1. Introduction
AssessTEAM is committed to protecting the privacy and security of personal information. This policy outlines how we collect, use, store, disclose, and protect personal data in accordance with applicable data protection laws, including the California Consumer Privacy Act (CCPA), other relevant state laws, and, where applicable, the General Data Protection Regulation (GDPR) of the European Union. It also acknowledges various sectoral laws at the federal level. As AssessTEAM operates primarily on the Microsoft Azure platform, Azure’s data security policies also apply to our data handling practices. These policies can be reviewed at: https://www.microsoft.com/en-us/TrustCenter/Security/default.aspx
2. Data Collection and Use
AssessTEAM collects and processes personal data for the following legitimate business purposes:
- Providing our performance management and evaluation services to customers.
- Managing customer accounts and subscriptions.
- Communicating with customers about our services, updates, and important notices.
- Improving our platform, services, and user experience through data analysis.
- Complying with legal and regulatory obligations.
We collect only the minimum necessary data required for these purposes and use it only for the stated purpose (purpose limitation). We obtain consent from individuals before collecting and processing their data, except where otherwise permitted by law.
3. Data Security
AssessTEAM implements appropriate technical and organizational measures to safeguard personal data from unauthorized access, use, disclosure, alteration, or destruction. These measures include:
- Data Encryption: All data is encrypted in transit using TLS with 256-bit symmetric cipher suites. Sensitive data, including certain fields within assessment information, job goals, project details, and timesheets, is also encrypted at rest.
- Access Control: Access to personal data is strictly limited to authorized personnel who require it for their legitimate job functions. Strong passwords and two-factor authentication are enforced for all users.
- Secure Infrastructure: Our platform is hosted on Microsoft Azure, which provides robust physical and digital security controls and holds numerous compliance certifications.
- Regular Security Audits: We conduct regular vulnerability scans and penetration testing to identify and address potential security weaknesses. We also perform periodic security audits to ensure ongoing compliance with industry best practices.
- Firewall: All access to and from the cloud is protected by application-level firewalls to ensure network security.
- Data Breach Response Plan: AssessTEAM maintains a comprehensive data breach response plan, which outlines the steps to be taken in the event of a security incident. This plan includes procedures for incident detection, containment, investigation, notification, and recovery (see Section 8 for details).
- Employee Training: All employees receive mandatory, comprehensive data protection and security awareness training upon hiring and annually thereafter.
4. Data Subject Rights
AssessTEAM respects the rights of data subjects under applicable data protection laws. These rights may include:
- Right to Access: Individuals have the right to request access to the personal data we hold about them.
- Right to Rectification: Individuals can request that we correct any inaccurate or incomplete personal data.
- Right to Erasure (“Right to be Forgotten”): Individuals can request that we delete their personal data under certain circumstances.
- Right to Restrict Processing: Individuals can request that we restrict the processing of their personal data under certain circumstances.
- Right to Data Portability: Individuals can request to receive their personal data in a structured, commonly used, and machine-readable format.
- Right to Object: Individuals can object to the processing of their personal data under certain circumstances.
- Right to Non-Discrimination: Individuals will not be discriminated against for exercising their rights.
Data subjects can exercise these rights by contacting us at [email protected]. We will respond to such requests within the timeframes required by law.
5. Data Retention
AssessTEAM retains personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable laws or regulations. Our data retention periods are determined based on the following criteria:
- Account Information: Retained for the duration of the customer relationship and for 7 years after the account is closed for legal and accounting purposes.
- Assessment Information, Job Goals, Project Details: Retained for the duration of the customer relationship and for 3 years after its archival or deletion for potential dispute resolution, unless a longer period is required by specific contractual agreements.
- Timesheets: Retained for the duration of the customer relationship and 7 years after the project completion for compliance with labor and tax regulations.
- Communication Data: Retained for 2 years after the last communication for customer service and quality assurance purposes.
- Marketing Data: Retained until the individual opts out of marketing communications or for 2 years of inactivity.
- Website Usage Data: Anonymized or aggregated data is retained for analytical purposes indefinitely. Raw data is retained for 1 year.
After the applicable retention period, data is securely deleted or anonymized.
6. Third-Party Data Processors
AssessTEAM may engage reputable third-party service providers to assist in providing our services. These providers may process personal data on our behalf and are contractually obligated to comply with applicable data protection laws and to implement appropriate security measures. We conduct due diligence on all third-party processors before engaging their services.
Examples of third-party processors we may use include:
- Cloud Service Providers: Microsoft Azure (for hosting and data storage).
- Payment Processors: Stripe, PayPal (for processing payments).
- Email Service Providers: AWS SES (for sending transactional and marketing emails).
- Analytics Providers: Google Analytics (for website and platform analytics).
7. International Data Transfers
AssessTEAM primarily stores and processes data within the United States. Where personal data originating from Canada or the European Economic Area (EEA) is transferred to or processed in a country outside Canada or the EEA, including the United States, we will ensure that appropriate safeguards are in place to protect the data, such as:
- Adequacy Decisions: Transferring data only to countries deemed to provide an adequate level of data protection by the European Commission or the Canadian government.
- Standard Contractual Clauses: Implementing approved standard contractual clauses in our agreements with third-party processors.
- Binding Corporate Rules: Relying on approved binding corporate rules for intra-group transfers.
8. Data Breach Response Plan
In the event of a data breach involving personal data, AssessTEAM will take the following steps:
- Containment: Immediately take steps to contain the breach and prevent further unauthorized access.
- Investigation: Conduct a thorough investigation to determine the nature and scope of the breach, the types of data affected, and the individuals impacted.
- Notification: Notify relevant regulatory authorities (e.g., the Office of the Privacy Commissioner of Canada and Data Protection Authorities in the EU) and, where required, affected individuals without undue delay and within the timeframes specified by applicable laws. Under the GDPR, this means notifying the competent supervisory authority within 72 hours of becoming aware of the breach where feasible, and notifying affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms; under PIPEDA, notification follows the timeframes that Act requires. Notifications will include information about the nature of the breach, the data affected, the likely consequences, the measures taken to mitigate the breach, and contact details for further information.
- Remediation: Implement appropriate measures to address the cause of the breach and prevent future occurrences.
- Cooperation: Cooperate fully with regulatory authorities and law enforcement agencies as required.
9. Policy Review and Updates
This Data Protection Policy will be reviewed and updated at least annually, or more frequently as needed to reflect changes in our business practices, technology, or legal requirements.
10. Contact Information
If you have any questions or concerns about this Data Protection Policy or our data handling practices, please contact our Data Protection Officer:
Narayan Kosi [[email protected]]
11. U.S. Data Privacy Laws
AssessTEAM is committed to complying with applicable U.S. data privacy laws at both the federal and state levels. While the U.S. does not have a single, comprehensive federal data protection law like the GDPR, several federal laws address specific sectors or types of information:
- Electronic Communications Privacy Act (ECPA): Protects electronic communications from unauthorized interception and access.
- Computer Fraud and Abuse Act (CFAA): Prohibits unauthorized access to computer systems.
- Children’s Online Privacy Protection Act (COPPA): Regulates the collection and use of personal information from children under 13.
- Health Insurance Portability and Accountability Act (HIPAA): Protects the privacy and security of health information (not directly applicable to AssessTEAM unless handling protected health information).
- Gramm-Leach-Bliley Act (GLBA): Regulates the handling of nonpublic personal information by financial institutions (may be applicable if handling certain financial data).
State Laws:
- California Consumer Privacy Act (CCPA): Grants California residents specific rights regarding their personal information, including the right to know what data is collected, the right to delete data, and the right to opt out of the sale of their data. AssessTEAM will comply with CCPA requirements for California residents.
- Other State Laws: Many other states have enacted or are considering data privacy laws (e.g., Virginia, Colorado, Nevada). AssessTEAM will monitor and comply with these laws as they come into effect.
12. Responsibilities
- Board of Directors: Ultimately responsible for ensuring AssessTEAM meets its legal obligations regarding data protection.
- Data Protection Officer (Narayan Kosi):
- Keeps the board updated about data protection responsibilities, risks, and issues.
- Reviews and updates data protection procedures and policies.
- Provides data protection training and guidance to staff.
- Handles data protection inquiries from staff and customers.
- Manages subject access requests.
- Approves contracts with third parties handling sensitive data.
- Oversees compliance with data protection laws.
- IT Team:
- Ensures all systems, services, and equipment used for storing data meet acceptable security standards.
- Conducts regular security checks, scans, and penetration testing.
- Evaluates third-party services for data security and compliance.
- Manages data extraction and deletion requests.
- Implements and maintains security measures (encryption, access controls, firewalls).
- Executive Board of Directors:
- Approves data protection statements in communications.
- Addresses data protection queries from journalists or media outlets.
- Ensures marketing initiatives comply with data protection principles.
- All Staff:
- Complete mandatory data protection training.
- Adhere to this policy and related procedures.
- Report any suspected data breaches or security incidents immediately to the Data Protection Officer.
- Use strong, unique passwords and enable two-factor authentication.
- Do not share personal data informally or with unauthorized individuals.
- Seek guidance from their line manager or the Data Protection Officer when unsure about any data protection matter.
13. General Staff Guidelines
- Access: Only access data that is necessary for your work.
- Sharing: Do not share data informally. Use approved methods and ensure the recipient is authorized.
- Training: Complete all required data protection training.
- Security: Use strong passwords, do not share them, and enable two-factor authentication.
- Disclosure: Do not disclose personal data to unauthorized individuals.
- Assistance: Seek help from your manager or the Data Protection Officer if you are unsure about any aspect of data protection.
14. Data Protection Principles
AssessTEAM adheres to the following data protection principles:
- Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and transparently, informing individuals about how their data will be used.
- Purpose Limitation: We collect and process personal data only for specified, explicit, and legitimate purposes.
- Data Minimization: We collect only the minimum amount of personal data necessary for the intended purpose.
- Accuracy: We take reasonable steps to ensure that personal data is accurate and kept up to date.
- Storage Limitation: We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law.
- Integrity and Confidentiality: We implement appropriate technical and organizational measures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction.
15. Data Storage and Security Practices
- Paper Records: Stored securely in locked drawers or filing cabinets when not required. Shredded and disposed of securely when no longer needed.
- Electronic Records:
- Protected by strong passwords and two-factor authentication.
- Stored only on approved cloud services (Microsoft Azure).
- Not stored directly on laptops or mobile devices.
- Separation of customer data is enforced through dedicated domains (e.g., customername.www.www.assessteam.com).
- Regular backups are performed and tested.
- Data Use:
- Computer screens are locked when unattended.
- Data is not shared informally.
- Data is encrypted before electronic transfer.
- Data is not transferred outside the approved cloud platform.
- Centralized access and updates are enforced.
- Data Accuracy:
- Data is updated as inaccuracies are discovered.
- Customers are provided with easy means to update their information.
16. Subject Access Requests
Individuals can submit subject access requests (SARs) to [email protected]. We will verify the requester’s identity before processing any SAR. We will respond to SARs within the timeframe required by applicable law (e.g., one month under GDPR, and in accordance with PIPEDA’s requirements).
17. Disclosing Data for Other Reasons
AssessTEAM may disclose personal data to law enforcement agencies without the consent of the data subject when required by law. In such cases, the Data Protection Officer will verify the legitimacy of the request and seek legal advice if necessary.
18. Amendments to this Policy
AssessTEAM reserves the right to amend this Data Protection Policy at any time. The most current version will always be posted on our website.