Shared Performance Privacy Statement
What does Shared Performance do with my personal data – The data within SPAttain is not shared by Shared Performance. The data resides only within the SPAttain database and archive backups. In the case where the customer installs SPAttain in their environment, the data will reside in the customer’s environment and not on SPAttain servers, and the data is not available to Shared Performance. The data is hosted within our secure third-party data center hosting environment. The third party is not authorized to access the Shared Performance customer data.
What data is stored – The data stored is limited to the data entered into the system by the customer and the cookie and web tracking data mentioned above. All customer entered data is securely stored within the customer database. The exception to the above is the data that is backed up for archival recovery purposes.
Use of data – As between Shared Performance and Customer, Customer exclusively owns all rights, title and interest in and to all Customer Data. Customer Data shall always be deemed Confidential Information under the Agreement between both parties. Shared Performance shall not access Customer’s User accounts, including Customer Data, except to respond to service or technical problems or at Customer’s request. Notwithstanding the foregoing, Customer acknowledges and agrees that SP may access and use Customer Data solely for statistical and data analysis purposes and only information in the aggregate and without any personally identifiable information for industry or other categorical classifications, provided that Customer’s name is not used or disclosed and SP does not publish information specific to Customer, the Customer Data or the Users. Customer may not and shall ensure that the Users and Customer Business Partners do not provide SP any Personal Data that is subject to the General Data Protection Regulations of the European Union (as such term is defined therein).
Is my data shared – Customer data is not shared.
How do you protect my data – All customer data is stored and protected in the Shared Performance SPAttain systems, which are hosted in secure data centers or secured and hosted directly in our customers’ data centers. The use of the reasonable security practices as outlined in the Security and Compliance section, as well as restricted role-based access, adequately protects your data from unauthorized access. When SPAttain is installed in our clients’ data centers, our clients secure the environment to their own specific requirements.
Where will my personal data be processed – The processing takes place within the secure hosted data center environment or within our client’s data center when installed within their own data center.
Transfers of personal data – SPAttain and Shared Performance do not transfer data out of the secure hosted data center environment. Transfer of data is restricted to your access to your data. Viewing of the data on your screen and generation and distribution of reports and logs as initiated by the customer are the only methods of data transfer.
Security and Compliance
Security – Shared Performance is dedicated to complying with reasonable and appropriate security best practices and controls to protect our customers’ data and privacy. This commitment begins with the use of a secure hosted data center environment that is ISO 27001 and SOC2 type II certified annually. Shared Performance conducts application vulnerability penetration tests prior to each major revision release. Shared Performance offers multiple production architectures based upon the security requirements of its clients. These architectures range from secured implementations in the secure hosted data center environment with dedicated virtual environments for each client to deployments within our client-owned data centers. Dedicated physical server deployments within the secure hosted data center environments are available for our customers who require non-shared deployment architectures.
Policy – The security policies are based upon the Critical Internet Security controls. These controls create a foundation of globally accepted best practices and also enable support for various regulatory standards including but not limited to: NIST, ISO27001/2, HIPAA, SSAE16, PCI DSS and various others.
Certification and use of 3rd party security organizations – The secure hosted data center infrastructure supporting SPAttain is ISO 27001 and SOC2 type II certified annually. The SPAttain application, both the web and client, is tested prior to any major revision release by 3rd party application penetration testing service providers.
General Data Protection Regulation
GDPR – Use of SPAttain within the European Union (EU) and the European Economic Area (EEA) is limited to the use of SPAttain within the secure hosted data center infrastructure. The data within SPAttain in the EU secure hosted data center environment will never be transferred outside of the EEA. An alternative to this model will include the use of EU Model Contracts between Shared Performance and the EU customer.
Data owner details – The Shared Performance customer is the “data owner” of all the data entered within SPAttain. Shared Performance will retain the ownership rights to SPAttain as the “tool” that processes the data.
Data process details – The processing of data is a process performed by SPAttain under the direction of the “user”, which is the data owner. This limits the processing of data, including all functions such as but not limited to logging, reporting, etc., to the instructions given by the “data owner” using the system “SPAttain”. This ensures both the data owner and the data process are the “customer” of Shared Performance.
Data Subject Rights – You can request from Shared Performance at any time the termination of your contact and the purging of your data. Upon request, you obtain a copy of your data from the database prior to the purging.