BriteCore RFI

Privacy Policies

Privacy and information security are top priorities at IWS. The purpose of our privacy policy is to inform and protect carriers and individuals by setting limits on how information in BriteCore can be accessed, used, or shared with others. The scope of our privacy policy includes the protection of the confidentiality, integrity and availability of sensitive information. We establish security through the use of administrative, technical, and physical safeguards.

Questionnaire

  1. Is personal information collected directly from individuals as a service to the client? If yes, describe the information collected.

    No.

  2. If the service provider hosts and/or maintains (as a service to the client) data about an individual, does the organization provide appropriate controls to ensure the privacy of that data? If yes, describe. If no, explain reason.

    Yes. It is Intuitive Web Solutions' policy to ensure that every employee maintains the confidentiality of any personal data held by the company in whatever form. Employees are bound by this policy in addition to a non-disclosure agreement, which is signed upon employment acceptance with Intuitive Web Solutions.

  3. Is personal information - provided by the client - shared with other third parties within the US only? If yes, describe.

    Yes. We currently don't work with any vendors outside the US. Any data sharing with a third-party vendor would be at client request.

  4. Is personal information - provided by the client - shared with other third parties outside of the US? If yes, list countries.

    No.

  5. Are there appropriate contractual controls to ensure that personal information shared with other third parties is appropriately protected by the third party? If yes, describe. If no, explain reason.

    Yes. Vendor relationships are requested by the client to add functionality to the BriteCore system. One example would be a payment vendor such as Authorize.net. In the case that the client wishes to work with such a vendor, the client would need to obtain contractual agreements with the vendor prior to integration.

  6. Are there documented controls and procedures to appropriately safeguard personal information about individuals? If yes, describe. If no, explain reason.

    Yes. Ask to see SOC report, PCI SAQ-D, and encryption policy for more details.

  7. Does the information security program address the protection of personal information separately from other information (such as proprietary business information)? If yes, describe. If no, explain reason.

    Yes. Ask to see SOC report, PCI SAQ-D, and encryption policy for more details.

  8. Does the information security function regularly communicate and collaborate with the privacy function (if the two functions are separate)? If yes, describe. If no, explain reason.

    Yes. Ask to see SOC report, PCI SAQ-D, and encryption policy for more details.

  9. Is there a process for ensuring the accuracy and currency of personal information at the direction of the client? If yes, describe. If no, explain reason.

    Yes. Personal information is managed by the client.

  10. Is there a process to ensure that the personal information provided by an individual is limited for the purposes described in the organization's privacy notice? If yes, describe. If no, explain reason.

    Yes. Within the scope of IWS we have such controls and agreements. Information provided to your company will fall under your internal controls.

  11. Are employees, contractors, volunteers (and other parties, as appropriate) regularly monitored for privacy compliance? If yes, describe. If no, explain reason.

    Yes. Ask to see SOC report, PCI SAQ-D, and acceptable data-use policy for more details.

  12. Are third-party service providers regularly monitored for privacy compliance? If yes, describe. If no, explain reason.

    No. We have no direct relationship with third-party service providers. These are all obtained at the request of the client and so such safeguards are best performed by in-house IT and security staff.

  13. Are appropriate sanctions applied to employees, contractors, volunteers (and other parties, as appropriate) who violate privacy policies?

    Yes. If an employee were to violate our privacy and non-disclosure agreements we would respond with termination and legal action.

  14. Is there a process for employees, contractors, volunteers (and other parties, as appropriate) to notify privacy compliance personnel of an actual or suspected privacy breach?

    Yes. We have access to an ethics hotline provided by a third party at the request of IWS.