DATA SECURITY
Company is in compliance with all applicable legal, statutory, and regulatory information security requirements including the General Data Protection Regulation (GDPR), Standard Contractual Clauses, and the California Consumer Privacy Act (CCPA). Company has implemented and will maintain appropriate administrative, technical and organizational measures to protect personal information. Company’s security program protects personal information against misuse and accidental loss or destruction in accordance with its written security policy.
Specifically, Company will:
- Handle Client personal information in compliance with applicable laws and regulations.
- Process Client personal information only as needed to provide Services. Access to Client personal information is limited to individuals with a need to know.
- Implement and maintain safeguards that ensure the security, confidentiality, reliability, and integrity of Client personal information, including:
  - Physical Access Control—no unauthorized access, security badges, alarm system;
  - Logical Access Control—strong passwords, need-to-know only access, multi-factor authentication;
  - Data Transfer Control—enforced transport layer encryption, Virtual Private Network; and
  - Availability Control—backups, virus protection, firewall.
- Promptly notify Client regarding any security incident involving the misuse or accidental or unlawful destruction or disclosure of Client’s personal information unless otherwise instructed by law enforcement or regulatory authority. Company will conduct a thorough investigation and take measures to remediate and prevent future incidents.
- Regularly audit its business processes and security measures, including vulnerability and penetration testing as well as prompt application of security updates.
- Ensure sub-processors are capable of providing the necessary level of protection of any Client personal information they may handle. The following third party sub-processors are used by Company and are considered approved by Client: Box, Inc., Salesforce.com, Marketo, Thought Industries, Inc., and NetSuite, Inc.
- Process any international transfer of Client personal information in compliance with the Standard Contractual Clauses set out by the European Commission.
- Comply with Company security program and policy that meets or exceeds requirements imposed by applicable law and aligns with established industry standards.
- Provide the following information regarding the type of personal information and the purpose for which it is used:
  - Nature and Purpose: Company provides training, consulting and facilitation services. Personal information is collected and used to deliver services as agreed upon by the Client and Company.
  - Categories of Data Subjects: employees of Client who are participants in training.
  - Categories of Data: identification information (such as name, employer); contact information (such as telephone number, email address); job-related information (such as title, office location); IP address or online identifier.
  - Special Categories of Data: none.
  - Processing Operations: personal information will be processed in accordance with the services agreed upon by the Client and Company.
- Follow an industry-standard SDLC (Software Development Life Cycle), which includes OWASP best practices.
- Have independent firms conduct penetration testing to identify and mitigate vulnerabilities.
- Upon termination of the agreement, return or destroy any personal information of Client as directed by Client.
A PDF version of this is available. For further security questions, please reference our security FAQ.