Privacy Shield Policy

Updated November 2020

Overview

Introduction: In order to provide its products and services, Torus Sphere has to collect certain information about individuals and organizations. This can include customers, suppliers, contacts and employees, as well as other individuals with whom Torus Sphere has a relationship. This document outlines how data must be collected, handled and stored to meet data protection standards.

Torus Sphere complies with the EU-U.S. Privacy Shield Frameworks and the Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States. Torus Sphere has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view Torus Sphere's certification, please visit https://www.privacyshield.gov/.

Why does this policy exist?

The data protection policy ensures:

  • Compliance with data protection law
  • Protection of the rights of customers and partners
  • Documentation of how Torus Sphere stores and processes data
  • Protection against data breaches

Applicability

This policy applies to:

  • All offices of Torus Sphere
  • All staff, interns and volunteers
  • All contractors, suppliers and other individuals working on behalf of Torus Sphere

It applies to all data Torus Sphere holds relating to identifiable individuals. This can include:

  • Names
  • Postal addresses
  • Email addresses
  • Telephone numbers
  • Any other information relating to individuals

Risks

This policy is designed to protect Torus Sphere and its customers from security risks.

Reputational damage. Torus Sphere could suffer reputational damage if unauthorized access is gained to sensitive data.

Breaches of confidentiality. For example, information being distributed inappropriately.

Failure to offer choice. Individuals should have a choice in how Torus Sphere uses data relating to them.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation describes how organizations like Torus Sphere must collect, handle and store personal information. It contains the following principles:

Lawfulness, fairness and transparency – Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.

Purpose limitation – Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data minimization – Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy – Personal data shall be accurate and, where necessary, kept up-to-date.

Storage limitation – Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

Integrity and confidentiality – Personal data shall be processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

Accountability – The controller shall be responsible for, and be able to demonstrate compliance with, the GDPR.

Liability for Onward Transfers

Torus Sphere, Inc. complies with the Privacy Shield’s Principle regarding accountability for onward transfers. Torus Sphere, Inc. remains liable under the Principles if its onward transfer recipients process Personal Data in a manner inconsistent with the Principles, unless Torus Sphere, Inc. proves that it was not responsible for the event giving rise to the damage.

Dispute Resolution

Within the scope of this privacy notice, if a privacy complaint or dispute cannot be resolved through Torus Sphere, Inc.’s internal processes, Torus Sphere, Inc. has agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure.

Subject to the terms of the VeraSafe Privacy Shield Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe under the Privacy Shield Dispute Resolution Procedure, please submit the required information to VeraSafe here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/

The Federal Trade Commission is the statutory body having jurisdiction to investigate claims against our organization regarding possible unfair or deceptive practices and violations of laws or regulations relating to privacy.

To the extent allowed by law, Customers located or residing outside the United States of America, or otherwise not subject to the laws or jurisdiction of this Country, irrevocably agree all disputes arising out of or in connection with this Agreement shall be finally settled by binding arbitration under the Rules of Arbitration of the International Chamber of Commerce by one arbitrator appointed in accordance with the said Rules. The language of the arbitral proceedings shall be English (or as determined between the Parties). Judgment upon any award(s) rendered by the arbitrator may be entered in any court having jurisdiction thereof. The arbitrator is authorized to include in the award an allocation to any Party of such costs and expenses, including reasonable attorneys’ fees, as the arbitrator shall deem reasonable.

Responsibilities

All Torus Sphere employees have a responsibility to adhere to the policy.

The Executive Leadership Team (ELT) is ultimately responsible for ensuring Torus Sphere meets its legal obligations.

The Executive is responsible for:

  • Updating the Team on data protection risks and issues
  • Reviewing all data protection policies
  • Handling data protection questions
  • Dealing with requests from individuals for the data Torus Sphere holds about them
  • Approving contracts with third parties that may handle sensitive data

The CTO is responsible for:

  • Ensuring all systems, services and equipment used for storing data are appropriately secured
  • Evaluating any third-party services used to store or process data

The Marketing Manager is responsible for:

  • Data protection statements attached to email and written communications
  • Dealing with data protection queries from media outlets
  • Ensuring marketing initiatives adhere to data protection principles

Storage of Data

For paper storage, sensitive documents should be stored in a locked drawer or filing cabinet when not in use.

Data stored electronically, whether online or on local servers and devices, must be protected from unauthorized access, accidental deletion and malicious access attempts.

  • Data should be protected by strong passwords that are changed regularly and never shared
  • Data stored on removable media should be kept securely when not in use, and all disks must be encrypted
  • Data should only be stored on designated drives and servers and only shared on approved cloud computing services
  • Servers containing personal data should be located in a secure area
  • Data should be backed up frequently, those backups should be encrypted and tested regularly
  • Data should not be saved on unsecured laptops or mobile devices
  • Adding, modifying, and deleting user accounts and access is handled by the end user, within the Glew application

Data stored in the Amazon Redshift warehouse will have additional security measures:

  • Inside the AWS platform, sensitive data is encrypted at rest and in transit, from the time the data is fetched, through intermediate storage, to the final data store
  • Amazon S3 is used to store the data for long-term archival storage. Amazon Redshift is used as the warehouse data storage. Glew adheres to the weekly maintenance upgrade schedule set forth for Amazon Redshift. See here for security information: https://docs.aws.amazon.com/security/
  • Access to the source code is limited to the developers that are actively working on the project. This access is determined and periodically reviewed by the security lead and executive management

Data Usage

  • When working with sensitive data, employees should ensure screens are locked when unattended
  • Sensitive data should not be shared by email in unencrypted form
  • Employees should not save copies of data to personal devices
  • Cookies are only used for authentication and for configurations set by each user within glew.io. All cookie data is encrypted and minified

Accuracy of Data

It is important that Torus Sphere ensures the accuracy of relevant data.

  • Do not create unnecessary copies of data
  • Ensure data is updated promptly as required
  • If inaccuracies are discovered they should be addressed immediately

Subject Access Requests

All individuals who are the subject of personal data held by Torus Sphere are provided these rights:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to be forgotten
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling

Subject Access Requests should be made by e-mail.

It is the aim of Torus Sphere to process requests relating to these rights within 14 days.

The identity of the requester will be verified before information is distributed.

Disclosing Data

In certain circumstances, the regulations allow data to be disclosed to law enforcement agencies without the consent of the data subject. Torus Sphere will disclose data in these circumstances after ensuring the request is legitimate and, where necessary, after notifying the Board and the company’s legal advisers.

TORUS SPHERE appropriately secures its information from unauthorized access, loss, or damage while supporting the open, information-sharing needs of its business purposes.

To ensure the security of client data, TORUS SPHERE employees shall only access client data when necessary and with prior authorization either from the client or from TORUS SPHERE’s management.

Access to TORUS SPHERE’s client data shall be limited to those employees whose duties require such access, and only when they have a legitimate, job-related need.

Classification Levels

All TORUS SPHERE’s Information is classified into one of four levels based on its sensitivity and the risks associated with disclosure. The classification level determines the security protections that must be used for the information. TORUS SPHERE also adheres to industry guidelines that identify Personally Identifiable Information (PII), also known as Sensitive Personal Information (SPI).

PII, as used in information security and privacy laws, is defined as any information that can be used to distinguish or trace an individual’s identity, such as social security number, date and place of birth, mother’s maiden name, national identification number, passport number, vehicle registration plate number, driver’s license number, face, fingerprints, handwriting, credit card numbers, identity, bank account numbers, genetic information, telephone number, login name, screen name, nickname, or handle.

When combining information, the classification level of the resulting information must be re-evaluated independently of the source information’s classification to manage risks.

The classification levels are:

Restricted

TORUS SPHERE’s Information classified as Personally Identifiable Information is Restricted. PII includes, but is not limited to:

  • Social security number
  • Financial information
  • Driver’s license number
  • State Identity card number
  • Credit card number
  • Passports
  • Biometrics information
  • Citizenship and legal status
  • Medical information
  • TORUS SPHERE’s client data

Confidential

TORUS SPHERE’s Information is classified as Confidential if it falls outside the Restricted classification and is not intended to be shared freely within or outside TORUS SPHERE due to its sensitive nature and/or contractual or legal obligations.

Sharing of Confidential information may be permissible if necessary to meet the legitimate business needs of TORUS SPHERE. Unless disclosure is required by law (or for purposes of sharing between law enforcement entities), when disclosing Confidential information to parties outside TORUS SPHERE, the proposed recipient must agree (i) to take appropriate measures to safeguard the confidentiality of the information and (ii) not to disclose the information to any other party.

Unrestricted

TORUS SPHERE’s Information is classified as Unrestricted if it falls outside the Restricted and Confidential classifications, and is not intended to be freely shared outside of TORUS SPHERE.

The presumption is that unrestricted information will remain within TORUS SPHERE. However, this information may be shared outside of TORUS SPHERE if necessary to meet the legitimate business needs of TORUS SPHERE and the proposed recipient agrees not to re-disclose the information without the consent from TORUS SPHERE.

Publicly Available

TORUS SPHERE Information is classified as Publicly Available if it is intended to be made available to anyone inside and outside of TORUS SPHERE.

Responsibilities

TORUS SPHERE staff and third-party associates are expected to:

  • Understand the information classification levels defined in the Information Security Policy.
  • As appropriate, classify the information for which one is responsible accordingly.
  • Access information only as needed to meet legitimate business needs.
  • Not divulge, copy, release, sell, loan, alter or destroy any TORUS SPHERE Information without a valid business purpose and/or authorization.
  • Protect the confidentiality, integrity, and availability of TORUS SPHERE's Information in a manner consistent with the information's classification level and type.
  • Handle information in accordance with the TORUS SPHERE Information Protection Standards and Procedures and any other applicable TORUS SPHERE standard or policy.
  • Safeguard any physical key, ID card, computer account, or network account that allows one to access TORUS SPHERE Information Systems.
  • Discard media containing TORUS SPHERE's Information in a manner consistent with the information’s classification level, type, and any applicable TORUS SPHERE retention requirement. This includes information contained in any hard copy document (such as a memo or report) or in any electronic form like magnetic devices or optical storage medium (such as a memory stick, flash drive, CD, hard disk, magnetic tape, or disk).
  • Contact Human Resources (HR) department prior to disclosing information generated by TORUS SPHERE or prior to responding to any litigation or law enforcement subpoenas, court orders, and other information requests from private litigants and government agencies.

Enforcement

An employee found to have violated this policy may be subject to disciplinary action up to and including termination of employment. A violation of this policy by a temporary worker, contractor, or vendor may result in the termination of their contract or assignment with TORUS SPHERE.

Definitions

Authorization – The function of establishing an individual's privilege levels to access and/or handle information.

Confidentiality – Ensuring that information is kept in strict privacy.

Integrity – Ensuring the accuracy, completeness, and consistency of information.

TORUS SPHERE's Information – Information that TORUS SPHERE collects, possesses, or has access to, regardless of its source. This includes information contained in hard copy documents or other media, communicated over voice or data networks, or exchanged in conversation.