manage and control data internally and may request MISYN technical intervention for support, configuration, audit log analysis, or platform optimization purposes.
  • Candidates / Employees (Internal Data Category): Individuals applying for employment with MISYN or staff members whose data is processed internally for HR, recruitment, and administrative compliance. This internal data is separate from client-controlled customer data.