Pursuant to UK Legislation, EU-Derived Best Practices, and International Data Protection Standards
Company: Binariver Ltd.
Registered Office: 27 Old Gloucester Street, London, WC1N 3AX, United Kingdom
Company Number: 10620589
Revision Note Date | Approved by the Board of Directors:
- Issuance: 16.05.2025 | 31.05.2025
- Revision: 1.1
PREAMBLE
Binariver Ltd. (the “Company”), registered in England and Wales (Company Number 10620589), develops IT solutions, including web and mobile applications across multiple domains:
- Spokel.com: Real estate listing platform for companies, agencies, and private individuals to publish properties for sale/rent, with customer search and contact features.
- Flowido.com (Flowido App): ERP system for business process management (e.g., finance, HR, supply chain).
- Binariver.com and App: Tailored AI-driven business ERP assistance and on-premises applications for customized enterprise solutions.
- iDatacode.com: Barcode-generating app for business operations (e.g., inventory, logistics).
- iOS Business Applications: Various business-focused apps on the Apple App Store (e.g., productivity, workflow management).
- Medical Device Applications: Diagnostic and monitoring apps with AI integration.
- Other Apps: Business operations documents, AI-driven tools.
Serving corporate and private customers globally, with key markets in the UK, EU, USA (California), Canada, Argentina, Brazil, Japan, Australia, India, and other countries, the Company's operations involve substantial cross-border data transfers. This Compliance and Governance Model ensures adherence to UK laws (e.g., UK Bribery Act 2010, Criminal Finances Act 2017, Modern Slavery Act 2015, UK GDPR/Data Protection Act 2018, Companies Act 2006, UK Medical Devices Regulations 2002), EU-derived standards (e.g., EU GDPR, EU AML Directives, EU MDR 2017/745), and international data protection laws (e.g., CCPA/CPRA, PIPEDA, LGPD, APPI, PDPL, Australian Privacy Act, Indian DPDP Act). The Model prevents corporate offenses, promotes ethical conduct, and mitigates legal, financial, and reputational risks, with tailored measures for real estate, ERP, AI, barcode, medical device, and iOS app risks, including UK-EU data disclosure conflicts.
0. DEFINITIONS
- Company: Binariver Ltd., registered at 27 Old Gloucester Street, London, WC1N 3AX, Company Number 10620589.
- Board: The Company’s Board of Directors, comprising a Chair, CEO, CFO, and two non-executive directors (as of May 2025).
- High-Risk Activity: Activities prone to offenses under UK or international law (e.g., bribery, data breaches, AI bias, tax evasion, medical device non-compliance, ERP data misuse, barcode app vulnerabilities).
- Code of Conduct: The Company’s ethical guidelines (Attachment B).
- Recipients: Directors, employees, contractors, suppliers, and third parties acting for the Company.
- Compliance Officer: Individual overseeing compliance, reporting to the Board.
- Data Protection Officer (DPO): Individual ensuring compliance with UK GDPR and international data laws.
- Stakeholder: Individuals or entities affected by the Company’s activities (e.g., corporate clients in real estate/ERP/healthcare, private users of Spokel.com/Flowido/iDatacode/iOS apps).
- Client Types: Corporate clients (e.g., real estate agencies, businesses using ERP/AI, healthcare providers) and private individuals (e.g., Spokel.com users, iOS app users).
PART I - GENERAL FRAMEWORK
1. UK AND INTERNATIONAL COMPLIANCE FRAMEWORK: OVERVIEW
1.1. CORPORATE LIABILITY IN THE UK
UK law imposes corporate liability for:
- Bribery (UK Bribery Act 2010).
- Facilitation of tax evasion (Criminal Finances Act 2017).
- Corporate manslaughter (Corporate Manslaughter and Corporate Homicide Act 2007).
- Modern slavery (Modern Slavery Act 2015).
- Data protection breaches (UK GDPR/Data Protection Act 2018).
- Medical device non-compliance (UK Medical Devices Regulations 2002).
1.2. KEY OFFENSES
Relevant offenses include:
- Bribery: In contracts for Spokel.com listings, Flowido ERP, Binariver AI solutions, iDatacode, or medical apps, especially in Japan, Brazil, India.
- Tax Evasion: Facilitation via cross-border app sales or subscriptions.
- Modern Slavery: Supply chain risks (e.g., hardware for medical devices/iDatacode from India).
- Data Protection: Breaches in Spokel.com (listing/contact data), Flowido (business data), Binariver (AI/ERP data), iDatacode (barcode data), iOS apps (user data), or medical apps (health data).
- Fraud/Money Laundering: Via app transactions, listing payments, or ERP subscriptions.
- Health and Safety: Workplace risks in London office/remote setups.
- Environmental Offenses: E-waste from IT/medical device operations.
- IP/AI Ethics: IP theft or biased AI algorithms, notably in Japan for Spokel.com/Binariver/medical apps.
- Medical Device Non-Compliance: Failure to meet UK/EU standards (e.g., EU MDR 2017/745).
1.3. ADEQUATE PROCEDURES
The Model includes:
- Risk assessments for high-risk activities (e.g., data transfers, medical device certification, ERP data security, barcode app vulnerabilities).
- Policies/controls per Attachment A: Customer Jurisdiction Compliance Framework.
- Due diligence on suppliers/clients (e.g., real estate agencies, ERP vendors, iOS app partners).
- Tailored training (e.g., GDPR for EU, CCPA for California, MDR for healthcare, AI ethics for Binariver).
- Monitoring/auditing, including UK-EU data disclosure conflict resolution.
1.4. OFFENSES COMMITTED ABROAD
The UK Bribery Act, Criminal Finances Act, and UK GDPR apply extraterritorially. International laws (e.g., CCPA, LGPD, APPI, CLOUD Act, EU MDR) apply per Attachment A.
1.5. CORPORATE GOVERNANCE AND MODIFYING EVENTS
The Companies Act 2006 governs restructuring. The Board (Chair, CEO, CFO, two non-executives) oversees compliance.
2. BINARIVER LTD. AND ITS INTERNAL CONTROL SYSTEM
2.1. CORPORATE GOVERNANCE SYSTEM
Binariver Ltd. develops:
- Spokel.com: Real estate listings for sale/rent by agencies, companies, and individuals.
- Flowido.com (Flowido App): ERP for business processes (e.g., finance, HR, supply chain).
- Binariver.com and App: AI-driven ERP assistance and on-premises enterprise solutions.
- iDatacode.com: Barcode-generating app for inventory/logistics.
- iOS Business Applications: Productivity/workflow apps on the Apple App Store.
- Medical Device Applications: AI-integrated diagnostic/monitoring apps.
- Other Apps: Business operations, AI tools.
The Board, aligned with the UK Corporate Governance Code 2018, ensures compliance for corporate clients (e.g., real estate agencies, ERP users, healthcare providers) and private users (e.g., Spokel.com customers, iOS app users).
2.2. GENERAL PRINCIPLES OF INTERNAL CONTROL
Controls ensure:
- Compliance with UK/international laws (e.g., EU MDR, CCPA).
- Risk management (e.g., AI bias, ERP data breaches, barcode app vulnerabilities).
- Operational efficiency.
- Reliable reporting.
- Asset protection (e.g., listing data, ERP configurations, barcode IP).
2.3. OUTSOURCING
Outsourced tasks (e.g., cloud hosting for Spokel.com/Flowido, barcode app development, medical device manufacturing in India) require contracts per Attachment A.
2.4. LEGAL REPRESENTATION AND DEFENSE
Directors or appointed counsel represent the Company, with protocols for UK-EU data disclosure conflicts (see Section D).
3. STRUCTURE OF THE COMPLIANCE AND GOVERNANCE MODEL
3.3. STRUCTURE
- General Framework: Legal obligations, governance, controls.
- Specific Areas: Offense-specific measures.
Attachments:
- A: Customer Jurisdiction Compliance Framework
- B: Code of Conduct
- C: Whistleblowing Policy
- D: Sample SCCs/DPAs
- E: Risk Register
4. COMPLIANCE OVERSIGHT
4.1. ROLE AND RESPONSIBILITIES
- Compliance Officer: Oversees Model, audits, regulator liaison.
- DPO: Manages UK GDPR, CCPA, EU MDR, etc., per Attachment A, with oversight for Spokel.com, Flowido, Binariver, iDatacode, and iOS apps.
4.2. INFORMATION FLOWS AND REPORTING
Reports are submitted to contact@binariver.com or to project-specific channels (e.g., dpo@spokel.com, dpo@flowido.com). Jurisdiction-specific protocols apply (e.g., 72-hour GDPR breach reporting, CCPA deletion requests).
4.3. WHISTLEBLOWING
Per Attachment C, a PIDA 1998-compliant policy supports anonymous reporting via wsb.binariver.com or project-specific channels, aligned with the EU Whistleblowing Directive.
5. DISCIPLINARY AND SANCTION SYSTEM
5.1. MEASURES FOR EMPLOYEES
Per ACAS Code, sanctions vary:
- UK/EU: Warnings to dismissal (e.g., GDPR, MDR breaches).
- USA: Termination for CCPA violations.
- Japan/India: Disciplinary action respecting local labor laws.
5.2. MEASURES FOR DIRECTORS
Board action, including removal.
5.3. MEASURES FOR THIRD PARTIES
Contracts include termination/damages for breaches (e.g., LGPD, MDR, Spokel.com listing misuse, Flowido data breaches).
6. DISSEMINATION, ADOPTION, AND UPDATING
6.1. DISSEMINATION AND TRAINING
- Training: Annual, multilingual (English/Japanese/Hindi/Portuguese):
  - Developers: GDPR, CCPA, EU MDR, AI ethics (Japan focus), barcode app security.
  - Sales: Anti-bribery (Brazil, India), Spokel.com/Flowido compliance.
  - Managers: CLOUD Act, LGPD, UK-EU data conflict protocols.
- Dissemination: Model on intranet, emailed, shared with third parties (e.g., Spokel.com advertisers, Flowido clients).
7. ADOPTION
Adopted 31.05.2025, published on the Company's website.
8. UPDATING
Annual review by Compliance Officer/DPO/Board, or upon legal changes (e.g., DPDP Act, CCPA amendments).
PART II – SPECIFIC COMPLIANCE AREAS
SECTION I - GENERAL CONDUCT AND CONTROL PRINCIPLES
1. GENERAL PRINCIPLES:
- Act with integrity, transparency.
- Protect sensitive data (e.g., Spokel.com listing data, Flowido business data, Binariver AI outputs, iDatacode barcode data, iOS app user data, medical app health data).
- Ensure all apps comply with jurisdiction-specific laws.
2. PREVENTIVE PROCEDURES:
- 2.1. Financial Resource Management: Segregation of duties, audit trails.
- 2.2. Third-Party Due Diligence: Vetting for modern slavery, AML, GDPR, MDR, app-specific compliance.
- 2.3. Cross-Border Data Transfer and Cybersecurity: SCCs/DPAs (Attachment D), encryption, audits.
- 2.4. Contract and Procurement Management: Transparent bidding, MDR compliance checks.
- 2.5. Gifts and Hospitality: £50 limit, registered.
SECTION II - SPECIFIC OFFENSE PREVENTION
A. BRIBERY AND CORRUPTION
- Risks: Contracts for Spokel.com listings, Flowido ERP, Binariver AI, iDatacode, iOS apps, medical apps in Brazil, India.
- Controls: Anti-bribery policy, due diligence.
- Reporting: To Compliance Officer.
B. TAX EVASION
- Risks: Cross-border sales/subscriptions for Spokel.com, Flowido, Binariver, iDatacode, iOS apps.
- Controls: HMRC-compliant processes, KYC.
- Reporting: To HMRC.
C. MODERN SLAVERY AND HUMAN TRAFFICKING
- Risks: Supply chains for medical devices, iDatacode hardware (India, Australia).
- Controls: Annual Statement, supplier audits.
- Reporting: Via whistleblowing.
D. DATA PROTECTION AND CROSS-BORDER DATA TRANSFERS
- Risks: Breaches in Spokel.com (listing/contact data), Flowido (business data), Binariver (AI/ERP data), iDatacode (barcode data), iOS apps (user data), medical apps (health data), UK-EU data disclosure conflicts.
- Controls:
  - Compliance with Attachment A (e.g., UK GDPR, CCPA, EU MDR).
  - SCCs/DPAs (Attachment D), DPIAs for sensitive data.
  - Cybersecurity: ISO 27001, penetration testing.
  - Project-Specific:
    - Spokel.com: Consent for listing data sharing with advertisers.
    - Flowido: Secure ERP data storage, role-based access.
    - Binariver: AI output auditing, on-premises data isolation.
    - iDatacode: Barcode data encryption.
    - iOS Apps: Apple App Store privacy compliance.
  - UK-EU Data Disclosure Conflict Procedure:
    - Scenario: UK authorities demand EU customer data (e.g., Spokel.com inquiries, Flowido business data, medical app health data) threatening prosecution, but disclosure conflicts with EU GDPR (Art. 48).
    - Risks: UK prosecution vs. EU GDPR fines (€20M or 4% turnover).
    - Procedure:
      1. Notify DPO immediately.
      2. Verify UK legal basis (e.g., Data Protection Act 2018, S.115).
      3. Consult EU client for consent/exemption.
      4. Engage legal counsel to balance UK vs. EU obligations.
      5. Minimize disclosure (e.g., pseudonymization).
      6. Notify EU DPA of potential breach.
      7. Document decision.
      8. Escalate to Board for high-risk cases.
    - Mitigation: EU data stored in EU-based servers, encrypted, with conflict clauses in DPAs.
- Reporting: Breaches to ICO (UK GDPR), CPPA (CCPA), EU DPAs, or other authorities per Attachment A.
E. FRAUD AND FINANCIAL CRIMES
- Risks: Money laundering via Spokel.com payments, Flowido subscriptions, or iOS app purchases.
- Controls: AML checks, transaction monitoring.
- Reporting: To NCA, FINTRAC, or equivalent.
F. HEALTH AND SAFETY
- Risks: Office/remote workplace incidents.
- Controls: Risk assessments, Health and Safety at Work Act 1974.
- Reporting: To HSE.
G. ENVIRONMENTAL COMPLIANCE
- Risks: E-waste from IT/medical device operations.
- Controls: Environmental Protection Act 1990, recycling.
- Reporting: To Environment Agency.
H. INTELLECTUAL PROPERTY AND AI ETHICS
- Risks: AI bias in Japan (e.g., Spokel.com recommendations, Binariver AI, medical apps), IP theft in Flowido/iDatacode.
- Controls: EU AI Act-aligned guidelines, bias audits, IP agreements.
- Reporting: To Compliance Officer.
I. MEDICAL DEVICE COMPLIANCE
- Risks: Non-compliance with UK Medical Devices Regulations 2002 or EU MDR 2017/745.
- Controls:
  - Certification: UKCA (UK) or CE (EU) marks.
  - Quality Management: ISO 13485.
  - Post-Market Surveillance: Report adverse events per MDR Art. 87.
- Reporting: To MHRA (UK), EU competent authorities.
Attachment A: Customer Jurisdiction Compliance Framework
Purpose: Groups customers by legislation framework, covering data protection, anti-bribery, AML, modern slavery, and medical device regulations, aligned with all Binariver projects.
1. United Kingdom
- Laws: UK GDPR, UK Bribery Act, Criminal Finances Act, Modern Slavery Act, Money Laundering Regulations, UK Medical Devices Regulations 2002.
- Key Provisions: UK GDPR Art. 5 (processing), Art. 33 (breach notification); Medical Devices Reg. S.9 (UKCA marking).
- Alignment: Consent, 72-hour ICO reporting, UKCA certification, KYC, Modern Slavery Statement, project-specific compliance (e.g., Spokel.com listings, Flowido ERP security).
- Authority: ICO, MHRA, HMRC, NCA.
2. European Union
- Laws: EU GDPR, EU AML Directives, EU Whistleblowing Directive, EU MDR 2017/745.
- Key Provisions: GDPR Art. 44-50 (transfers), Art. 48 (no unauthorized transfers); MDR Art. 10 (QMS), Art. 87 (incident reporting).
- Alignment: SCCs, EU representative, CE marking, national whistleblowing compliance, data minimization for all apps.
- Authority: National DPAs, EU MDR competent authorities.
3. United States (California)
- Laws: CCPA/CPRA, CLOUD Act, FTC Act.
- Key Provisions: CCPA S.1798.100 (rights); CLOUD Act S.103 (data access).
- Alignment: Opt-out mechanisms, DPAs for CLOUD Act (encryption, notifications), privacy notices, app-specific opt-outs (e.g., Spokel.com, iOS apps).
- Authority: CPPA, FTC.
4. Canada
- Laws: PIPEDA, AML/ATF Act.
- Key Provisions: PIPEDA Principle 4.7 (security), S.10.1 (breach reporting).
- Alignment: Consent, OPC reporting, AML checks, project-specific consent (e.g., Flowido, iDatacode).
- Authority: OPC, FINTRAC.
5. Argentina
- Laws: PDPL, Anti-Corruption Law.
- Key Provisions: PDPL Art. 12 (transfers).
- Alignment: DPAs, anti-corruption training, app-specific data security.
- Authority: AAIP.
6. Brazil
- Laws: LGPD, Anti-Corruption Law.
- Key Provisions: LGPD Art. 33 (transfers).
- Alignment: SCCs, data rights, anti-corruption due diligence, user consent for all apps.
- Authority: ANPD.
7. Japan
- Laws: APPI, Penal Code (anti-bribery).
- Key Provisions: APPI Art. 24 (transfers).
- Alignment: Consent, bilingual notices, AI bias audits for Spokel.com/Binariver/medical apps, anti-bribery training.
- Authority: PPC.
8. Australia
- Laws: Privacy Act 1988 (APPs), AML/CTF Act 2006.
- Key Provisions: APP 8 (transfers).
- Alignment: BCRs/contracts, APP security, AML checks, data minimization for all apps.
- Authority: OAIC, AUSTRAC.
9. India
- Laws: DPDP Act 2023, IT Act 2000, Prevention of Corruption Act.
- Key Provisions: DPDP S.16 (transfers).
- Alignment: Consent, SCCs, anti-corruption training, app-specific compliance (e.g., iDatacode).
- Authority: DPA (TBD), CBI.
10. Other Countries
- Laws: UK GDPR (baseline), ISO 27001, OECD Anti-Bribery Convention.
- Key Provisions: UK GDPR Art. 44 (transfers).
- Alignment: SCCs/DPAs, risk assessments, consent mechanisms for all apps.
- Authority: ICO (default).
Attachment B: Code of Conduct
Purpose: Defines ethical standards, covering all Binariver projects.
1. Integrity: Avoid bribery, fraud.
2. Data Protection: Comply with Attachment A (e.g., GDPR, CCPA, app-specific data).
3. AI Ethics: Ensure fairness in Spokel.com recommendations, Binariver AI, medical apps.
4. Anti-Bribery: £50 gift limit, registered.
5. Confidentiality: Protect listing data, ERP configurations, barcode data, health data, IP.
6. Medical Device Compliance: Adhere to UKCA/CE standards.
7. App-Specific Compliance: Ensure lawful operation of Spokel.com, Flowido, Binariver, iDatacode, iOS apps.
8. Reporting: Use Attachment C channels.
9. Sanctions: Per Section 5.
Implementation: Signed by employees, shared with third parties (e.g., Spokel.com advertisers, Flowido clients).
Attachment C: Whistleblowing Policy
Purpose: Ensures confidential reporting, per PIDA 1998 and EU Whistleblowing Directive.
1. Scope: Bribery, data breaches, AI bias, MDR violations, app-specific misuse (e.g., Spokel.com listings, Flowido data).
2. Channels: Anonymous via whistleblowing.binariver.co.uk, whistleblowing.spokel.com, or project-specific channels.
3. Process:
- Review within 7 days.
- Investigate within 30 days, with feedback.
- Jurisdiction-specific reporting (e.g., MHRA for MDR, ICO/CPPA for data breaches).
4. Protections: No retaliation, confidentiality.
5. Training: Multilingual, annual.
Attachment D: Sample SCCs/DPAs
Purpose: Ensures lawful cross-border data transfers, covering all projects.
1. SCCs:
- Based on EU GDPR SCCs (2021), UK GDPR-adapted.
- Clauses: Exporter/importer roles, data rights, security, UK-EU conflict protocols, app-specific consent (e.g., Spokel.com listings, Flowido data).
- Used for EU, USA, Argentina, Brazil, India, Australia.
2. DPAs:
- Specifies: Data types (e.g., listing, ERP, barcode, health data), purposes, security, breach notification.
- Includes CLOUD Act safeguards, UK-EU conflict clauses (e.g., GDPR Art. 48).
- Tailored to CCPA, LGPD, APPI, DPDP Act.
Implementation: Signed, DPO-reviewed.
Attachment E: Risk Register (Updated)
| Risk | Jurisdiction | Likelihood | Impact | Mitigation |
|------|--------------|------------|--------|------------|
| Data Breach | UK/EU | Medium | High | Encryption, DPIAs, 72-hour reporting |
| UK-EU Data Disclosure Conflict | UK/EU | Low | High | Conflict procedure (Section D), EU server storage |
| AI Bias | Japan | Low | High | Bias audits, EU AI Act guidelines |
| Bribery | Brazil/India | Medium | Medium | Anti-bribery training, due diligence |
| CLOUD Act Access | USA | Low | High | DPAs, client notifications |
| MDR Non-Compliance | UK/EU | Low | High | UKCA/CE certification, ISO 13485 |
| Listing Data Misuse | All | Medium | Medium | Consent mechanisms, third-party vetting |
| ERP Data Breach | All | Medium | High | Role-based access, encryption |
| Barcode App Vulnerability | All | Low | Medium | Penetration testing, encryption |
Notes and Alignment
- All Projects Included: Updated to cover Spokel.com, Flowido.com, Binariver.com, iDatacode.com, iOS business apps, and medical device apps, with specific risks (e.g., ERP data breaches, barcode vulnerabilities) and controls.
- Spokel.com Privacy Policy Alignment:
  - User Types: Simple Users (browsing/searching) and Professional Users (publishers, ERP clients) match.
  - Data Processing: Purposes (A-E) align with Privacy Policy, with legal bases (consent, contract) and optional nature.
  - Storage Duration: 10-year retention (unless deleted) matches, with CCPA/MDR exceptions.
  - Recipients: Third-party liability (e.g., agencies, ERP vendors) and authority disclosures align.
  - Transfers: SCCs/DPAs and jurisdiction-specific safeguards (Attachment A) reflect Privacy Policy.
  - Rights: Data subject rights align with UK GDPR, CCPA, and other laws.
  - UK-EU Conflict: Procedure (Section D) matches Privacy Policy, with app-specific data (e.g., Flowido, iDatacode).
  - Jurisdictions: Attachment A aligns with Privacy Policy’s Customer Jurisdiction Compliance Framework.
- Date: Updated to 16 May 2025, 12:15 PM BST, with approval on 31.05.2025.
- Attachments: Updated to reflect all projects (e.g., barcode compliance in Code of Conduct, ERP risks in Risk Register).