CareerSpots Security Policy

Effective Date – September 1, 2020

Purpose

This Security Policy forms part of the End User License Agreement (“Agreement”) between the Customer and CareerSpots to reflect our agreement regarding Security and the Processing of Customer Data, including Personal Data, in accordance with the requirements of Data Protection Laws and Regulations, to the extent CareerSpots, in providing Products and/or Services set forth in the Agreement, processes Customer Data or Personal Data on behalf of Customer. References to the Agreement will be construed as including this Security Policy. Any capitalized terms not defined herein shall have the respective meanings given to them in the
Agreement.

Definitions

“Administrative Data” means data, related to Customer, employees or representatives of Customer, that is collected and used by CareerSpots in order to administer or manage CareerSpots’ delivery of the Products and/or Services, or the Customer’s account, for CareerSpots’ own business purposes. Administrative Data may include Personal Data and information about the contractual commitments between CareerSpots and Customer, whether collected at the time of the initial registration or thereafter in connection with the delivery, management or administration of Products and/or Services.

“Agreement” means a CareerSpots End User License Agreement, Services Agreement or similar agreement or Addendum related to the purchase of Products and/or Services.

“Affiliate” means, with respect to any entity, any other entity Controlling, Controlled by or under
common Control with such entity, for only so long as such Control exists.

“CareerSpots” means CareerSpots LLC, a Pennsylvania limited liability corporation based in Newtown Square, PA.

“CareerSpots Content” means any course, lesson, video, audio, website, visual information, documents, software, products and services, including the Career Ready Guide©, the Job Search Guide©, and/or the CareerSpots videos contained or made available to you in using the Service.

“Control” means the direct or indirect ownership of more than 50% of the voting capital or similar right of ownership of an entity, or the legal power to direct or cause the direction of the general management and policies of that entity, whether through the ownership of voting capital, by contract or otherwise. Control and Controlling shall be construed accordingly.

“Customer Data/User Data” means all data (including but not limited to text, audio, video or image files) that is provided to CareerSpots and/or Digitalchalk by or on behalf of Customer in connection with Customer’s use of our Products and/or Services, or data developed by CareerSpots and/or DigitalChalk at the request of or on behalf of Customer pursuant to a statement of work, contract or other relevant agreement. Customer Data includes log, configuration or uploaded files, or reporting information, taken from a Product or Service and provided to CareerSpots and/or DigitalChalk to help us troubleshoot an issue in connection with a support request. Customer Data does not include Administrative Data, Support Data, Financial Data or Telemetry Data, as defined herein.

“Data Processor” means the entity which Processes Personal Data on behalf of the Customer. For purposes of this Security Policy, Infinity Learning Solutions (DBA DigitalChalk), including its Affiliates, is the Data Processor.

“Data Protection Laws and Regulations” means all mandatory laws and regulations, including laws and regulations of the United States and individual state specific legislation, applicable to the Processing of Personal Data under the Agreement.

“Data Subject” means the individual to whom Personal Data relates.

“DigitalChalk” means collectively the DigitalChalk online learning delivery software system and brand developed and owned by ILS, together with all component parts of and Intellectual Property Rights associated with the DigitalChalk system.

“Financial Data” means information that Customer provides to CareerSpots and/or DigitalChalk in connection with making a purchase or entering into a license agreement for Products and/or Services, and primarily includes a credit card number and security code.

“ILS” means Infinity Learning Solutions, Inc., a Delaware corporation having its principal place of business at 2 Town Square Boulevard, Suite 242, Asheville, North Carolina 28803, USA.

“Personal Data” means data about a living individual transmitted to CareerSpots and/or DigitalChalk as part of the registration and payment process from which that person is identified or identifiable, as defined in the Privacy Policy, directive, or any replacement legislation.

“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

“Products” means the CareerSpots Content, software platform or SaaS products licensed or provided to Customer under the Agreement.

“Services” means the DigitalChalk online learning delivery software system, provided by CareerSpots to Customer under the Agreement.

“Sub-Processor” means any non-DigitalChalk or DigitalChalk Affiliate Data Processor, engaged
by DigitalChalk.

“Support Data” means information that CareerSpots and/or DigitalChalk collects when Customer submits a request for support services or other troubleshooting, including information about hardware, software and other details related to the support incident, such as authentication information, information about the condition of the product, system and registry data about software installations and hardware configurations, and error-tracking files.

“Telemetry Data” means information generated by instrumentation and logging systems created through the use and operation of the Products and/or Services.

Processing Of Personal Data

CareerSpots will process and use Customer Data and Personal Data on your behalf and only in accordance with your instructions (including via email) and to the extent required by law. Customer hereby acknowledges that by virtue of using the Products and/or Services it gives CareerSpots instructions to process and use Customer Data and Personal Data in order to provide the Products and/or Services in accordance with the Agreement. Customer takes full responsibility to keep the amount of Customer Data and Personal Data provided to CareerSpots to the minimum necessary for the performance of the Products and/or Services. Customer shall, in its use of the Products and/or Services, comply with Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data must comply with Data Protection Laws and Regulations. In addition, Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data, including providing any required notices to, and obtaining any necessary consent from, its customers, employees, agents or third parties to whom it extends the benefits of the Products and/or Services.

Rights Of Data Subjects

For applicable Products or Services, the Customer will have the ability to request the deletion of Customer Data and Personal Data of an individual Data Subject contained in the Customer Data. Following such deletion request by Customer, CareerSpots will delete such data from its systems as soon as reasonably practicable.

CareerSpots shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment or deletion of such Data Subject’s Personal Data. CareerSpots shall not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to Customer.

In the event CareerSpots receives any official complaint, notice, or communication that relates to CareerSpots processing of Personal Data or either party’s compliance with Applicable Laws in connection with Personal Data, to the extent legally permitted, CareerSpots shall promptly notify Customer and, to the extent applicable, CareerSpots shall provide Customer with commercially reasonable cooperation and assistance in relation to any such complaint, notice, or communication. Customer shall be responsible for any reasonable costs arising from CareerSpots’s provision of such assistance.

Data Processing Personnel

CareerSpots shall ensure that personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. CareerSpots shall ensure that such confidentiality obligations survive the termination of the personnel engagement. CareerSpots shall ensure that access to Personal Data is limited to those personnel who require such access to perform the Agreement.

Sub-Processors

Customer hereby acknowledges that by virtue of using the Products and/or Services that (a) CareerSpots is entitled to retain DigitalChalk to conduct its data processing (b) DigitalChalk is entitled to retain its affiliates as Sub-processors, and (c) DigitalChalk or any such affiliate may engage any third parties from time to time to process Customer Data in connection with making the Products and/or the provision of Services. CareerSpots will only disclose Personal Data to Sub-processors that are parties to written agreements with CareerSpots including obligations no less protective that the obligations of this Security Policy.

Security

DigitalChalk, under it’s agreements with CareerSpots, has implemented and shall maintain appropriate technical and organizational measures to protect Customer Data against accidental loss, destruction or alteration, unauthorized disclosure or access, or unlawful destruction, including the policies, and procedures and internal controls set forth in this Security Policy for its personnel, equipment, and facilities at the Processor locations providing the services to CareerSpots and/or Customers (“Services”).

Technical and Organizational Security Measures

1. Organization of Information Security
a. Security Ownership – Data Processor has appointed one or more security officers (Privacy Policy Administrators) responsible for coordinating and monitoring the security rules and procedures.
b. Security Roles and Responsibilities – Data Processor’s personnel with access to Customer Data are subject to confidentiality obligations.
2. Human Resources Security
a. General – Data Processor informs its personnel about relevant security procedures and their respective roles. Data Processor also informs its personnel of possible consequences of breaching its security policies and procedures. Employees who violate Data Processor’s security policies may be subject to disciplinary action, up to and including termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of his or her contract or assignment with Data Processor.
b. Training – Data Processor personnel with access to Customer Data receive:
i. annual security education and training regarding privacy and security procedures for the Services to aid in the prevention of unauthorized use (or inadvertent disclosure) of Customer Data;
ii. training regarding effectively responding to security events; and
iii. training is regularly reinforced through refresher training courses, emails, and other training materials.
c. Background Checks – Data Processor personnel are subject to criminal background checks.
3. Asset Management
a. Asset Inventory – Assets associated with information and information-processing facilities are identified and an inventory of assets is maintained.
b. Information Classification – Data Processor classifies Customer Data to help identify it and to allow for access to it to be appropriately restricted.
c. Media Handling by Data Processor personnel:
i. Use trusted devices that are provided by Data Processor to it’s employees
ii. Avoid accepting or storing Customer Data on a non-trusted device (meaning one that was not supplied by DigitalChalk). This includes smartphones, tablets, USB drives and CDs.
iii. Encrypt Customer Data stored on a mobile device, including laptops, smartphones, tablets, USB drives and CDs; and
iv. Take measures to prevent accidental exposure of customer data, including using privacy filters on laptops when in areas where over-the-shoulder viewing of Customer Data is possible.
4. Personnel Access Controls
a. Access Policy – An access control policy is established, documented, and reviewed based on business and information security requirements.
b. Access Recordkeeping – Data Processor maintains a record of security privileges of its personnel that have access to Customer Data, networks and network services.
c. Access Authorization.
i. Data Processor has user account creation and deletion procedures, with appropriate approvals, for granting and revoking access to DigitalChalk’s and Customers’ systems and networks at regular intervals based on the principle of “least privilege” and need-to-know criteria based on job role.
ii. Data Processor maintains and updates a record of personnel authorized to access systems that contain Customer Data.
iii. For systems that process Customer Data, Data Processor revalidates access of users who change reporting structure and deactivates authentication credentials that have not been used for a period of time not to exceed six months.
iv. Data Processor identifies those personnel who may grant, alter or cancel authorized access to data, systems and networks.
v. Data Processor ensures that, each personnel having access to its systems have a single unique identifier/log-in.
vi. Data Processor maintains strict policies against any shared “generic” user identification access.
d. Network Design – For systems that process Customer Data, Data Processor has controls to avoid personnel assuming access rights they have not been assigned to gain unauthorized access to Customer Data.
e. Least Privilege – Data Processor limits access to Customer Data to its personnel performing the Services and, to the extent technical support is needed, its personnel performing such technical support.
f. Integrity and Confidentiality
i. Data Processor instructs its personnel to automatically lock screens and/or disable administrative sessions when leaving premises that are controlled by Data Processor or when computers are otherwise left unattended.
ii. Data Processor computers and trusted devices automatically lock after fifteen (15) minutes of inactivity.
iii. Data Processor stores passwords in a secured and restricted way that makes them unintelligible while they are in force.
g. Authentication
i. Data Processor uses industry standard practices to identify and authenticate users who attempt to access information systems. Where authentication mechanisms are based on passwords, Data Processor
requires that passwords be renewed regularly, no less often than every 90 days.
ii. Where authentication mechanisms are based on passwords, Data Processor requires the password to be at least eight (8) characters long and conform to very strong password control parameters including length, character complexity, and non-repeatability.
iii. Data Processor ensures that de-activated or expired identifiers are not granted to other individuals.
iv. Data Processor monitors repeated attempts to gain access to the information system using an invalid password.
v. Data Processor maintains industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed.
vi. Data Processor limits access to file stores and/or systems in which passwords are stored.
5. Cryptography
a. Cryptographic controls policy
i. Data Processor has a policy on the use of cryptographic controls based on assessed risks
ii. Data Processor assesses and manages the lifecycle of cryptographic algorithms, hashing algorithms, etc. and deprecates and disallows usage of weak cypher suites, and mathematically insufficient block lengths and bit lengths.
iii. Data Processor’s cryptographic controls/policy addresses appropriate algorithm selections, key management and other core features of cryptographic implementations.
b. Key management – Data Processor has procedures for distributing, storing, archiving and changing/updating keys; recovering, revoking/destroying and dealing with compromised keys; and logging all transactions associated with keys.
6. Physical and Environmental Security
a. Physical Access to Facilities
i. Data Processor limits access to facilities where systems that process Customer Data are located to authorized individuals.
ii. Access is controlled through appropriate sign-in procedures for facilities with systems processing Customer Data.
iii. Physical Access to Equipment – Data Processor equipment that is located off premises is protected using industry standard process to limit access to authorized individuals.
b. Clear Desk – Data Processor has policies requiring a “clean desk/clear screen” at the end of the workday.
7. Operations Security
a. Operational Policy – Data Processor maintains policies describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Customer Data and to its systems and networks.
b. Workstations – Data Processor uses the following controls on its workstations that process Customer Data:
i. anti-malware software and firewalls,
ii. password and screensaver controls with automatic lock of workstation upon idleness,
iii. periodic scans to query the hardware and the presence of software, patches, corporate applications, and security components; and
iv. full disk encryption on laptop devices.
c. Mobile Devices – Mobile phones and tablets are protected via a mandatory PIN, restrictions on the amount of email that can be stored on the device, and a remote wipe capability.
d. Data Recovery – Data Processor maintains multiple copies of Customer Data from which Customer Data can be recovered. Data Processor stores copies of Customer Data and data recovery procedures in a different place from where the primary equipment processing the Customer Data is located. Data Processor has specific procedures in place governing access to these copies of Customer Data.
e. Logging and Monitoring – Data Processor maintains logs of and monitors access to administrator and operator activity and data recovery events.
8. Communications Security and Data Transfer
a. Networks – Data Processor uses the following controls to secure its networks that access Customer servers which store Customer Data:
i. Network traffic passes through firewalls. Data Processor has implemented intrusion prevention systems that allow traffic flowing through the firewalls to be logged and protected 24×7.
ii. Network, application and server authentication passwords are required to meet minimum complexity guidelines (at least 8 characters with both numerical and alphabetical characters) and be changed at least every 90 days.
iii. Initial user passwords are required to be changed during the first logon. Data Processor policy prohibits the sharing of user IDs and passwords.
9. System Acquisition, Development and Maintenance
a. Security Requirements – Data Processor has adopted security requirements for the purchase or development of information systems, including for application services delivered through public networks.
b. Development Requirements – Data Processor has policies for secure development, system engineering and support. Data Processor conducts appropriate tests for system security as part of acceptance testing processes.
10. Supplier Relationships
a. Policies – Data Processor has information security policies or procedures for its use of suppliers. Data Processor has agreements with suppliers in which they agree to comply with Data Processor’s security requirements.
b. Management – Data Processor performs periodic audits on key suppliers and manages service delivery by its suppliers and reviews security against the agreements with suppliers.
11. Information Security Incident Management
a. Response Process – Data Processor maintains a record of information security breaches with a description of the breach, the consequences of the breach, the name of the reporter and to whom the breach was reported, and the procedure for recovering data.
12. Information Security Aspects of Business Continuity Management
a. Planning – Data Processor maintains emergency and contingency plans for the facilities in which Data Processor information systems that process Customer Data are located.
b. Data Recovery – Data Processor’s redundant storage and its procedures for recovering data are designed to attempt to reconstruct Customer Data in its original state from before the time it was lost or destroyed.

Security Breach Management And Notification

DigitalChalk maintains security incident management policies and procedures, including detailed security incident escalation procedures. CareerSpots shall give notice to Customer when Customer Data was, or it is reasonably believed to have been, inappropriately accessed as a result of a security breach. Said notice shall be made immediately upon confirmed discovery of the breach and the time necessary such as to allow CareerSpots to determine the scope of the breach, to identify organizations and individuals affected by the breach, and to restore reasonable integrity of the data system that was breached. Notification will provide Customer with relevant information about the Security Incident, including, to the extent then known, the type of Customer Data involved, the volume of Customer Data disclosed, the circumstances of the incident, mitigation steps taken, and remedial and preventative action taken. If a federal, state, or local law enforcement agency determines that notice to Customer required under this Security Policy would interfere with a criminal investigation, the notice shall be delayed upon the written request of the law enforcement agency for a specified period that the law enforcement agency determines is reasonably necessary. A law enforcement agency may, by a subsequent written request, revoke such delay as of a specified date or extend the period set forth in the original request made under this paragraph to a specified date if further delay is necessary. Notice to the Customer is not required if, after an appropriate investigation and consultation with relevant federal, state, or local law enforcement that it is reasonable to believe no user Customer Data was accessed by unauthorized individuals.

Additional Terms For Transfer Of Personal Data

For the purposes of this Security Policy, the Customer hereby instructs CareerSpots to process Personal Data: (a) in accordance with the Agreement; (b) at the request of Customer, including requests made in connection with Support Services; and (c) as initiated by Data Subjects in their use of Customer’s networks.

Customer hereby acknowledges that by virtue of using the Products and/or Services DigitalChalk will be retained as data processor for CareerSpots, and DigitalChalk and DigitalChalk’s affiliates respectively may engage third-party Sub-processors in the course of providing the data processing services.