Fenergo respects your privacy and is committed to protecting personal data in accordance with applicable data protection laws. This Privacy Notice explains how Fenergo processes personal data when acting as a Data Processor on behalf of its clients in connection with the provision and operation of its Software-as-a-Service (SaaS) solutions.
This Notice applies where Fenergo provides SaaS solutions to regulated financial institutions and other organisations (“Clients”).
Under this SaaS model, Fenergo acts as a Data Processor, processing client personal data solely in accordance with the documented instructions of the Client, who may act as either a Data Controller or a Data Processor, depending on its relationship with the underlying data subjects and processing activities. Importantly, Fenergo's SaaS solutions are deployed in a client-managed AWS tenancy, ensuring that the Client maintains ownership and control over its environment and associated personal data. By default, Fenergo does not have access to client data stored within the client's tenant unless explicitly authorised for technical support or maintenance purposes.
Personal data processed within the SaaS solution may include identification and contact data (e.g., names, email addresses), regulatory and compliance data, and transaction or onboarding-related information. This information is provided and controlled entirely by the Client or its authorised users. Fenergo does not collect personal data directly from individuals.
Fenergo may also process limited pseudonymised cookie, telemetry, log, and analytics data generated by the operation of its SaaS solutions. This processing is undertaken solely to maintain system security, monitor performance, support analytics, and enhance platform reliability, on the lawful basis of legitimate interests. Retention, security, and data handling practices are managed in line with Fenergo's established security and privacy frameworks, which ensure compliance with applicable data protection requirements.
Client personal data uploaded to the services is processed strictly to provide the contracted SaaS services, application support, maintenance, and compliance with agreed security obligations.
Clients have exclusive administrative control over their individual tenant, user their permissions, and client personal data. Fenergo does not access or use client personal data except:
Fenergo uses approved subprocessors (such as Amazon Web Services) in connection with the provision and operation of its Software-as-a-Service (SaaS) solutions. All subprocessors are subject to contractual data protection obligations consistent with applicable data protection law and are listed on the Fenergo Third Party List available on our Fenergo SaaS Document Portal. Fenergo maintains and regularly updates this list of approved Subprocessors used in connection with the Fenergo Platform. By signing up via the Fenergo Webform, Fenergo clients will receive email notifications whenever changes are made to the list.
We make Artificial Intelligence (AI) capabilities available within our SaaS solutions to enhance automation, accuracy, and efficiency in a secure and responsible manner. All AI capabilities are designed under Fenergo's SaaS AI Control Framework or equivalent, which ensures that the use of AI is transparent, explainable, and can be subjected to human oversight and client-defined controls as required under applicable law. Fenergo does not allow training on client personal data, does not make independent business or regulatory decisions on behalf of client, and these capabilities are designed to support our clients within clearly defined, privacy-protective boundaries. This approach reflects our commitment to trustworthy AI prioritising fairness, accountability, and data minimisation across all AI-enabled capabilities in our SaaS solutions.
Personal data is hosted in the AWS region selected by the Client. International transfers can occur in limited circumstances, for example, where clients elect to use subprocessors operating in different regions. All subprocessors are subject to contractual data protection obligations consistent with applicable data protection law and are listed on the Fenergo Third Party List available on our Fenergo SaaS Document Portal.
Fenergo implements industry-leading security measures including encryption, role-based access controls, and continuous monitoring consistent with ISO 27001 and SOC 2 Type 2 certification. Security within the SaaS environment follows a shared responsibility model. Fenergo is responsible for the implementation and operation of the information security program and the protection measures described in the agreement. The Client is responsible for properly implementing access and use controls and configuring certain features and functionalities of the Fenergo SaaS that clients may elect to use in the manner they deem to be adequate to maintain appropriate security, protection, deletion, and backup of client personal data.
As Data Processor, Fenergo does not have a direct relationship with data subjects whose information is processed in the SaaS service. If a data subject submits a request (e.g., access, erasure, or correction) to Fenergo, Fenergo will direct the requester to the relevant Client (the Data Controller) and will not contact the Client to disclose receipt of such requests. Clients are responsible for fulfilling DSARs under applicable privacy laws, and Fenergo will provide support as required under applicable law.
Fenergo retains any client personal data only for the duration of the contractual relationship. Clients have full control over personal data deletion within their tenancy using the functionality provided in the platform. Upon termination of the contract, personal data will be removed in line with contractual commitments.
For privacy-related questions, please contact:
Attn: Data Protection Officer
Fenergo Limited
Email: DataProtection@fenergo.com
This Notice will be reviewed periodically to ensure continued compliance with applicable data protection laws and to reflect updates to our SaaS delivery model.