We are Quadrant 2, Inc. ("Q2", “we”, “us” and “our”). We provide a service for the creation, sharing of messages, images and playing of videos (the “Services”) through our software applications (the “Software”), and through our website at prompt.quadrant2.us (the “Site”), electronic mail, texts, and other forms of electronic communications. The videos may be hosted by third parties (“Media Services”).
Each person or entity who uses our Services is referred to as a “user” or “you” or “your”. If you subscribe to any of our Services, we will refer to you as a “registered user”. If you don’t register with us, we will refer to you as an “unregistered user”.
This document is our statement of our privacy practices (“Privacy Statement”). Among other things, it explains how we and some of the companies we work with collect, use, share and protect the information you provide to us (“your Content” or “User Content”). The User Content may include any personally-identifiable information, including without limitation name, address, telephone numbers, electronic mail and postal addresses, personal health information, personal financial information, and other sensitive information that identifies or is uniquely associated with an individual (collectively, “Personal Data”). This Privacy Statement also discusses your choices about the collection, storage and use of your Personal Data.
Any Content that is not Personal Data is referred to as “Non-Personal Data.” Non-Personal Data includes information about how users use the Services, what Services users select, how users respond to service offerings, how users share information with others, what users say they like and dislike, all of which we aggregate into larger data sets that do not identify individuals (“Behavioral Data”).
Q2 works with other companies in the industry, directly and indirectly (collectively, “Partners”). This Privacy Statement does not apply to any Partners or to any other websites, mobile applications, individuals, businesses or organizations. This Privacy Statement does not apply to any Personal Data or other Content collected via any means other than the Services.
By using our Services, you consent to the collection, transfer, analysis, transformation, storage, disclosure and other uses of your Content, including your Personal Data, as described in this Privacy Statement.
1. Information We Collect
As noted above, we collect Content from you while providing the Services. Some of the Content is Personal Data that we use to contact you and our Partners, and which is necessary to provide the Services. Other Content we collect from you includes Behavioral Data and other Non-Personal Data that we aggregate, share, and use to improve our Services, the services of our Partners, and others in the industry.
We collect many different types of information from you, both directly and indirectly.
Information you provide us directly.
Registration information. When you create or modify an account, or subscribe to our Services, you may provide Personal Data to us, such as your user name, age or age-range (to confirm the user as an adult), password, postal address and email address.
Payment information. Currently, we are not taking any payments. If we begin to collect payments, we will then use a third-party payment processor (“Processor”) to process your payments, so we do not store your credit card numbers or other payment information. Please note that any Processor does store and process your credit card numbers and other payment information in accordance with the Processor’s privacy policies and privacy statement, and subject to applicable law.
Profile information. You may provide us with additional profile information that you choose to make public or share with other users. You may also provide information to customize your account, such as a telephone number for the delivery of short message system (“SMS”) or text messages. Each individual user may connect with other users and third parties to share their videos and other Personal Data and Content. Similarly, Partners and other third parties may provide their Personal Data and Content to the Services to attract and communicate with users, share videos and other Content. We may use your contact information and other Personal Data to send you information about our Services, or to market to you. You may use your account settings to customize notifications from us. If you email us, we may keep your message, email address and contact information to respond to your request.
Location Information. We may ask for your postal address or your geographic location information, especially if you place an order for Services with us. When you post User Content to our website or to social media, you may provide your location information, including global positioning system (“GPS”) data or other location information embedded in or accompanying the User Content (e.g., in tags or captions) or embedded in the User Content.
Communications between you and Q2. We may send you emails, SMS or text messages, and other electronic communications for sales and delivery, account verification, notices of changes/updates to features of the Services, technical and security notices, and for other purposes. We may collect and store these communications.
Information we gather from your use of our Services.
Emails. We collect and may save private emails sent to us by users, and we may share your emails with any third parties or other users. Any public posts on Services may be viewed by any user and are public to anyone who visits the Services. You may elect to disclose certain Personal Data and Non-Personal Data. The information you submit to any public forums is not confidential or private, and Q2 does not protect it. All information you choose to provide publicly, including information that identifies you or others, can be read, collected, or used by other users and by other third parties, and could be used to send you unsolicited messages and for other purposes.
Social Media. In addition to media that we control, you may post comments, photographs, drawings and other User Content on third party social media, such as Slack, Facebook, SnapChat, Instagram and Twitter, each of which enforces its own terms of use and privacy policy for its service. As noted in the Terms and our other online documents, we may use and copy the User Content you post. More to the point, your User Content may contain Personal Data about you and other people in the form of names, email addresses, personal health information, and location information. You should also be aware that a photograph, drawing or other image of a person may be Personal Data to the extent the person may be recognized in and identified by the photograph or drawing, and medical or other healthcare information may be gleaned from any medical conditions, disorders or diseases that are discussed or portrayed in the User Content. We may collect and use User Content and the Personal Data contained in the User Content to market our Services.
Analytics. We use third-party analytics tools to help us measure traffic and usage trends and other Non-Personal Data for the Services. These tools collect information sent by your device or our Services, including the web pages you visit, add-ons, and other information that assists us in improving our Services. We collect and combine this analytics information with analytics information from other users so that it cannot be used to identify any particular individual user.
Metadata. Metadata is usually technical data that is associated with other data, including User Content. For example, metadata can describe how, when and by whom an item of User Content was collected and how that User Content is formatted. Q2 may collect and store metadata, including about each user’s public posts on the Services.
Links. Q2 may keep track of how you interact with links across our Services, including our email notifications and third-party Services by redirecting clicks or through other means. We do this to help improve our Services, to provide more relevant local data, and to be able to share aggregate click statistics such as how many times a particular link was clicked on.
Device Identifiers. We may access, collect, monitor, store on your device, or remotely store one or more "device identifiers." Device identifiers are small data files or similar data structures stored on or associated with your computer, phone or other device, which uniquely identify your device. A device identifier may be data stored in connection with the device hardware, data stored in connection with the device's operating system or other software, or data sent to the device by Q2. A device identifier may deliver information to us or to a third-party partner about how you browse and use the Services and may help us or others provide reports or personalized Content and ads. Some features of the Services may not function properly if use or availability of device identifiers is impaired or disabled.
Log Data. Our servers automatically record information (“log data”) created by your use of the Services. Log Data may include information such as your Internet Protocol (“IP”) address, browser type, operating system, the referring web page, pages visited, location, your mobile carrier, device and application IDs, search terms, and cookie information. We receive log data when you interact with our Services, for example, when you visit our website, sign into our Services or interact with our email notifications. Q2 uses log data to review how we provide our Services and to measure, customize, and improve the Services.
2. How We Store Your Information
We currently provide the Services from within the United States, and we store all User Content, including Personal Data, that we currently collect and retain on servers located inside the United States.
In the future, we may store Personal Data and other User Content on servers located outside the United States, but we have no plans to do so at this time. Certain types of User Content you submit to us might reveal your gender, ethnic origin, nationality, age, religion, sexual orientation, or other Personal Data or sensitive information about you or others.
By using our Services, or by submitting your Personal Data to us, you consent to the collection, storage, processing and onward transfer of your Personal Data as stated in the current version of this Privacy Statement and the current version of our other online documents, including the Terms of Service.
3. How We Use Your Information
We share and use your Personal Data in the following circumstances:
Opt-in with Your Consent. We may ask for your permission to share your Personal Data with other people and organizations outside of Q2, including to help conduct studies or provide you with other services. As with any opt-in procedure, you are under no duty to agree to a request that you opt-in.
Partners and Affiliates of Q2. We may share your Personal Data with Partners and with our Q2 affiliates (meaning entities controlled by, controlling or under common control with Q2) as necessary to sell and provide the Services. However, any Personal Data stored in one country or jurisdiction would not be forwarded to another country or jurisdiction, except in compliance with applicable laws and regulations.
Cookies: Cookies are unique identifiers that we transfer to your device to enable our systems to recognize your device and to provide features and remember your personalization choices. We use cookies to make it easier to access and use our Services. The help feature on most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether. Additionally, you can disable or delete similar data used by browser add-ons, such as Flash cookies, by changing the add-on's settings or visiting the website of its manufacturer. Because cookies allow you to take advantage of some of the Services’s essential features, we recommend that you leave them turned on. Cookies are also used to display particular Content and to set session identifiers for visitors who voluntarily join user areas.
Opt-out Email or Postal Address. If you supply us with your postal or email address you may receive periodic mailings from us with information on new products and services or upcoming events. If you do not want to receive such mailings, please let us know by sending an email to us at the “opt-out” address, below. We will remove your name from the list we use internally. Opting-out of these emails does not mean we remove your email from our system entirely, because we still retain your email addresses for other purposes.
Service Providers. We may employ third party companies and individuals to facilitate our Services (e.g., payment processing, maintenance, analysis, audit, marketing and development). These third parties may have limited access to your Personal Data only to perform these tasks on our behalf and are obligated to Q2 not to disclose or use your Personal Data for other purposes.
Required by Law. We may access, preserve and share your Personal Data in response to a legal request (such as a search warrant, court order or subpoena). We may also access, preserve and share Personal Data when we have a good faith belief it is necessary to: detect, prevent and address fraud and other illegal activity; to protect ourselves, you and others, including as part of investigations; and to prevent death or imminent bodily harm. Information we receive about you may be accessed, processed and retained for an extended period of time when it is the subject of a legal request or obligation, governmental investigation, or investigations concerning possible violations of our terms or policies, or otherwise to prevent harm.
National Security and Intelligence Activities. We may release your Personal Data to authorized federal officials for intelligence, counterintelligence and other national security activities when required by law. For example, under current law in the United States, certain federal officials may require that we provide Personal Data and other Content in response to a national security letter, subpoena, demand, or court order. In some cases, we would be required not to tell you that we complied with that letter, subpoena, demand, or court order. Where permitted by applicable law, we reserve the right to comply with, or to fight or quash, any such letter, subpoena, demand, or court order.
Change of Control. If we sell or otherwise transfer part or the whole of Q2 or our assets to another organization (e.g., a merger, acquisition, or reorganization), your Personal Data such as user name and email address, User Content and any other information collected through the Services may be among the items sold or transferred. You will continue to own your User Content, but the license you grant to us in the Terms may be transferred to others.
Non-Personal Data. We may share Non-Personal Data publicly and with publishers, researchers or connected sites. For example, we may share aggregated Non-Personal Data publicly to show trends about the general use of our Services. Non-Personal Data includes aggregated or collective information about multiple users that does not reflect or reference an individually-identifiable user.
Other. In addition to some of the specific uses of information we describe in this Privacy Statement above, we may use Personal Data that we receive to:
Help you efficiently access your information after you sign in.
Remember information so you will not have to re-enter it during your visit or the next time you visit the Services.
Provide personalized Content and information to you and others, which, in the future, could include online ads or other forms of marketing.
Provide, improve, test, and monitor the effectiveness of our Services.
Develop and test new products and features.
Monitor metrics such as total number of visitors, traffic, and demographic patterns.
Diagnose or fix technology problems.
4. Your Right to Review, Request Changes, and Disclose Personal Data
Subject to applicable laws and regulations, each user may inspect and receive a copy of his or her Personal Data as stored in the Services. In rare circumstances, we may deny a request, and we may provide you with an explanation. If we deny your request, you may request a review by another professional, who will be chosen by Q2, and we will comply with the outcome of the review.
Subject to applicable laws and regulations, the Personal Data you provide to us remains completely under your control. If you believe the Personal Data we have is incorrect or incomplete, you may in writing request an amendment to your Personal Data. We will approve or deny each request, and notify you of our decision. If approved, we will amend the Personal Data. We will also make a reasonable effort to notify people to whom the Personal Data was released. In the case of a denial, we will provide the reason for the denial and instructions on how to appeal.
Any information or User Content that you voluntarily disclose for use of the Services, such as your user name, your Personal Data or your User Content, may become available to the public if you release it to other users or to the general public. Once you have shared your Personal Data or your User Content with other people, or otherwise made it public, that Personal Data and your User Content may be re-shared by others.
5. Children
Our Services are not directed to persons under age 13. If you are the parent or guardian of a person under 18, and you become aware that your young person has provided us with Personal Data or User Content without your express consent, please contact us at prompt.quadrant2.us and we will remove the information or User Content, and we will terminate the young person’s account. You may then establish an account that you manage for your child or guardian.
6. Changes to this Privacy Statement
We may modify our Privacy Statement from time to time on prior written notice sent to the email address we have for you. For any user who has not provided us with an email address, the revised Privacy Statement will become effective when posted on the Services. If you choose not to be subject to a revised version of this Privacy Statement, then you may terminate your account with us.
7. Different Locations, Different Laws
The laws and regulations that address privacy rights and responsibilities (collectively, “Laws”) differ from one location to another. Indeed, some of the Laws do or do not apply depending on different factors, including:
Location or residence of the user.
Location or residence of the individual that is the subject of the Personal Data (“Data Subject”).
Location or residence of the person or organization that employs or contracts with the Data Subject.
Location of each server or other machine where the Personal Data is received, stored, processed or forwarded to.
Location of the relevant office of Q2.
Several of the Laws that concern unregistered users, registered users, and Q2 are discussed in this Section, but these are not all of the Laws that may apply. In addition, if there is any conflict or ambiguity between the statements made in this Privacy Statement and an applicable Law, then the Law will control.
7.1 United States Federal Laws
Several of the federal Laws in the United States may apply to the Personal Data collected by us.
Currently, all Personal Data of users resident in the United States is stored on servers and other machines physically located within the United States.
7.1.1 Health Insurance Portability and Accountability Act (“HIPAA”)
Currently, HIPAA does not apply to the Services as we are neither a covered entity nor business associate (as those terms are used in HIPAA).
7.1.2 Children’s Online Privacy Protection Act (“COPPA”)
Currently, COPPA does not apply to the Services. Each registered user and other user must be 13 years of age or older. As noted in this Privacy Statement, if we learn that any registered user is under the age of 18, or if any parent or guardian of a user under the age of 18 contacts us, we will close that user’s account and remove all information provided by the individual from our Services.
7.2 State Laws in the United States
Individual states in the United States have passed and enforce information privacy and security laws.
7.2.1 Your California Privacy Rights
If you are a California resident, California Civil Code Section 1798.83 permits you to request information regarding the disclosure of your Personal Data by us to third parties for the third parties’ direct marketing purposes. To make such a request, please send an email to prompt.quadrant2.us, or send us postal mail at:
Attn: Privacy, Quadrant 2, Inc., 29 Usonia Road, Pleasantville, NY 10570-2624.
Pursuant to California Civil Code Section 1798.83(c)(2), we do not currently share users’ Personal Data with affiliate companies or others outside Q2 for those parties’ direct marketing use, unless a user elects that we do so.
If you are a California resident under the age of 18, and a subscriber of any site where this Privacy Statement is posted, California Business and Professions Code Section 22581 permits you to request and obtain removal of content or information you have publicly posted. To make such a request, please send an email with a detailed description of the specific content or information to prompt.quadrant2.us. Please be aware that such a request does not ensure complete or comprehensive removal of the content or information you have posted and that there may be circumstances in which the law does not require or allow removal, even if requested.
By submitting any Personal Data or other User Content to us, or placing any order with us, you consent to the storage, processing, use and onward transfer of your Personal Data and User Content to us in the United States.
8. Use of Email Addresses and Other Contact Information
We collect the email addresses of those who voluntarily provide them to us, including unregistered users and registered users. You may receive subscription, editorial and other messages from the Services or from us. If you do not want to receive email from us in the future, please let us know at prompt.quadrant2.us.
9. Contact Us
If you have questions or concerns about this Privacy Statement, please contact us online at prompt.quadrant2.us, or by postal mail addressed to:
Attn: Privacy, Quadrant 2, Inc., 29 Usonia Road, Pleasantville, NY 10570-2624.
Revision Date and History
These Terms were last revised: July 6, 2018.
Prior versions of this Privacy Statement are listed below:
None.
Q2 – Written Information Security Policy (“WISP”)
We are Quadrant 2, Inc. (“Q2,” “we”, “us,” and “our”). We provide users with the ability to create, distribute, and share videos online, including via mobile applications, websites, electronic mail, texts and other communications (collectively, the “Services”). Some of the Services are provided via our parent site at prompt.quadrant2.us (the “Q2 Site”) and via our software applications (the “Software”).
The objectives of this comprehensive written information security program ("WISP") include defining, documenting, and supporting the implementation and maintenance of the administrative, technical, and physical safeguards Q2 has selected to protect the personally-identifiable information and sensitive information (“Personal Data”) it collects, creates, uses, and maintains. This WISP has been developed in accordance with the requirements of the Massachusetts Data Security Regulation and other similar laws.
In the event of a conflict between this WISP and any legal obligation or other Q2 policy or procedure, the provisions of this WISP shall govern, unless the Information Security Coordinator specifically reviews, approves, and documents an exception (see Section 3 of this WISP).
1. Purpose
The purpose of this WISP is to:
1.1 Ensure the security, confidentiality, integrity, and availability of personal and other sensitive information Q2 collects, creates, uses, and maintains.
1.2 Protect against any anticipated threats or hazards to the security, confidentiality, integrity, or availability of such information.
1.3 Protect against unauthorized access to or use of Q2-maintained personal and other sensitive information that could result in substantial harm or inconvenience to any customer or employee.
1.4 Define an information security program that is appropriate to Q2's size, scope, and business; its available resources; and the amount of personal and other sensitive information that Q2 owns or maintains on behalf of others, while recognizing the need to protect both customer and employee information.
2. Scope
This WISP applies to all employees, contractors, officers, and directors of Q2. It applies to any records that contain personal and other sensitive information (“Personal Data”) in any format and on any media, whether in electronic or paper form.
2.1 For purposes of this WISP, "Personal Data" includes without limitation an individual’s first and last name, or first initial and last name, in combination with any one or more of the following data elements, or any of the following data elements standing alone or in combination, if such data elements could be used to commit identity theft against the individual:
2.1.1 Social Security number, driver's license number, or other government-issued identification numbers, including any passport number, or tribal identification number.
2.1.2 Account number, or credit or debit card number, with or without any required security code, access code, personal identification number, or password that would permit access to the individual's financial accounts.
2.1.3 Any personally identifiable financial information or consumer list, description, or other grouping derived from personally identifiable financial information, where “personally identifiable financial information” includes any information:
2.1.3.1 A consumer provides Q2 to obtain a financial product or service.
2.1.3.2 About a consumer resulting from any transaction involving a financial product or service with Q2.
2.1.3.3 Information Q2 otherwise obtains about a consumer in connection with providing a financial product or service.
2.1.4 Health information, including information regarding the individual's medical history or mental or physical condition, or medical treatment or diagnosis by a health care professional created or received by Q2. “Health information” includes any information which identifies or for which there is a reasonable basis to believe the information can be used to identify the individual and which relates to the past, present, or future physical or mental health or condition of the individual, the provision of health care to the individual, or payment for the provision of health care to the individual.
2.1.5 Health insurance identification number, subscriber identification number, or other unique identifier used by a health insurer.
2.1.6 Biometric data collected from the individual and used to authenticate the individual during a transaction, such as an image of a fingerprint, retina, or iris.
2.1.7 Electronic mail (“email”) or other communications address with any required security code, access code, or password that would permit access to an individual's personal, medical, insurance, or financial account.
2.1.8 Information that Q2 considers to be highly confidential and that, if accessed by or disclosed to unauthorized parties, could cause significant or material harm to Q2, its customers, or its business partners.
3. Information Security Coordinator.
3.1 Q2 has designated a Chief Privacy Officer to implement, coordinate, and maintain this WISP, and who will also either serve as or supervise the "Information Security Coordinator".
3.2 The Information Security Coordinator shall be responsible for initial implementation of this WISP, including:
3.2.1 Assessing internal and external risks to Personal Data and maintaining related documentation, including risk assessment reports and remediation plans (see Section 4).
3.2.2 Coordinating the development, distribution, and maintenance of information security policies and procedures (see Section 5).
3.2.3 Coordinating the design of reasonable and appropriate administrative, technical, and physical safeguards to protect personal [and other sensitive] information (see Section 6).
3.2.4 Ensuring that the safeguards are implemented and maintained to protect Personal Data throughout Q2, where applicable (see Section 6).
3.2.5 Overseeing service providers that access or maintain Personal Data on behalf of Q2 (see Section 7).
3.2.6 Monitoring and testing the information security program's implementation and effectiveness on an ongoing basis (see Section 8).
3.2.7 Defining and managing incident response procedures (see Section 9).
3.2.8 Establishing and managing enforcement policies and procedures for this WISP, in collaboration with Q2 human resources and management (see Section 10).
3.3 The Information Security Coordinator will also be responsible for employee, contractor, and (as applicable) stakeholder training, including:
3.3.1 Providing periodic training regarding this WISP, Q2's safeguards, and relevant information security policies and procedures for all employees, contractors, and (as applicable) stakeholders who have or may have access to Personal Data;
3.3.2 Ensuring that training attendees formally acknowledge their receipt and understanding of the training and related documentation, through written acknowledgement forms.
3.3.3 Retaining training and acknowledgment records.
3.4 Reviewing the WISP and the security measures defined herein at least annually, or whenever there is a material change in Q2's business practices that may reasonably implicate the security, confidentiality, integrity, or availability of records containing Personal Data (see Section 11).
3.5 Defining and managing an exceptions process to review, approve or deny, document, monitor, and periodically reassess any necessary and appropriate, business-driven requests for deviations from this WISP or Q2's information security policies and procedures.
3.6 Periodically reporting to Q2 management regarding the status of the information security program and Q2's safeguards to protect Personal Data.
4. Risk Assessment.
4.1 As a part of developing and implementing this WISP, Q2 will conduct a documented risk assessment periodically or whenever there is a material change in Q2's business practices that may implicate the security, confidentiality, integrity, or availability of records containing Personal Data.
4.2 The risk assessment shall:
4.2.1 Identify reasonably foreseeable internal and external risks to the security, confidentiality, integrity, or availability of any electronic, paper, or other records containing Personal Data.
4.2.2 Assess the likelihood and potential damage that could result from such risks, taking into consideration the sensitivity of the Personal Data.
4.2.3 Evaluate the sufficiency of relevant policies, procedures, systems, and safeguards in place to control such risks, in areas that include, but may not be limited to:
4.2.3.1 Employee, contractor, and (as applicable) stakeholder training and management.
4.2.3.2 Employee, contractor, and (as applicable) stakeholder compliance with this WISP and related policies and procedures.
4.2.3.3 Information systems, including network, computer, and software acquisition, design, implementation, operations, and maintenance, as well as data processing, storage, transmission, retention, and disposal.
4.2.3.4 Q2's ability to prevent, detect, and respond to attacks, intrusions, and other security incidents or system failures.
4.3 Following each risk assessment, Q2 will:
4.3.1 Design, implement, and maintain reasonable and appropriate safeguards to minimize identified risks;
4.3.2 Reasonably and appropriately address any identified gaps.
4.3.3 Regularly monitor the effectiveness of Q2's safeguards, as specified in this WISP (see Section 8).
5. Information Security Policies and Procedures.
5.1 As part of this WISP, Q2 will develop, maintain, and distribute information security policies and procedures in accordance with applicable laws and standards to relevant employees, contractors, and (as applicable) other stakeholders.
5.2 Q2 will establish policies regarding:
5.2.1 Information classification.
5.2.2 Information handling practices for Personal Data, including the storage, access, disposal, and external transfer or transportation of Personal Data.
5.2.3 User access management, including identification and authentication (using passwords or other appropriate means).
5.2.4 Encryption.
5.2.5 Computer and network security.
5.2.6 Physical security.
5.2.7 Incident reporting and response.
5.2.8 Employee and contractor use of technology, including Acceptable Use and Bring Your Own Device to Work (BYOD).
5.2.9 Information systems acquisition, development, operations, and maintenance.
5.3 Q2 will detail the implementation and maintenance of Q2's administrative, technical, and physical safeguards (see Section 6).
6. Safeguards.
6.1 Q2 will develop, implement, and maintain reasonable administrative, technical, and physical safeguards in accordance with applicable laws and standards to protect the security, confidentiality, integrity, and availability of Personal Data that Q2 owns or maintains on behalf of others.
6.2 Safeguards shall be appropriate to Q2's size, scope, and business; its available resources; and the amount of Personal Data that Q2 owns or maintains on behalf of others, while recognizing the need to protect both customer and employee information.
6.3 Q2 shall document its administrative, technical, and physical safeguards in Q2's information security policies and procedures (see Section 5).
6.4 Q2's administrative safeguards shall include, at a minimum:
6.4.1 Designating one or more employees to coordinate the information security program (see Section 3).
6.4.2 Identifying reasonably foreseeable internal and external risks, and assessing whether existing safeguards adequately control the identified risks (see Section 4).
6.4.3 Training employees in security program practices and procedures, with management oversight (see Section 3).
6.4.4 Selecting service providers that are capable of maintaining appropriate safeguards, and requiring service providers to maintain safeguards by contract (see Section 7).
6.4.5 Adjusting the information security program in light of business changes or new circumstances (see Section 11).
6.5 Q2's technical safeguards shall include maintenance of a security system covering its network (including wireless capabilities) and computers that, at a minimum, and to the extent technically feasible, supports secure user authentication protocols, including:
6.5.1 Controlling user identification and authentication with a reasonably secure method of assigning and selecting passwords (ensuring that passwords are kept in a location or format that does not compromise security) or by using other technologies, such as biometrics or token devices.
6.5.2 Restricting access to active users and active user accounts only, including preventing terminated employees or contractors from accessing systems or records.
6.5.3 Blocking access to a particular user identifier after multiple unsuccessful attempts to gain access or placing limitations on access for the particular system.
6.6 Q2’s technical safeguards may also include secure access control measures, including:
6.6.1 Restricting access to records and files containing Personal Data to those with a need to know to perform their duties.
6.6.2 Assigning unique identifiers and passwords (or other authentication means, but not vendor-supplied default passwords) to each individual with computer or network access that are reasonably designed to maintain security.
6.6.3 Encryption of all Personal Data traveling wirelessly or across public networks.
6.6.4 Encryption of all Personal Data stored on laptops or other portable or mobile devices [, and to the extent technically feasible, Personal Data stored on any other device or media (data-at-rest)].
6.6.5 Reasonable system monitoring for preventing, detecting, and responding to unauthorized use of or access to Personal Data or other attacks or system failures.
6.6.6 Reasonably current firewall protection and software patches for systems that contain (or may provide access to systems that contain) Personal Data.
6.6.7 Reasonably current system security software (or a version that can still be supported with reasonably current patches and malware definitions) that (1) includes malicious software ("malware") protection with reasonably current patches and malware definitions, and (2) is configured to receive updates on a regular basis.
6.7 Q2's physical safeguards shall, at a minimum, provide for:
6.7.1 Defining and implementing reasonable physical security measures to protect areas where Personal Data may be accessed, including reasonably restricting physical access and storing records containing Personal Data in locked facilities, areas, or containers.
6.7.2 Preventing, detecting, and responding to intrusions or unauthorized access to Personal Data, including during or after data collection, transportation, or disposal.
6.7.3 Secure disposal or destruction of Personal Data, whether in paper or electronic form, when it is no longer to be retained in accordance with applicable laws or accepted standards.
7. Service Provider Oversight.
Q2 will oversee each of its service providers that may have access to or otherwise create, collect, use, or maintain Personal Data on its behalf by:
7.1 Evaluating the service provider's ability to implement and maintain appropriate security measures, consistent with this WISP and all applicable laws and Q2's obligations.
7.2 Requiring the service provider by contract to implement and maintain reasonable security measures, consistent with this WISP and all applicable laws and Q2's obligations.
7.3 Monitoring and auditing the service provider's performance to verify compliance with this WISP and all applicable laws and Q2's obligations.
8. Monitoring.
Q2 will regularly test and monitor the implementation and effectiveness of its information security program to ensure that it is operating in a manner reasonably calculated to prevent unauthorized access to or use of Personal Data. Q2 shall reasonably and appropriately address any identified gaps.
9. Incident Response.
Q2 will establish and maintain policies and procedures regarding information security incident response (see Section 5). Such procedures shall include:
9.1 Documenting the response to any security incident or event that involves a breach of security.
9.2 Performing a post-incident review of events and actions taken.
9.3 Reasonably and appropriately addressing any identified gaps.
10. Enforcement.
Violations of this WISP will result in disciplinary action, in accordance with Q2's information security policies and procedures and human resources policies.
11. Program Review.
Q2 will review this WISP and the security measures defined herein at least annually, or whenever there is a material change in Q2's business practices that may reasonably implicate the security, confidentiality, integrity, or availability of records containing Personal Data. Q2 shall retain documentation regarding any such program review, including any identified gaps and action plans.
12. Effective Date and Revision History.
This WISP is effective as of July 6, 2018.
Prior versions of this WISP are listed below:
None.