The purpose of this policy is to describe the treatment of client or prospect information provided to or accessed by Avalution Consulting (“Avalution”) employees and/or those working on behalf of Avalution such as contractors, consultants, and vendors.
The Use of Client Information by Avalution
Avalution is granted access to private, sensitive and/or non-public client information through the normal course of business. Access to this information is important to Avalution's ability to deliver effective, customized and valued services to clients. Avalution will not use information obtained or accessed in the normal course of delivering services for purposes other than those agreed to with the client in the statement of work or at the time of collection. Avalution does not disclose client information to third parties unless doing so is necessary for the delivery of services listed in a statement of work or contract, or is required by law or regulatory requirements, in which case Avalution would require the explicit consent of the client to do so. No client information shall be collected that is not needed for the delivery of services. Any inquiries or complaints regarding this policy should be directed to [email protected].
Collection and Use of Marketing Information by Avalution
In addition to client information collected as part of the delivery of services and solutions, Avalution may also collect marketing data from both clients and prospects for use in sales and marketing. This information is limited to the individual's name, title, company name, address, e-mail address, and phone number. It will be used solely for marketing purposes and will not be directly shared with third parties. This information may be stored in third-party systems used to enable marketing communications; access to it, however, is restricted to Avalution employees.
This information will be collected in accordance with local statutory regulations, and Avalution will be transparent about the nature, purpose, and extent of the processing operations associated with the data. Persons who voluntarily supply their contact information to Avalution may receive future communications. Persons who wish to amend or update their details, or who do not wish to receive further correspondence, may contact Avalution and ask that their details be changed or removed.
Use of Cookies
Avalution uses cookies for the following purposes:
- To facilitate delivery of functionality in our web-based Catalyst software.
- To enhance the user experience during visits to our corporate web site.
These cookies do not proactively monitor user activity and are designed solely to improve the use and functionality of Catalyst and our web site. Some cookies may be "persistent" in order to deliver a more responsive browsing experience. Anonymous, aggregated cookie data may be used for usage analysis, quality control and improvement of the user experience. You will be notified of cookies (and can decline their use) at the start of your first session, and can subsequently modify or disable cookie functionality in your browser preferences.
Retention of Personal Information
Avalution retains the information collected from clients and web site users for as long as the information is relevant to the execution of business contracts or to other business purposes, or until the user requests that we remove the data.
Catalyst Data Retention and Data Destruction Policies
- Backups for US Main disaster recovery use active-passive cloud replication: a primary/replica database cluster writes data in real time to a backup cluster in an alternate AWS zone. Alerts notify us immediately if the replica cluster falls out of sync with the primary cluster.
- Backups for non-US disaster recovery purposes are run hourly by a script on our servers and stored in an encrypted Amazon S3 bucket for up to one year. An alert notifies us if an hour passes without a backup being performed. Upon termination of a Catalyst contract, client data is removed within 24 hours.
- Destruction of unused Amazon hardware is performed by Amazon.
- Backups stored on AWS are retained for one year; after one year, the AWS storage service is configured to delete them automatically.
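The two checks above (alert when an hour passes without a backup, and delete backups after one year) are the kind of thing a practitioner wants to see stated as code so the thresholds are unambiguous. The following is an added example, not Avalution's own tooling: it evaluates a constructed S3 object listing (standing in for an s3:ListObjectsV2 response) for a missed hourly backup and for objects that have outlived the one-year retention period, and builds the lifecycle configuration that would enforce that retention. The bucket name, key prefix, grace period and sample timestamps are assumptions.

```python
# Backup freshness and retention checks for an hourly S3 backup job.
# Added example, not Avalution's code. BUCKET, PREFIX, GRACE and the sample
# listing are constructed assumptions standing in for a real S3 listing.
from datetime import datetime, timedelta, timezone

BUCKET = "example-dr-backups"          # assumed bucket name (never contacted here)
PREFIX = "catalyst/hourly/"            # assumed key layout
BACKUP_INTERVAL = timedelta(hours=1)   # the policy's hourly schedule
GRACE = timedelta(minutes=15)          # assumed tolerance for a slow run
RETENTION = timedelta(days=365)        # the policy's one-year retention
SAMPLE_NOW = datetime(2019, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock


def latest_backup(objects):
    """LastModified of the newest object, or None for an empty listing."""
    if not objects:
        return None
    return max(o["LastModified"] for o in objects)


def backup_is_missed(objects, now, interval=BACKUP_INTERVAL, grace=GRACE):
    """True when no backup has landed within one interval (plus grace) of `now`.
    An empty listing counts as missed: a job that never ran must alert too."""
    newest = latest_backup(objects)
    if newest is None:
        return True
    return now - newest > interval + grace


def overdue_for_expiry(objects, now, retention=RETENTION):
    """Keys older than the retention period. A working lifecycle rule deletes
    these, so any key returned means the rule is missing or not applied and
    data is being kept longer than the policy states."""
    cutoff = now - retention
    return sorted(o["Key"] for o in objects if o["LastModified"] < cutoff)


def lifecycle_rule(prefix=PREFIX, days=365):
    """Lifecycle configuration enforcing the retention period, in the dict
    shape boto3's put_bucket_lifecycle_configuration(Bucket=..., 
    LifecycleConfiguration=...) accepts. Built here, not applied."""
    return {
        "Rules": [
            {
                "ID": "expire-hourly-backups",
                "Status": "Enabled",
                "Filter": {"Prefix": prefix},
                "Expiration": {"Days": days},
                # Also clean up abandoned multipart uploads so partial
                # backup objects do not linger outside the retention rule.
                "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
            }
        ]
    }


def check(objects, now):
    """One report per monitoring run; 'alert' is True when a human must look."""
    missed = backup_is_missed(objects, now)
    stale = overdue_for_expiry(objects, now)
    return {
        "latest": latest_backup(objects),
        "missed_backup": missed,
        "keys_past_retention": stale,
        "alert": missed or bool(stale),
    }


def make_listing(now):
    """Constructed sample listing: backups from the last three hours, one
    364 days old (still within retention) and one 400 days old that the
    lifecycle rule should already have deleted."""
    ages = [timedelta(minutes=40), timedelta(hours=1, minutes=40),
            timedelta(hours=2, minutes=40), timedelta(days=364),
            timedelta(days=400)]
    return [{"Key": f"{PREFIX}{(now - age):%Y%m%dT%H%M}.sql.gz",
             "LastModified": now - age} for age in ages]


if __name__ == "__main__":
    report = check(make_listing(SAMPLE_NOW), SAMPLE_NOW)
    print(report)
    print(lifecycle_rule())
```

Run against a real bucket, the listing would come from a paginated ListObjectsV2 call filtered on the same prefix; the point of the retention check is that a lifecycle rule is silent when it is misconfigured, so the monitor should confirm nothing older than the stated period survives rather than trusting the configuration alone.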
Information Security and Integrity
The security, integrity and confidentiality of non-public information are extremely important to Avalution. Avalution has implemented technical, administrative and physical security measures that are designed to protect such information from unauthorized access, disclosure, use and modification. Access to information is limited to those employees, contractors, consultants, and vendors that need to access the information to perform their duties. All employees are required to sign a non-disclosure agreement to work at Avalution. Consultants, contractors and vendors that perform work on behalf of Avalution are required to enter into a non-disclosure agreement and are expected to adhere to this policy and any others governing the actions of Avalution’s employees.
Avalution’s need to collect, maintain, use, or disseminate personal information about individuals is limited to use in delivering services to clients or marketing/sales services to prospects. Personal information will not be collected that is not needed and agreed to for these purposes. Avalution personnel and third parties that perform work on behalf of Avalution have a responsibility to protect an individual’s privacy when collecting, maintaining, using or disseminating personal information about an individual.
Avalution’s Privacy Program
Privacy Program Roles and Responsibilities
Program Sponsor – Provides sponsorship and oversight to the Privacy Program. The sponsor is a senior-level manager and responsible for reviewing and validating all program activities, strategy options and organizational changes that may affect the privacy program.
Program Coordinator – Provides day-to-day management for the Privacy Program. The coordinator is responsible for approving program activities and strategy options. The coordinator also requests resources to enable successful implementation and maintenance of program activities.
Avalution Employees – Responsible for understanding their role in the Privacy Program and familiarity with this policy and program details.
Agents of Avalution Consulting
Any party acting as an agent of Avalution Consulting will be required to adhere to the same principles and policies set forth in this document.
Privacy Program Activities
Analysis of Information Needs
Privacy Risk Identification and Assessment
Avalution will implement and maintain procedures to identify and assess risks to information security and integrity. Avalution will identify and monitor the locations where sensitive information is stored. The risk identification and assessment will include the identification of sources of risk, the impact of each risk, and potential mitigation strategies. A risk identification and assessment will be conducted on all new projects with the potential to affect privacy.
There are several reasonable and foreseeable internal and external risks to the security and integrity of personal information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of the security and confidentiality of personal and confidential information. These risks may include, but are not limited to:
- Unauthorized access of personal information by individuals not approved for access
- Compromised system security
- Interception of data during transmission
- Loss of data integrity
- Physical loss of data
- Poor audit trails
- Unauthorized access of personal information by employees
- Unauthorized transfer of personal information to third parties or employees not approved for access
- Unauthorized transfer of personal information by third parties
The management and control of privacy risks shall be accomplished by 1) the development of policies, procedures, and standards which address identified privacy risks; 2) the development of training opportunities and informational materials to assist in the implementation of these policies, procedures and standards; and 3) monitoring, auditing and otherwise evaluating business areas for compliance with privacy policies, procedures, and standards.
Implementation of Client Information Security and Integrity Procedures and Controls
Avalution implements and maintains digital and physical security procedures and safeguards to restrict access to sensitive information to only those people that need access to perform their duties. Please be aware that despite Avalution’s best efforts, no security measures are perfect or impenetrable. Any employee, consultant, contractor, or vendor that becomes aware of any breach of information security and integrity will immediately notify the Avalution Managing Consultant or Director for the project. The Avalution Managing Consultant or Director will then take action to mitigate the potential for further breaches and take the necessary steps to notify the client and resolve the situation.
Review of Client Information Security and Integrity Procedures and Controls
Training and Awareness
EU-US Privacy Shield Compliance
Avalution has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-euconsumers/ for more information and to file a complaint. Finally, as a last resort and in limited situations, EU individuals may seek redress from the Privacy Shield Panel, a binding arbitration mechanism.
United States Governing Authority
The United States Federal Trade Commission (FTC) is the enforcement authority with jurisdiction over Avalution's compliance with the Privacy Shield.
GDPR Compliance
While Avalution protects personal information in the same way as all confidential information we store, many of our clients are concerned about compliance with GDPR. Avalution is compliant with GDPR. Below are details of specific compliance measures:
- Avalution maintains a register of the personal information collected and stored in Catalyst, together with a list of the processing activities associated with this data.
- Security controls (described under Information Security and Integrity above) are validated and attested to via an independent SOC 2 compliance audit.
- Avalution has established data processing agreements with the sub-processors of our data.
- Avalution has established data destruction processes to support the 'right to be forgotten'.
- Data Protection Impact Assessments are performed prior to major system changes.
- Avalution has established data retention policies for deleted data.
- Catalyst does not collect or store any information other than the information provided by the client or explicitly stipulated in the business contract.
Data collected at our EU data centers is not transferred outside of the EU. However, if a transfer were necessary (e.g., a company wishing to move its data to the US), it would be governed by the Privacy Shield agreement in place between the United States and the European Union. Avalution is a self-certified Privacy Shield registrant with the US Department of Commerce. If Privacy Shield is invalidated, Avalution will determine additional remedies to regulate data transfers between the EU and US.
EU Data Subject Rights
Avalution recognizes the rights of EU residents when collecting, storing and processing their personal information. In cases where the collection of this information is required in performance of contracted services, the terms of the contract may supersede the individual’s right to privacy. However, in instances where the collection of data is not bound by a contract, the data subject’s rights will be enforced:
- Avalution will be transparent about the purpose, nature and scope of data processing at the time of data collection.
- Avalution will obtain explicit and uncoerced consent from the data subject to collect their information.
- Avalution will not share the data subject's information with third parties without their consent.
- Avalution will maintain records of how the data subject’s information has been used for processing.
- Avalution will, upon verified request from the data subject, make available to them all of their personal information that has been collected and stored.
- Avalution will, upon verified request from the data subject, correct any data that is inaccurate.
- Avalution will, upon verified request from the data subject, delete all of their personal information that has been collected and stored.
- Avalution will, upon verified request from the data subject, restrict the extent to which their data is processed.
EU data subjects concerned about their rights under GDPR may contact Avalution for additional information.