GENERAL DATA PROTECTION REGULATIONS (GDPR)
Statement of Compliance:
Protecting our Customers’ information and their Users’ privacy is extremely important to us. As a cloud-based company entrusted with some of our customers’ most valuable data, we’ve set high standards for security. Our cloud infrastructure utilizes Armor and Rackspace hosted servers and Akamai storage, three industry-leading cloud providers that are heavily certified in privacy and security. Armor (read more at www.armor.com) is our primary host provider and is fully committed to and invested in providing robust privacy and security offerings that include enhanced intrusion detection capabilities, 24 x 7 monitoring and hardened host facilities. With Armor’s help, we are able to protect our Customers’ data, ensure fast disaster recovery, maintain business continuity, offer high availability and, in accordance with GDPR and PCI DSS requirements, provide security incident notifications. This allows CommPartners to meet its obligations and offer contractual assurances.
Protected Data includes: First/Last Name, Remote and Elevate identification numbers, Street Address, an online identifier such as eMail Address, login names/passwords, Credit Card transaction details. Extraneous Sensitive Data, such as the physical, physiological, genetic, religious, political, mental, economic, cultural or social identity of the natural person, is not relevant or required within the ElevateLMS “Software” or anywhere else within the CommPartners infrastructure. CommPartners maintains appropriate technical and organizational measures to comply with industry best practices and all applicable laws, rules, and regulations with respect to its use, handling, security, storage, disclosure (only as permitted by the services provided), and retention of any Protected Data in connection with Software that pertains to or identifies an individual, including name, postal address, and/or e-mail or IP address. Extraneous Sensitive User Data, which may be voluntarily provided by a Customer’s User, is not a requirement of the system and therefore is not the responsibility of CommPartners. In the course of using the Software, Customer and Users may have the opportunity to store information and material provided by Customer and Users. CommPartners Customers contractually agree that they will not use the Software to store Extraneous Sensitive User Data. CommPartners Customers accept any and all liability for claims arising out of or related to Customer storing Extraneous Sensitive User Data. CommPartners complies with all applicable personal data protection and privacy laws and industry standards, including but not limited to the Payment Card Industry – Data Security Standards.
CommPartners does not use Protected Data received or made available or accessible by Customer or any Customer User for any reason not expressly permitted by Customer/User and shall immediately return to Customer any such information in its possession upon request by Customer or termination of the Software.
Where does the Protected Data come from?
In most cases, CommPartners customers/users provide the User’s first/last name and email address via SSO integrations. In some cases, the User provides the information or the User’s activities create the information.
Is this information shared with third parties?
In cases of credit card transactions, first/last names and street address are shared with third-party merchant providers PayFlo Pro and Authorize.net. In some cases, test scores, course registrations and outcomes are shared with the Client’s database. The servers that host the Software that contains the Protected Data are hosted by Armor. No other data is shared with any other third party. How this information is used outside of the Elevate application is outside the scope of this assessment.
CommPartners software services recognize the following GDPR User Rights:
- The right to erasure: You may terminate your User account at any time, in which case we will permanently delete your account and all data associated with it according to the service Terms. In particular, the termination of your account will render the domain inactive; all account data is kept for 60 days after an account cancellation to ensure that a service re-connection will be as smooth as possible.
- The right to restrict processing: Not applicable
- The right to data portability: A Site licensee may export User data at any time through the administration panel of the application. Furthermore, CommPartners will be happy to export your account data to a third party at any time upon your request, which you may send to email@example.com.
- The right to object: If a User objects to the way in which CommPartners processes their personal data, please contact firstname.lastname@example.org and we will review the processes with you and take appropriate action as needed.
- The right not to be subject to automated decision making including profiling: In no instance is the User’s personal data subject to automated decision making including profiling.
SUBJECT ACCESS REQUESTS:
All User data is controlled by the CommPartners Customer/User. In cases where the Customer is unable to complete a User access request within the scope of the GDPR, the Customer may, at no charge, request CommPartners’ assistance. This request must be in writing and must contain the full name of the User(s) and a detailed scope of the request including all data elements. CommPartners will respond to the request within 30 days. In cases of extreme or out of GDPR scope requests, CommPartners may charge for the work required or reduce the scope per the GDPR. CommPartners reserves the right to deny the request. If denied, CommPartners will provide a detailed reason for the denial and the Customer retains the right to appeal to the GDPR supervisory panel and/or seek judicial remedies.
LAWFUL BASIS FOR PROCESSING PERSONAL INFORMATION:
Upon Users’ voluntary consent via the process of creating an account, Users may also opt to process PCI DSS compliant credit card transactions, poll responses, test results, course registrations, and personal content interests within the service. During this voluntary process, a User may temporarily provide access to their credit card information (which is not permanently stored) in order to register for a course or gain access to digital content. After the transaction has been successfully completed, the credit card data is erased from the system. Once a User has acquired access to the content, the User may take a test, respond to a poll, respond to assignments, view videos or other multi-media content or volunteer their personal interest in subject categories. Email notices are sent to the Users on a regular basis reminding or informing them of activities related to them.
A Privacy/Consent Statement feature is provided to all Customers and may be customized to meet each individual Customer’s Privacy Policies. ElevateLMS enables its customers to explicitly ask for and record Users’ consent for using the service. In particular, each administrator may set up a custom page with “Terms of Service” that is to be shown to each end user when he/she first logs in to the system. In addition, upon completing a registration or payment, it is necessary to accept these terms in order to gain access to the content. This is a systemic method for obtaining consent from the Users. A User may choose not to accept the terms of service and will be denied access to the content.
CommPartners services are not intended for children.
CommPartners shall immediately (and in any event, within twenty-four (24) hours after CommPartners becomes aware that any Protected Customer Data has been disclosed or revealed to, or accessed by, any unauthorized person, whether inadvertently or intentionally) provide Customer(s) with notice of any security breach and for any Protected Customer Data in its possession or control and at its own expense, investigate and take all steps to identify, prevent, and mitigate the effects of such security breach. Further, CommPartners shall promptly provide to Customer a detailed description of the incident, the data accessed, the identity of affected individuals, and such other information as Customer may reasonably request concerning the security breach and conduct any recovery necessary to remediate the impact, and bear any cost or loss Customer may incur as a result of such security breach to the extent such data was under CommPartners’ control or in CommPartners’ possession, including the cost of any notification of any affected consumers required of or undertaken by Customer.
In addition, CommPartners shall process any Protected Data in accordance with Customer’s instructions and only to the extent necessary to carry out the purposes of performing the services provided.
DATA PROTECTION BY DESIGN AND IMPACT ANALYSIS:
CommPartners is PCI DSS SAQ D compliant. This ongoing compliance initiative includes an annual impact analysis and assessment. In addition, the systems are scanned quarterly to ensure that the software/hardware solutions are in compliance with the latest security methods and procedures.
DATA PROTECTION OFFICER:
If you have any questions regarding the security of your data, please contact John Volentine at email@example.com.
Main Establishment and Supervisory Authority:
CommPartners, 7230 Lee Deforest Drive, Columbia, MD 21046.