Data Privacy
The security and privacy of data shared with ClearlyRated is of utmost importance to us. We have taken the following steps to ensure that the privacy and security of all data shared with ClearlyRated is maintained:
- Adoption of the CIS Controls framework to assess our information security posture and guide to future improvements and updates to the security of all our systems
- Our platform is hosted in a managed server environment with Rackspace in their Chicago datacenter where strict physical access is controlled and can be verified through a variety of certifications maintained by Rackspace, including SOC2
- Implemented an industry standard Information Security Program and Policy that all employees are trained on and required to follow
- Self certify into the EU-U.S. and Swiss-U.S. Privacy Shield programs
- Fully GDPR compliant privacy policy and implementation of standard contractual clauses with all vendors that we depend on for our platform
- Through certification into Privacy Shield we have documented the data flow throughout our platform to ensure GDPR and CCPA erasure requests can be successfully completed
- Applied industry best practices on the storage and security of the data within our database servers and employee computers, including full hard drive encryption of all employee computers
- Restricted access to all servers that store confidential information to the small number of employees needed to maintain those systems
- All transfer of data is fully encrypted at all times
Any further questions relating to privacy and confidentiality of personal information can be directed to Nathan Goff the Chief Technology Officer at ClearlyRated. He can be contacted at ngoff@clearlyrated.com.
GDPR and CCPA Compliance Statement
First and foremost as an organization we have always taken very seriously the protection of the data our clients entrust us with. From the beginning of ClearlyRated we have had in place security measures and policies that address the protection of all of the data our clients share with us. It is core to our DNA to balance the needs of our clients and the customers they serve, which we believe that balance is in the best interest of both parties. This doesn’t stop when it comes to the privacy and protection of our clients customer data.
All of our servers are located within the US so all data processing is happening here. To address the transfer of EU data to US servers we became certified under the EU-US Safe Harbor framework in 2010 and to show compliance with GDPR we have certified into the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks.
In the context of a satisfaction survey our clients have a legitimate interest in gathering feedback from their clients or employees to assess how that relationship is going. Therefore, we believe all satisfaction survey related data falls under the ‘legitimate interest’ category of the GDPR and we are a 'Service Provider' within the CCPA framework. It therefore does not require any additional consent to collect feedback with our tools so long as no questions are added to the survey that could be used primarily for sales and marketing purposes.
Here is what we have done to be in compliance with both GDPR and CCPA:
- Completed a full inventory and mapping of how all personally identifiable data makes it into our system and how it flows through it
- Updated our privacy policy to be GDPR and CCPA compliant
- Submitted privacy policy to the FTC as part of our application to self-certify into Privacy Shield. Certification was accepted and approved.
- Completed audit of all of our 3rd party vendors that come into contact with data in the process of providing services to us and confirmed that they are Privacy Shield certified
- Completed documenting process for responding to requests from individuals to know what data we have on them
Technology Environment Details
At ClearlyRated, we take information security very seriously. This sheet provides technical details for ClearlyRated’s survey system.
Servers
- All production survey fielding and reporting applications are hosted on leased dedicated hardware with Rackspace in their Chicago datacenter
- All leased managed server hardware employs industry best practices for hardware redundancy around disks, power, and network
- Read about Rackspace's data center for full details on their data center and the certifications it has received. Sampling of some of the certifications this datacenter has received are: SOX, HITRUST, PCIDSS, ISO 2700-1
- Application and database servers are dedicated to those functions and do not operate both on the same server
- All of these servers are dedicated and managed hardware not within cloud or shared hosting environments
- All production servers run a supported and managed version of Red Hat Enterprise Linux
Networking
- All production server hardware is behind a managed Cisco firewall
- Only ClearlyRated leased hardware is attached to the firewall
- Industry standard protocols are followed to provide very limited direct access to firewall and the servers behind it
- DNS services and attack mitigation is managed by Cloudflare
- Full details on Rackspace's network uptime SLA
Redundancy
- All production application servers have managed backups on a daily basis
- All production database servers have a real-time replica with daily full backups
- Rackspace managed services provides redundancy to all other aspects of the infrastructure
- Emailing infrastructure provided by Mailgun
- All email sent on a dedicated IP
- Email certification provided by ReturnPath