KEIRUS Data Policy

KEIRUS Platform Client Data Policy


Last modified: 12/20/2022


Introduction

KEIRUS Global LLC (KEIRUS or "We" or “Us”) respects its Users and their data and is committed to protecting them through our compliance with this policy. This policy describes the types of information we may collect from you as our Client, the Employer, or that employees may provide when those employees visit the KEIRUS Platform at learn.KEIRUSglobal.com (our "Platform") and our practices for collecting, using, maintaining, protecting, and disclosing that information. KEIRUS strives to adhere to current best business practices with respect to privacy and data collection. Please read this policy carefully to understand our policies and practices regarding user information and how we will treat it.

What We Collect and How We Collect It

We collect several types of information from and about users of our Platform (“Client Data”), including information: (i) By which Users may be personally identified, such as name, email address, telephone number, topics of interest and any other identifier by which users may be contacted online or offline ("personal information"); and (ii) personal data may be any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. Personal data is basically any information about a user that allows the user to be identified and covers name and basic contact information but may also include the less obvious such as identification numbers, location data and other online identifiers (e.g. social media account handles or usernames); and (iii) information and data from and about the Employer.

We collect this Client Data: (i) Directly from the Employer when provided to KEIRUS; (ii) Automatically as employees navigate through the Platform. Information collected automatically may include usage details, IP addresses, learning content accessed; and (iii) From Employee activity on the Platform, such as training completion, training evaluations, community engagement, resource library engagement and assessment results.

Client Data Provided to Us 

The Client Data we collect on or through our Platform may include: (i) Information that users provide by filling in forms on our Platform. This includes information provided at the time of accessing a subscription to use our Platform or posting material; (ii) Records and copies of users’ correspondence (including email addresses), if users contact KEIRUS; and (iii) Details, including records and copies, of communications and interactions employees have on our Platform.

How We Use Client Data

We use Client Data that we collect about users or that Employer provides to KEIRUS, including any personal information or personal data to provide, analyze, administer, enhance and personalize our services, to process assessments, and to communicate with users.

How Long Will KEIRUS Keep Client Data

Client Data will be kept: (i) For the duration of the Employer’s KEIRUS subscription; and (ii) Once the Employer’s KEIRUS subscription ends or is cancelled, all identifying information of Employer and employee users will be scrubbed from the Client Data, creating “anonymized data”. KEIRUS will store, use, and analyze the anonymized data indefinitely for continuous improvement and identification of trends that support product improvements.

Disclosure of Information

We may disclose aggregated information about our users, and anonymized data, without restriction. We share raw data back with the client and develop summary reports to determine learning progress. Additionally, KEIRUS may use data from the platform for public presentations, research and/or white papers. Identifying company and user information will always be removed.

Data Security

KEIRUS has implemented measures designed to secure Client Data from accidental loss and from unauthorized access, use, alteration, and disclosure. All information you, the Employer, provide to us is stored on our secure servers behind firewalls. KEIRUS shall perform its obligations under this policy in accordance with industry best practices which protect Employer information and data, including through the implementation of the technical and organizational measures described below. KEIRUS shall train its employees and relevant third parties (such as contractors) on these policies and on related information security aspects; and require its employees, and relevant third parties, to follow these policies. KEIRUS has issued, and shall implement and maintain, internal policies that (i) require its employees to keep Client Data confidential and to comply with KEIRUS’s technical and organizational measures established to protect Client Data; (ii) govern, at a minimum, use of computers, portable devices, e-mail, and internet; (iii) instruct on procedures to follow that protect company information and Personal Data; and (iv) specifically instruct its employees and contractors not to share or disclose passwords.


MANAGING ASSETS

If KEIRUS is to decommission, or dispose of, any computer, portable device, mobile device or other equipment (“Asset”) containing Client Data, KEIRUS shall ensure either (i) that the Asset is irretrievably destroyed or (ii) that the Client Data or relevant information held on the Asset is deleted and rendered irrecoverable prior to decommissioning, or disposing of, the Asset.

 

DATA PRIVACY

KEIRUS shall maintain and enforce procedures relating to the transmission and protection of information and Client Data, including: (1) maintaining guidelines for retention and disposal of business correspondence and other records; (2) maintaining policies regulating the downloading, use and retention of third party software and data; (3) ensuring the information security of Client Data that is electronically transmitted between systems (whether at KEIRUS’s or other parties’ facilities); (4) managing removable and portable media in accordance with Good Security Practice, including as appropriate: (i) ensuring their secure transport, erasure and disposal; and (ii) storing back-up media in a remote location, at a sufficient distance to escape any damage from a disaster at the main site; (5) protecting Client Data in transit and at rest using Good Security Practices such as encryption and access controls; (6) restricting access to Client Data to those personnel who need access for the purposes of providing the services, and ensuring that such personnel process such Client Data only to the extent necessary for the purposes of providing the services; (7) returning all Client Data to the Client where KEIRUS no longer requires access to, or use of, such Client Data for the purposes of providing the services;


REPORTS

KEIRUS shall take appropriate measures to ensure that (i) it complies with this Information Security schedule; and (ii) the measures it takes in compliance with this Client Data Policy are effective to achieve Good Security Practice. To the extent that KEIRUS’s activities in connection with this Policy involve a web-based solution (the “Platform”) (iii) KEIRUS shall perform security assessments (including performing tests) of such Platform no less frequently than annually and discuss the results with the Client upon request. (iv) KEIRUS shall provide the Client (or such other period as the Client may agree) with quarterly comprehensive reports regarding (v) the access permissions of all persons with access to the Client Data; and (vi) audit trails of all persons with access to the Client Data. KEIRUS shall, within a reasonable period, notify the Client if KEIRUS experiences a security event that negatively affects the confidentiality or integrity of Client Data.

 

ACCESS CONTROLS

KEIRUS shall: (1) process Client Data only (a) through devices (including servers, workstations (such as desktop computers and laptop computers), and handheld mobile devices (e.g. PDAs, smartphones etc.)) effectively controlled by KEIRUS; or (b) within KEIRUS-controlled applications; and, in both cases, adequately protect the Client Data at rest and in transit; and keep a list of the locations of the centers where its personnel process Client Data under its control.


SYSTEM CONTROLS

To the extent that Client Data are processed in a KEIRUS System, and to the extent that KEIRUS accesses Client Data in a Client system and can exercise such control over the system, KEIRUS shall: (1) Restrict access to any Client systems that contain Client Data, including by: (a) restricting the number of persons with privileged access; (b) restricting access by users to only those parts of the Client system to which they need access to perform their job; and (c) restricting the time during which they may exercise access; (2) Review user access privileges used by or on behalf of KEIRUS to access the Client systems with the frequency required by KEIRUS’ security policies and in any event no less frequently than annually; (3) Ensure that personnel who have access to the Client system act responsibly and with due care; (4) Maintain access control lists to production systems and the permissions granted to user accounts; (5) Disable or revoke a user’s access rights when the user no longer needs such access rights; (6) Have a process to ensure that access rights to Platform, and to Client Systems to which KEIRUS (either itself or through a third party) has granted access, are revoked from the time the employment ends; (7) Where KEIRUS requires access to, or copies of, any Client Data for the purposes of software development or testing, protect the Client Data with the same system access restrictions as apply for Client Data in the Platform; (8) Client Data can only be accessed and downloaded onto a KEIRUS managed device to a KEIRUS employee; (9) Maintain specifications of technical and organizational resources (covering computer system authentication, authorization and account) required to ensure the confidentiality, integrity and availability of the Client Data that are processed; (10) Ensure that master versions of Client Data are located only on network servers that satisfy all of the following conditions: (i) they are effectively controlled by KEIRUS; (ii) they are secure; and (iii) they have restricted system access; and (11) Install and maintain up-to-date adequate protection against malicious software. KEIRUS shall control access to KEIRUS Systems by: (i) having a process to ensure that access rights to the Platform, and to Client systems to which KEIRUS (either itself or through a third party) has granted access, are revoked from the time the employment ends; (12) maintaining security with regard to the internet through firewalls and other measures that address unauthorized attempts to access applications, sites or services that are available through the internet, or to access data transmitted over the internet; (13) restricting access to Platform features (including configuration settings) and other tools relevant for system security to authorized personnel; (14) applying cryptographic protection measures to data used for authentication (e.g. hash passwords using industry accepted and generally secure algorithms); (15) provisioning and de-provisioning user accounts; enabling authentication and single-sign-on that require a valid individual user ID/account and password; (16) enforcing a password policy that (a) requires that each password comprises 9 or more characters and contains at least three of the following four character groups: (i) lowercase letters (a through z); (ii) upper case letters (A through Z); (iii) numerals (0 through 9); and (iv) special characters (such as !, $, #, %); and (b) makes passwords automatically expire within pre-defined intervals; after expiry, a new password must be created; (17) automatically disabling user accounts after 4 invalid login attempts; (18) automatically locking idle individual logon sessions after a set period of up to 15 minutes; and (19) managing user rights, logins and passwords.


SERVICE CONTINUITY

KEIRUS shall (1) detect, track, escalate and resolve any actual (or potential) incidents, failures, security events or other operational risks in a timely manner; (2) test, approve and deploy changes to Platform in a controlled manner with only minimal disruption to the Client; (3) plan, implement and regularly test the appropriate organizational and technical measures necessary to sustain or rapidly recover the services being provided to the Client in the case of any reasonably foreseeable disruptive event; and ensure that any stand-by or alternative location used for the purposes of KEIRUS Platform’s continuity is subject to information security controls at least equivalent to those in force at the facility from which KEIRUS usually operates the relocated processes.
