Summary of Data and Information Security Policies
ALUMinate Inc. (“ALUMinate”, “we”, “us”, “our”) is committed to protecting the privacy of all proprietary and confidential information of its clients and constituents (“Protected Data”). This summary describes our policy (“Policy”) regarding how we collect, use, process and transmit Protected Data.
Protected Data for purposes of our Policy includes all personally identifiable information as that term is defined in applicable data privacy statutes, regulations and guidance, including NIST Special Publication 800-122, the General Data Protection Regulation and the California Consumer Privacy Act, together with any confidential information provided to us by our data vendors, by our clients or by other third parties, or derived from our internal work.
Qualified Data Vendors
We evaluate our data vendors for their ability to deliver relevant data and information, and we inquire and review their privacy policies to ensure that an appropriate level of care and protection is given to any Protected Data we provide to them in the course of our engagements. We provide them with only that information that is necessary for them to meet the requirements of our agreements with them. We require that they execute a confidentiality agreement with us and agree to delete all Protected Data we have transmitted to them at the conclusion of an engagement.
All transfers of Protected Data to and from our data vendors and clients shall use encrypted transfer protocols such as SFTP. Plain FTP sends credentials and file contents in the clear and is not a secure transfer protocol; password protecting a file adds a layer of protection but does not substitute for an encrypted transfer channel.
Data Storage and Use
We store and process Protected Data using third party applications, including Google Cloud Platform, Amazon Web Services, Box and Google Drive. Critical files are backed up in multiple sites. We do not possess or maintain our own servers or storage arrays. Our people are required to retain all Protected Data in these environments, and they are prohibited from downloading Protected Data onto their laptops or personal computing devices, other than to conduct analysis or services pursuant to client engagements. All company devices are protected with commercial grade anti-virus and file encryption software. At the conclusion of any client engagement, we delete all Protected Data and confidential information provided by the client or by a data vendor relating to that client’s constituents, unless the client agrees to allow us to retain the data for use in future engagements. In certain client agreements, ALUMinate is granted the right to retain certain non-individualized, aggregated information derived from client engagements solely for its own use in developing new or improved solutions and services.
Access Control Policy
Client Protected Data and confidential information are accessible only by those ALUMinate employees and contractors who have a “need to know” or validated “need to access.” Password control and multi-factor authentication are employed. All employees have executed a “Computing Devices and Storage Media Affirmation” document that specifies the actions and acknowledgements required of the employee with respect to management of data, devices, passwords and files that are used in performing client services. All employees and contractors also execute a “Nondisclosure and Assignment of Inventions Agreement” in which employees agree to comply with confidentiality and data use restrictions designed to secure all Protected Data and confidential information during their time of service with ALUMinate and for a period after their service has ended.
Requests Under Data Privacy Laws and Regulations
Under various state, federal and foreign statutes and regulations, individuals have the right to request that: (i) we provide them with a statement describing all “personal identifying information (PII)” in our possession, and (ii) we delete their PII and certify to its deletion. Upon receiving a request that meets the requirements of an applicable law, we will use reasonable efforts to comply with the request(s) and inform the client to which the PII relates of our intention to comply with the request.
Data Breach Reporting and Emergency Operations Plan
Our Policy provides procedures to respond to any actual or suspected data breaches or nefarious actions that could impact the privacy of our data and that of our clients. We maintain a cyber-risk policy.
Appointment of Security Officer and Periodic Policy Reviews
We have appointed a security officer to monitor and approve activities conducted under the Policy to ensure compliance, and we conduct periodic reviews of the Policy to evaluate its effectiveness and compliance with all statutes and regulations.