This section introduces our compliance framework and provides information on compliance with applicable laws and regulations, as well as the policies and procedures we maintain to protect customer data.
Grepp, Inc. maintains a rigorous compliance framework to adhere to applicable regulations, industry standards, and best practices.
We hold ISO 27001, ISO 27701, and KISA ISMS certifications, which formally demonstrate our commitment to information security, privacy information management, and GDPR-compliant data processing.
Certifications held
ISO/IEC 27001:2022, DNV
ISO/IEC 27701:2019, DNV
ISMS, KISA (Korea Internet & Security Agency)
ISO 27001 is an international standard that specifies the requirements for implementing an Information Security Management System (ISMS). This certification demonstrates that Grepp, Inc. is serious about protecting customer data and managing information security risks.
ISO 27701 is an extension of ISO 27001 that specifies the requirements for a Privacy Information Management System (PIMS). This certification demonstrates Grepp, Inc.'s commitment to protecting personal and sensitive information, enhancing transparency, and complying with data protection laws.
Monito is designed to support GDPR compliance. The GDPR gives citizens of the European Union meaningful control over their personal data. We are committed to protecting your personal data and respecting your rights to privacy and transparency.
Our GDPR-compliant data processing is built on three independently audited frameworks.
ISO/IEC 27001:2022 (Certification Body: DNV)
Establishes ISMS controls that protect critical information from unauthorized access, leakage, and loss, directly supporting Article 32 of the GDPR, which requires technical and organizational security measures.
ISO/IEC 27701:2019 (Certification Body: DNV)
Extends ISO 27001 into the domain of privacy information management (PIMS). ISO 27701 is widely recognized as a practical implementation framework that maps directly to GDPR obligations such as the lawful basis for processing, data subject rights, and data breach notification.
To demonstrate GDPR-compliant data processing, we maintain the following processes and documentation.
Privacy Policy
We publish a Privacy Policy on our website that discloses the categories of personal data collected, the purposes of processing, the legal basis, retention periods, and sub-processors.
Data Subject Rights Procedures
In accordance with Articles 15 through 21 of the GDPR, we provide procedures for data subjects to exercise their rights of access, rectification, erasure (the right to be forgotten), restriction of processing, and data portability. Requests are handled within 30 days of receipt.
Cookie Consent Management
In accordance with the GDPR and the ePrivacy Directive, we obtain consent before installing non-essential cookies, and users can manage or withdraw their consent at any time.
Data Processing Agreement (DPA)
As a data processor handling personal data on behalf of its enterprise customers (data controllers), Grepp, Inc. enters into a Data Processing Agreement (DPA) in line with Article 28 of the GDPR upon request.
Biometric Data Processing and Explicit Consent
Given the nature of its remote proctoring service, Monito processes personal data such as facial images, video, screen recordings, and ID document images during the test-taking process. Such data is processed only within clearly defined purposes — exam proctoring, identity verification, and cheating prevention — and access permissions and retention periods are managed separately by processing purpose. Where facial images or video data are classified as special-category personal data or high-risk processing under applicable law, Monito processes them on the legal basis of separate, explicit consent. Processing for additional purposes, such as AI training, is kept distinct from core processing, is carried out on the basis of separate opt-in consent, and the relevant data is deleted without delay upon withdrawal of consent.
International Transfers of Personal Data
Monito is a service based in the Republic of Korea. Under the European Commission's adequacy decision for the Republic of Korea, transfers of personal data from the EU/EEA to Korea may be carried out lawfully without additional transfer mechanisms such as Standard Contractual Clauses (SCCs). Monito also uses certain global infrastructure and sub-processors to deliver its service, which may involve transfers outside the EU. For such transfers, we apply appropriate technical and organizational safeguards, including Standard Contractual Clauses under Article 46 of the GDPR, contractual data protection obligations, access controls, and encryption.
Data Protection Impact Assessment (DPIA)
Monito applies a risk-based approach to processing activities that may pose a high risk to the rights and freedoms of data subjects, such as remote proctoring, identity verification, video processing, and AI-based analysis. When new features are introduced or the purpose of processing changes significantly, we conduct a Data Protection Impact Assessment (DPIA) and document the results, mitigation measures, and residual risks for regular review. In particular, for areas that may be deemed high-risk — such as systematic monitoring, large-scale video processing, ID verification, and the use of data for AI training — we focus our assessment on the necessity and proportionality of the purpose, data minimization, retention periods, access permissions, and safeguards for data subject rights.
Sub-processor Management
We use third-party sub-processors to provide certain functions of the Monito service. Each sub-processor is contractually bound to data protection obligations equivalent to those in the customer DPA. Our key sub-processors are disclosed in our Privacy Policy.
Data Type | Key Items | Retention Period |
Enterprise member account | Email, name, mobile phone number, service usage records | Deleted upon contract termination (service usage records: 2 years) |
Test-taker ID verification | ID document image (masked), facial image | Facial comparison: destroyed immediately after identity is confirmed ID document image (masked): retained in storage for 35 days |
Exam recording (proctor review) | Webcam video, screen recording | Retained for 35 days for standard test-takers |
Exam recording (AI training) | Recording data exclusively for separately opted-in test-takers | Retained for 3 years for separately consenting test-takers (deleted immediately upon withdrawal of consent) |
Payment information | Masked card number, email, transaction history | Retained for 5 years under the Act on E-Commerce and related laws |
Customer support | Name, email, phone number | Retained for 3 years under consumer transaction laws |
Marketing | Name, email, phone number, and information collected upon marketing opt-in consent | Retained for up to 2 years per the period specified at consent and destroyed immediately once the purpose is fulfilled, or destroyed immediately upon withdrawal of marketing consent |
Our data retention and deletion procedures conform to ISO 27001 and 27701 and the other certifications we hold.
After contract termination, customer data is permanently deleted. However, exceptions to the above deletion principle may apply to data subject to statutory retention obligations under applicable law, backup and audit log retention, or data based on customer-specific settings or separate consent.