Data Policy
Edge operates in accordance with the following principles relating to Client Data:
Our business, your data
Edge integrates into the business systems of its clients to access Client Data to enable the Client to get a better view of its business metrics and derived insight. Edge acknowledges that Client Data and information and their management is critical to Client’s business. This policy does not form part of our Terms and Conditions but uses the same defined terms and sets out how Edge intends to manage Client Data.
Categorise and manage
Every piece of Client Data Edge receives, and the data Edge derives from it is assigned a category which determines how Edge manages that data.
Categories
Public:
Public data may be shared with anyone. Primarily only users of the Edge Product, but potentially with the public also. For example, aggregated and anonymised figures, national averages.
Shared:
Edge will share this data only with other Clients that use the Edge Product. Typically, those who have themselves committed to sharing the same type of data.
Private:
Only the Client to whom it belongs can view this data. For example, that client’s delivery price and margins.
Data Edge receives from retailers and assigned categories:
Deliveries (volumes and prices per liter)
How much fuel is delivered to a Client’s Covered Site and how much that client pays for it [Private]
Private
Sales volumes
How much fuel client is selling at any of its Covered Sites or across Client’s portfolio of Covered Sites [Private]
Private
Sales (or pole) prices
A client’s sales price and that Client’s competitors’ sale prices [Shared]
Shared
Margin
A client’s margin, per Covered Site, per week, per day, per litre [Private]
Private
Data Edge device, and assigned categories:
Wholesale fuel price predictions
Derived from past fuel price changes, current trends, industry events etc [Shared]
Shared
National average sales volumes
Aggregated and anonymised to regional or national figures [Shared]
Shared
National average sales (or pole) prices
Aggregated and anonymised to regional or national figures [Public]
Public
National average margin
Aggregated and anonymised to regional or national figures [Public]
Public
Policy on data aggregation:
The primary principle is that any aggregated data released by Edge must be anonymised so that the source of the data cannot be identified from the data by reverse engineering.
This involves:
- – having a sufficiently large sample size (number of petrol filling stations); and
- – having sufficient diversity of sources so that no source and the approximate data from that source can be identified by reverse engineering; and
- – having no source or group of sources which contribute to the data in a way that significantly skews the data (a very large or very small volume outlier).
All three criteria must be satisfied for the data to be both meaningful and anonymised, and therefore usable.
EdgePetrol would not expect data to be useful, usable or necessarily anonymised if any one of the above contributes more than twenty five percent (25%) of the sample size or data.
Policy on PCI-DSS account data
EdgePetrol does not acquire, hold, or process account data as defined by the Payment Card Industry Data Security Standard (PCI-DSS), and maintains measures to prevent the acquisition of such data, and instructs and trains its staff not to seek to acquire such data.
The Client acknowledges and accepts its responsibility, and responsibility for any of its agents and third-party service providers, to not share account data either by electronic transfer, or by grant of system access to cardholder data environment (CDE), or through any other means of communications with EdgePetrol, and to maintain systems to ensure compliance.
Non-compliance by the Client will amount to a breach of the standard terms and conditions pursuant to which notice of termination may be given if not remedied in accordance with the terms. These obligations also apply under the GDPR and other data protection systems and both EdgePetrol and the Client mutually warrant compliance.
PCI-DSS Compliance: Our responsibilities as a Third-Party Service Provider (PCI-DSS Requirement 12.9.1 & 12.8.2a)
EdgePetrol does not store, process, or transmit any account data as defined by PCI-DSS. However, as a TPSP, EdgePetrol also recognises its responsibility to ensure that its operations do not compromise the security of its customers’ cardholder data environments. This section outlines EdgePetrol’s compliance with PCI-DSS Requirements 12.9.1 and 12.8.2a, ensuring that EdgePetrol:
- As a third-party service provider (TPSP), acknowledges its responsibilities to support its clients’ PCI-DSS compliance efforts;
- Maintains written agreements with all of its TPSPs, where security of any Cardholder Data Environments (CDE) might be affected, including the TPSP’s own CDE and / or that of any of EdgePetrol’s customers.
To support this, EdgePetrol implements robust security measures, provides the necessary compliance information to customers, and incorporates clear contractual obligations regarding security responsibilities:
- EdgePetrol is responsible for maintaining secure operations that do not compromise the security of its client’s cardholder data environment (CDE).
- EdgePetrol will not intentionally acquire, store, process, or transmit account data and will implement appropriate safeguards to ensure compliance with this policy.
- EdgePetrol will notify clients if any activity, incident, or service delivered by EdgePetrol could affect the security of the client’s account data and / or cardholder data environment (CDE)
- EdgePetrol will maintain written agreements with all of its TPSPs, where security of any Cardholder Data Environments (CDE) might be affected, including the TPSP’s own CDE and / or that of any of EdgePetrol’s customers.
- Written agreements include acknowledgments from TPSPs that they are responsible for the security of account data the TPSPs possess or otherwise store, process, or transmit on behalf of the entity, or to the extent that they could impact the CDE of another entity.
egarding security responsibilities:
- – EdgePetrol is responsible for maintaining secure operations that do not compromise the security of its client’s cardholder data environment (CDE).
– EdgePetrol will not intentionally acquire, store, process, or transmit account data and will implement appropriate safeguards to ensure compliance with this policy.
– EdgePetrol will notify clients if any activity, incident, or service delivered by EdgePetrol could affect the security of the client’s account data and / or cardholder data environment (CDE)
PCI-DSS Compliance: Support for PCI-DSS Compliance (Requirement 12.9.2)
To further support its customers’ PCI-DSS compliance efforts, EdgePetrol agrees to the following upon request from a customer or third party service provider:
- EdgePetrol will provide its PCI-DSS compliance status, including any documentation that demonstrates EdgePetrol’s adherence to applicable security standards, such as its PCI-DSS Attestation of Compliance (AOC) or relevant evidence confirming the implementation of security controls.
- EdgePetrol will work with its clients to facilitate their PCI-DSS compliance. This includes providing timely information, participating in discussions related to compliance, and collaborating to resolve any security issues that may arise from services provided by EdgePetrol.
TRUSTED BY
