BROKERBACKOFFICE.COM DATA POLICY
Updated: 12/7/2015
Data Management and Security
- Access, Use, & Legal Compulsion. Unless it receives Recipient’s prior written or electronic consent, Provider: (i) will not access or use personally identifiable data in electronic form collected through the Services from Recipient’s customers or other third parties, or collected or accessible directly from Recipient (collectively, “Agency Data”), other than as necessary to facilitate the Services; and (ii) will not give any third party access to Agency Data. Notwithstanding the foregoing, Provider may disclose Agency Data as required by applicable law or by proper legal or governmental authority. Provider will give Recipient prompt notice of any such legal or governmental demand and reasonably cooperate with Recipient in any effort to seek a protective order or otherwise to contest such required disclosure, at Recipient’s expense. Provider will collect and use activity-based data, such as usage information gathered throughout the use of the Service, including but not limited to:
  - Site usage statistics.
  - De-identified sales data.
  - De-identified demographic data tied to production information through the Service.
  - De-identified demographic data tied to Agency Data through the Service.
  - De-identified demographic data tied to Recipient’s Users through the Service.
- Each Party’s Warranties.
  - The Provider will provide a securely hosted environment with encryption standards informed by SSAE 16 SOC1 standards. These standards include but are not limited to:
    - 256-bit SSL encryption.
    - Multi-layered firewalls.
    - Role-based access control (RBAC) for access to data.
    - Assurances that data is secured with the latest patches and virus protection.
    - Master audit log recording access to secured data.
    - Vulnerability assessments.
  - The Recipient warrants that it will comply with insurance regulations and other federal regulations, including:
    - Title V of the Gramm-Leach-Bliley Act (“GLB”) (15 U.S.C. 6801, et seq.);
    - The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including its implementing privacy regulations at 45 C.F.R. Parts 160 – 164 and its implementing security regulations at 45 C.F.R. Parts 160, 162, and 164;
    - The various state and federal restrictions on the use of electronic mail and the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (15 U.S.C. § 7708) (“CAN-SPAM Act”).
- Recipient’s Rights. Recipient possesses and retains all right, title, and interest in and to Agency Data, and Provider’s use and possession thereof is primarily as Recipient’s agent. Recipient may access and copy any Agency Data in Provider’s possession at any time by logging in to the Service. Provider will facilitate such access promptly after Recipient’s request. Provider will retain historical de-identified data pertaining to sales data, including de-identified demographic data on Users and customers, to assist in the reporting of the Service, but will not link such data directly to an outside source.
- Retention & Deletion. Provider will retain any Agency Data in its possession until Erased (as defined below) pursuant to this section. Provider may Erase: (i) all copies of Agency Data 90 days after collection thereof; (ii) any or all copies of Agency Data promptly after Recipient’s written request; and (iii) all copies of Agency Data no sooner than 30 business days after termination of this Agreement and no later than 90 business days after such termination. Notwithstanding the foregoing, Recipient may at any time instruct Provider to retain and not to Erase or otherwise delete Agency Data, provided Recipient may not require retention of Agency Data for more than 90 business days after termination of this Agreement. Provider will retain de-identified Agency Data that is used in support of the Service, including but not limited to company and product production information as well as demographic information collected during the use of the Service. (“Erase” and “Erasure” refer to the destruction of data so that no copy of the data remains or can be accessed or restored in any way.)
- Individuals’ Access. Provider will not allow any of its users to access Agency Data, except to the extent that a user needs access in order to facilitate the Services. Provider will perform a background check on any individual it gives access to Agency Data. Such background check will include, without limitation, a review of the individual’s criminal history, if any. Provider will not grant access to Agency Data if the background check or other information in Provider’s possession would lead a reasonable person to suspect that the individual has committed identity theft or otherwise misused third party data or that the individual presents a threat to the security of Agency Data.
- Testing & Audits. Provider may test the Service management systems, both on a schedule and at random throughout each year, including without limitation via unannounced penetration tests, and Recipient will cooperate with such tests as Provider reasonably requests. Provider may provide the resulting report to Recipient promptly after receipt thereof, and such report will be considered Confidential Information disclosed by Provider.
- Leaks. Provider will promptly notify Recipient of any actual or potential exposure or misappropriation of Agency Data (any “Leak”) that comes to Provider’s attention. Provider will cooperate with Recipient and with law enforcement authorities in investigating any such Leak, at Provider’s expense. Provider will likewise cooperate with Recipient and with law enforcement agencies in any effort to notify injured or potentially injured parties, and such cooperation will be at Provider’s expense, except to the extent that the Leak was caused by Recipient. The remedies and obligations set forth in this Subsection (h) are in addition to any others Recipient may have.
- Non-Disclosure. Recipient agrees not to disclose any portion of the Service to an outside source without the express written consent of the Provider. Breach of this agreement may result in immediate termination of the Recipient’s access to the Service.