Data Processing Policy
This policy applies to all users who have legitimate need to access sensitive data including but not limited to the processing of data for customers and colleagues.
In the course of providing services, Sphera may receive, store, and manage sensitive data on Sphera systems. Due to contractual, legal, and regulatory obligations, Sphera must maintain strict confidentiality of such data at all times. This policy communicates Sphera’s expectations with respect to the transmittal, storage, processing, retention, protection, and disposal of sensitive data provided to Sphera in the course of doing business. This policy, effective as of October 1, 2019, states the policies of Sphera Solutions, Inc., a Delaware corporation (“Sphera”), regarding Personal Information.
Users – Sphera employees, contractors, partners, candidates, or any third party that does business with Sphera.
Sensitive Data – Any data that is classified as Restricted or as Client data.
The use of Sensitive data should always be treated with the utmost care and is governed according to Sphera’s Data Classification policy. As the safeguarding of Sensitive Data is critical to Sphera’s business, all questions regarding proper care of Sensitive Data should be directed to Sphera’s Data Protection Officer at firstname.lastname@example.org.
3 Sensitive Data
3.1 Data Protection
Sphera will comply with data protection law and principles outlined in the General Data Protection Regulation(“GDPR”), which means that Sensitive Data will be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes and not used in any way that is incompatible with those purposes.
- Accurate and kept up to date.
- Maintained only for as long as necessary.
- Kept securely and protected against unauthorized or unlawful processing and against loss or destruction using appropriate technical and organizational measures.
Sphera follows best practices and has processes in place that follow GDPR guidelines. All Sensitive Data held within the company is under the control of Sphera’s Data Classification Policy which covers the handling of any internal or Sensitive Data within the organization.
3.2 Data Transmittal
When transmitting Sensitive Data in Sphera systems, the following requirements are adhered to in order to maintain data confidentiality:
- Process Sensitive Data only for the purposes specifically authorized strictly in accordance with the Services provided and in compliance with Applicable Data Protection Laws
- Prior to transmittal to Sphera, Sensitive Data should be scrubbed, to eliminate transmittal of data not pertinent to the original purpose.
- Sensitive Data containing Personably Identifiable Information (PII) Data or Payment Card Industry (PCI) Data should only be transmitted to Sphera when it is determined the use of such data is critical to accomplishing a specific task.
- Sensitive Data must be encrypted at all times using NIST approved encryption algorithms and key lengths.
- When using symmetric encryption, key exchange must be done in a secure fashion, using a communication channel separate from the channel used for data exchange.
- Electronic data transmittal must use a secure file transfer protocol (e.g. SFTP).
- Data transmittal using physical media must be done via secure courier and the data must be encrypted with NIST approved encryption algorithms.
- Sensitive Data contained on physical media should be destroyed following Sphera’s Data Destruction policy.
- Cooperate in any investigation by a governmental or regulatory authority or any internal investigation regarding the processing of sensitive data.
3.3 Data Storage
While engaged in projects that require storage of Sensitive Data on Sphera systems, data storage should adhere to the following requirements:
- Installation of Sensitive Data on systems not owned by Sphera must be approved by Sphera’s Chief Information Security Officer.
- If not done prior to transmittal, Sensitive Data should be scrubbed immediately upon storage, to eliminate storage of data not related to the orignally purpose of processing.
- Sensitive Data must be stored in a manner that ensures it is sufficiently segregated from other data, to ensure proper access controls.
- Hard disks containing Sensitive Data must use disk level encryption consistent with current industry best practices.
- All systems housing Sensitive Data must have active Anti-Virus Protection and must adhere to Sphera’s Vulnerability Management policy.
- Sphera Colleagues must not store Sensitive Data on their company desktop or mobile device.
3.4 Data Privacy
Sphera ensures it only uses third parties other personnel who:
- Are bound to observe data and telecommunications secrecy under Applicable Data Protection Laws,
- Have received appropriate training on their responsibilities,
- Are required to keep Sensitive Data strictly confidential and subject to confidentiality obligations that survive the termination of the Representative’s and other personnel’s engagement. Sphera shall not permit any person to process Sensitive Data who is not under such a duty of confidentiality.
- Sphera shall not disclose any Sensitive Data to any third-party without prior written consent.
- Sphera shall not engage or permit any third-party or subcontractor to access or process Sensitive Data without prior notice, except that Sphera may use the specified Sphera Representatives and Sub processors to provide and support Sphera in accordance with the provisions in this policy.
3.5 Data Access
To ensure confidentiality of Sensitive Data processed by Sphera, access to Sensitive Data must be strictly enforced at all times.
- Access to Sensitive Data must only be granted to Sphera Colleagues who have a legitimate purpose for such data access.
- Access to Sensitive Data is to be granted such that only the minimum access rights required to accomplish an assigned task or role is met.
- Sphera Colleagues accessing Sensitive Data must use unique credentials and adhere to Sphera’s Password policy.
- Sphera Colleagues should not leave their computers unattended while having an open connection to a system containing Sensitive data.
- Sphera Colleagues must terminate connections to systems housing Sensitive Data immediately upon completion of work.
- All access to PII Data and PCI Data must be logged.
3.6 Data Retention and Destruction
Sphera recognizes that the efficient management of its data and records is necessary to support its core business functions, to comply with its legal, statutory and regulatory obligations, to ensure the protection of personal information and to enable the effective management of the organisation.
This policy and related documents meet the standards and expectations set out by contractual and legal requirements and has been developed to meet the best practices of business records management, with the aim of ensuring a structured approach to document control.
Effective and adequate records and data management is necessary to:
- Ensure that the business conducts itself in a structured, efficient and accountable manner
- Ensure that the business realises best value through improvements in the quality and flow of information and greater coordination of records and storage systems
- Support core business functions and provide evidence of conduct and the appropriate maintenance of systems, tools, resources and processes
- Meet legislative, statutory and regulatory requirements
- Deliver services to, and protect the interests of, users in a consistent and equitable manner
- Assist in document policy formation and managerial decision making
- Provide continuity in the event of a disaster or security breach
- Protection personal information and data subject rights
- Avoid inaccurate or misleading data and minimise risks to personal information
- Erase data in accordance with the legislative and regulatory requirements
Information held for longer than is necessary carries additional risk and cost and can breach data protection rules and principles. The Company only ever retains records and information for legitimate or legal business reasons and always comply fully with the data protection laws, guidance and best practice.
It is important that Sensitive Data is disposed of properly upon completion of the defined project for which the data was processed.
- All copies of Sensitive Data must be securely deleted.
- All Sensitive Data stored on removable media must be deleted following Sphera’s Data Destruction policy.
3.7 What kinds of information does Sphera process?
We process a different kind of information depending on how you are engaging with us. These data include Personal Information, Usage Information, and User Generated Information.
- Personal Information is any data that identifies or describes you or another individual. Personal Information often relates to an individual’s person, communications, movements and surroundings, and behaviors online and in the real world. This information need not directly connect to a known or identifiable individual. Data associated with proxies for individuals like a device serial number or an account number can also be Personal Information when it describes or otherwise relates to the person, communications, movements and surroundings, and behaviors of the person or people who use the device, account, or other proxy. Some examples of Personal Information we may process include your name and contact information, your government ID numbers, your payment card or bank information, photos of you, and so on. We obtain Personal Information by collecting it directly from you, such as through online forms on our websites or through our product registration and User service systems; through reports created using our products and services; through automated methods integrated into our products, services, and websites; and from third parties we have contracted with.
- Usage Information is data generated by your use of a Sphera product, service, or website. When you visit a Sphera website, your browsing generates information like logs that include information about what pages you visited, what content you interacted with, and when you visit pages and interact with elements on them. Sphera products and services and their associated software like web portals, mobile applications, and other tools may also generate information when you use them. We may collect this information and use it as described in this policy. This information can include data about how often you use our products, performance related information like crashes and memory consumption, information about how you interact with our user interfaces, and other information related to the way our products and services are performing.
- Our websites, products, and services, as well as the tools, applications, and software associated with them, may let you create your own content and upload it to your Sphera products or incorporate it into work product generated by your use of Sphera services. This User Generated Information varies depending on what products, services, or websites you are interacting with but examples include messages you send to us via our websites; search queries; photos, videos, and sound recordings you create with our mobile applications; and reports, charts, and other documents you create using our products; and the work product produced by engaging Sphera services. User Generated Information may also include Personal Information, for example when a user of one of our products submits a report relating to an incident you and others may have been involved in.
3.8 What do we do with information we process?
When we process information, we do so in order to fulfill our legitimate business purposes. These include:
- Delivering requested functionality. Many features of our products, services, and websites process information in response to your requests. For example, when you create an account, we collect Personal Information like your email address, password, and profile information so you can log into our websites and use our products and services. If you use our websites to communicate with us, we collect Personal Information and User Generated information like your name, contact information, and message content and make it available to the people who will be responding to you. When you browse our websites or use our tools, applications, and other software we collect User Generated Information you make available to us in order to incorporate it into reports and other documents you wish to create (which are themselves User Generated Information). If you use LinkedIn’s EasyApply to apply to a job opening, we’ll receive a link to your profile. This is used by our HR and Recruiting team to help us efficiently assess your skills and qualifications for the role you’ve applied for.
- Protecting our rights. When we license software products to you, we reserve the right to collect Personal Information like your account credentials and information about the computers and mobile devices you use to access licensed products and Usage Information like the number of unique users logging into our software in order to monitor compliance with the terms of our license agreements with our users.
- Supporting our users. We collect Usage Information like errors that occur when you use our products, services, and websites and logs that describe when and how you interact with our user interfaces so we can better diagnose and resolve technical problems you may experience.
- Improving our products, services, and websites. We may use Personal Information we have collected to ask you to participate in surveys, focus groups, and other forums where we will solicit feedback about your user experience. We may also collect and use anonymous Usage Information about errors and interactions with our user interfaces and excerpts from User Generated Information like support and service requests. We use this information to identify, prioritize, and develop patches, enhancements, and other improvements to our products, services, and websites as well as to create new products and services responsive to our users’ needs.
- Promoting our products, and services. We use Personal Information we collect from our websites, events we sponsor online and in person, from downloads of publications we make available ourselves or through partners to identify potential users for our products and services and to contact them to initiate sales efforts. We also use Personal Information we have collected from existing users along with Usage Information about how their users interact with our products and services and User Generated Information like issues you have raised with our support teams to identify other Sphera products and services our users might be interested in and to reach out to them to discuss new business. We may supplement Personal Information we have collected with information we get from third parties in order to improve our data about potential leads.
3.9 How do we secure information we process?
When we collect and store information on our systems as described in this policy, we apply reasonable and appropriate administrative, physical, and technical safeguards to detect and prevent unauthorized access, disclosure, use, and loss of Personal and User Generated Information. These safeguards include monitoring and auditing of our IT infrastructure, encryption of files in transit and at rest, strong password policies, limiting access to User Generated and Personal Information to personnel with a legitimate business purpose, and where applicable, data protection training for our personnel. When our users choose to host our products within their own networks, Personal and User Generated Information are wholly User controlled and subject to their individual security practices.
In the event that we discover or reasonably suspect that there has been unauthorized access, disclosure, use, loss, or other processing of your Personal or User Generated Information (a “security incident”) we will notify you by email address we have on file within a reasonable period of time.
No safeguards are 100 percent effective. While our safeguards offer a reasonable and appropriate level of protection to information that we process, we do not warrant or guarantee that data we process will never be affected by a security incident.
Cookies, web beacons, and similar local objects are small files that record or collect information. Our websites place them on your computer when you visit them. Our service providers collect information that these local objects place on your computer and use that information as described by this policy. We also use local objects to record personalized preferences like saving your login information for the next time you visit our site or to set language preferences. You can learn more about the way we use local objects by reviewing our Cookies Policy.
3.11 What do we do with children’s Personal Information?
Our products, services, and websites are not intended for use by children. We never intentionally collect information from children. If we discover that we have collected a child’s Personal Information intentionally we will delete it.
3.12 Who do we share information with?
We will make information we have collected available to third parties under the following circumstances:
- Where required by law. We will make information available to government agencies who serve us with valid legal process. If this information includes Personal Information or your proprietary User Generated Information, we will notify you of governmental requests for information where permitted to do so by law.
- Where we have relationships with service providers. We may partner with third parties in the ordinary course of our business to perform services or provide product functionality on our behalf. Examples include recruitment software providers; payment processors; hosting providers; marketing and market research providers; resellers of our products and services; data brokers who help us supplement our records with publicly available information; and call center and other service providers supporting our User service personnel. Our contracts with service providers require them to implement reasonable and appropriate safeguards for information we share with them and limit their rights to use that information to purposes consistent with this policy.
- In order to protect our rights or the rights of third parties. We may share information with legal counsel, auditors, and related service providers in the course of evaluating or pursuing potential claims involving enforcement of our or third parties’ contractual and other legal rights. We will take steps to ensure that we disclose only the information necessary for this purpose and impose confidentiality obligations and use restrictions consistent with this policy where appropriate.
- With Sphera affiliates around the world. We have personnel and operations in countries around the world who work together to deliver products and services and process information as described in this policy. These affiliates may be located in countries other than the one where you reside, including the United States. Laws governing processing of information, including Personal Information, vary from country to country and may differ from the laws applicable in your home country. All Sphera affiliates and personnel comply with the terms of this policy when processing information. Your use of our products, services, and websites constitutes your permission for us to share information with our affiliates without restriction.
3.13 Special Category Data
Owing to the products, services or treatments that we offer, Sphera sometimes needs to process sensitive personal information (known as special category data) as carrying out the performance of a contract on behalf of the controller. Where such information is processed, we will only do to on behalf of the controller only for the specified purpose.
3.14 What are my rights under this policy?
You have the right to access, modify, and object to the processing of Personal Information we have collected from you. Your Personal Information is available by logging into your account. You can update your information whenever you like. You also have the right to restrict any information we process and can make other changes or delete your account and the Personal Information associated with it by contacting us via the Sphera Customer Network.
You have the right to export Personal Information and Customer Generated Information we process for you as a Customer. Your customer care representative can assist you with these requests.
You have the right to opt into and out of receiving marketing communications from us. When we collect Personal Information, we will give you the opportunity to decide whether or not you want to receive marketing communications from us. No matter what you decide, you will have the opportunity to change your mind later. Your decisions with respect to marketing communications will not affect your ability to receive communications that are based on existing business relationships like customer satisfaction outreach, acknowledgement of transactions, customer service follow-up, and so on.
You have the right to lodge a compliant with the supervising authority where applicable.
You have the right to withdrawal your consent at any time.
You have a right to be notified of changes to this policy. If we make material changes that affect the rights and/or responsibilities described in this policy, we will publish notice of changes to our websites. Sphera users will also receive notices via the Sphera Customer Network. If you continue to use our products, services, or websites we will consider that acceptance of the changes.
3.15 Data Subject Request
Upon request, and to the extent such information is available to Sphera, Sphera shall provide reasonable cooperation and assistance reasonably requested to fulfill obligations under the GDPR to perform data protection impact assessment(s) related to the use of services.
3.16 Client Responsibilities
Client shall, as a condition precedent to Sphera Processing any Sensitive data,
- Inform all Data Subjects concerned of the Processing of their Personal Data pursuant to the Agreement(s) and, where required by Applicable Data Protection Laws, such Data Subjects have given their unambiguous consent to such processing in accordance with Applicable Data Protection Laws.
- Grant Sphera Representatives and Sub processors the right to process Sensitive Data in accordance with the services being carried out.
4 User Data
Sphera is committed to protecting and respecting it’s Users privacy. This section (along with any other documents mentioned) lays out how sensitive data is collected, the various ways in which it is provided, and how Sensitive Data flows throughout Sphera. Please read the following section carefully.
4.1 The Categories of Data Sphera Collects
Sphera will collect, use, and store the following categories of personal data that is necessary for employment at Sphera Solutions:
- Any information on the submitted resume
- Data provided to Sphera from the online job portal
- Onboarding documents
- Personal information e.g. First/Last name
- Contact details e.g. Telephone number
- Address information
- Current office and Job information e.g. Current Job Title
- Emergency contacts
- Tax forms and relevant supporting documents
4.2 How does Sphera collect Personal Data?
Sphera collects personal data about users from the following sources:
- Directly from the user
- From publicly accessible sources, such as LinkedIn, etc., where Sphera collects a user’s full name, email, work history, and other data included in the social media profile
4.3 How does Sphera use Personal Data?
Sphera will use the personal data to:
- Assess if the user’s skills will be able to fulfill the role that they applied to.
- Carry out background and reference checks where applicable.
- Communicate relevant recruitment process details via email or phone.
- Validate employment eligibility.
- Enroll in employment benefits and payroll.
- Used for future job opportunities.
It is in Sphera’s legitimate interests to decide whether to hire a user as it would be beneficial to select a suitable colleague to fill that role.
4.4 Special Category Data
Owing to the products, services or treatments that we offer, Sphera sometimes needs to process sensitive personal information (known as special category data) about you in order for you to become an employee at Sphera. Where we collect such information, we will only request and process the minimum necessary for the specified purpose and identify a compliant legal basis for doing so
4.5 How do I contact you with questions or requests relating to this policy?
If you are a registered Sphera User, the best way to contact us is to via the Sphera Customer Network. Our Customer service team will open a case number and get your question or request to the right personnel who can assist you. They will also track progress of your case to ensure that it gets resolved. If you don’t have an account on the Sphera Customer Network, you can use the “Contact Us” form on the home page.
Additionally, you may reach us at our privacy offices via email at: email@example.com.