SafetyIQ Application Privacy Policy

Privacy Policy – J.E.S.I Management Solutions Pty Ltd trading as SafetyIQ

Last updated: 6 April 2023

J.E.S.I Management Solutions Pty Ltd (ACN 159 033 179) (SafetyIQ, we, us and our) respects your privacy and is committed to protecting it.

We comply with the Australian Privacy Principles and the Privacy Act 1988 (Cth) (Privacy Act), which govern the way private sector organisations collect, use, keep secure and disclose Personal Information or Personal Data.

The Privacy Act defines “Personal Information” to mean any information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent or can be reasonably ascertained, from the information or an opinion.

If you are a resident of the European Union or the United Kingdom, we are required to comply with the GDPR (as defined in Section 11) in relation to your Personal Data (as defined in Section 11).

If you have any concerns or complaints about the manner in which your Personal Information or Personal Data has been collected, used or disclosed by us, please contact us via the information set out in Section 10 and we will resolve your concern or answer your question.

We recommend that you keep this information for future reference.

  1. The kinds of Personal Information or Personal Data collected, used and disclosed by SafetyIQ

We will only use or disclose your Personal Information or Personal Data for the primary purposes for which it was collected or as consented to by you.  At or around the time we collect Personal Information or Personal Data from you, we will endeavour to provide you with a notice which details how we will use and disclose that specific information.  We set out some common collection, use and disclosure instances in the table below.

Privacy Collection Statement - New & Existing Users

  2. How SafetyIQ collects and holds Personal Information or Personal Data
    • Collection generally

As much as possible or unless provided otherwise in this Privacy Policy or a notification, we will collect your Personal Information or Personal Data directly from you.  When you engage in certain activities, such as filling out a survey or sending us feedback, we may ask you to provide certain information.  It is completely optional for you to engage in these activities. Depending upon the reason for requiring the information, some of the information we ask you to provide may be identified as mandatory or voluntary.  If you do not provide the mandatory information or any other information we require in order for us to provide our products or services to you, we may be unable to provide our products or services to you in an effective manner, or at all.

  • Collection of payment card information

SafetyIQ does not collect your payment card information, where you make a payment card payment within SafetyIQ’s software application for our products and services. Such Personal Information or Personal Data is collected and used by third party payment services, namely, Stripe. You can find more information about how your Personal Information or Personal Data is collected and used in Stripe’s Privacy Policy (https://stripe.com/au/privacy).

  • Collection of location information

The SafetyIQ App collects background location information to keep employees safe when using location safety features and alerts. SafetyIQ collects this personal information for the purpose of employee safety. SafetyIQ will only collect your location information with your express and informed consent. Use of certain core safety functions of SafetyIQ which require location information shall only be available when location and tracking services are enabled.

We do not use your location information to provide our products and services to you without your express consent. If at any time you do not wish for your location information to be accessed, collected or used, you may do this by disabling the location tracking services on your device in respect of SafetyIQ’s software application or by contacting us via the details set out in Section 10 below.

  • Other collection types

We may also collect Personal Information or Personal Data about you from other sources and third parties. Some examples of these alternative collection events are:

  • when we collect Personal Information or Personal Data about you from your employer;
  • when we collect Personal Information or Personal Data about you from third parties; or
  • when we collect Personal Information or Personal Data about you from publicly available sources including but not limited to, court judgments, directorship and bankruptcy searches, Australia Post, White Pages directory, and social media platforms (such as Facebook, Twitter, Google, Instagram etc).

  • Notification of collection

If we collect details about you from someone else, we will, whenever reasonably possible, make you aware that we have done this and why, unless special circumstances apply, including as described in this paragraph 2.5(a) to 2.5(c) below. Generally speaking, we will not tell you when we collect Personal Information or Personal Data about you in the following circumstances:

  • where information is collected from any personal referee you have listed on any application form (including any employment application) with SafetyIQ;
  • where information is collected from publicly available sources including but not limited to court judgments, directorship and bankruptcy searches, social media platforms (such as Facebook, Twitter, Google, Instagram etc); or
  • as otherwise required or authorised by law.

  • Unsolicited Personal Information or Personal Data

In the event we collect Personal Information or Personal Data from you, or a third party, in circumstances where we have not requested or solicited that information (known as unsolicited information), and it is determined by SafetyIQ (in its absolute discretion) that the Personal Information or Personal Data is not required, we will destroy the information or ensure that the information is de-identified.

  • How we hold your Personal Information or Personal Data

Once we collect your Personal Information or Personal Data, we will either hold it securely and store it on infrastructure owned or controlled by us or with a third party service provider that has taken reasonable steps to ensure it complies with the Privacy Act. We provide some more general information on our security measures in Section 8 (Data security and quality).

  • IP addresses

We may gather your IP address as part of our business activities and to assist with any operational difficulties or support issues with our services.  This information does not identify you personally. However, in some cases, we may aggregate certain information with other Personal Information or Personal Data we collect and hold about you.  SafetyIQ extends the same privacy protection to your Personal Information or Personal Data when gathered from other sources, as detailed in this Privacy Policy.

  3. Uses and disclosures of Personal Information or Personal Data
  • Use and disclosure details

We provide a detailed list at Section 1 of some common uses and disclosures we make regarding the Personal Information or Personal Data we collect.

  • Other uses and disclosures

We may also use or disclose your Personal Information or Personal Data (excluding location information) and in doing so we are not required to seek your additional consent:

  • when it is disclosed or used for a purpose related to the primary purposes of collection detailed above and you would reasonably expect your Personal Information or Personal Data to be used or disclosed for such a purpose;
  • if we reasonably believe that the use or disclosure is necessary to lessen or prevent a serious or imminent threat to an individual’s life, health or safety or to lessen or prevent a threat to public health or safety;
  • if we have reason to suspect that unlawful activity has been, or is being, engaged in; or
  • if it is required or authorised by law.

  • Use and disclosure procedures

In the event we propose to use or disclose such Personal Information or Personal Data other than for reasons set out in the above table at Section 1 or as otherwise outlined in this Privacy Policy, we will first notify you or seek your consent prior to such disclosure or use. Your Personal Information or Personal Data is disclosed to these organisations or parties only in relation to the products or services we provide to you or for a purpose permitted by this Privacy Policy. We take such steps as are reasonable to ensure that these organisations or parties are aware of the provisions of this Privacy Policy in relation to your Personal Information or Personal Data.

  • Communications opt-out

If you have received communications from us and you no longer wish to receive those sorts of communications, you should contact us via the details set out at Section 10 of this policy and we will ensure the relevant communication ceases.  Any other use or disclosure we make of your Personal Information or Personal Data will only be as required or authorised by law or as permitted by this Privacy Policy or otherwise with your consent.

  4. Sensitive information
  • Sensitive information generally

Sensitive information is a subset of Personal Information or Personal Data.  It means information or opinion about an individual’s racial or ethnic origin, political opinions, membership of a political organisation, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual orientation or practices, criminal record, health information about an individual, genetic information, biometric information that is to be used for the purpose of automated biometric verification or biometric identification or biometric templates.

  • Collection and use of sensitive information

In general, we attempt to limit the collection of sensitive information we may collect from you, but depending on the uses you make of our products this may not always be possible and we may collect sensitive information from you in order to carry out the services provided to you.  However, we do not collect sensitive information from you without your consent. The type of sensitive information we may collect about you is dependent on the services provided to you by SafetyIQ and will be limited to the purpose(s) for which it is collected.

  • Consent

Where we anticipate collection and use of sensitive information, we will obtain your express consent from you at (or around) the point in time in which we collect the information.

  5. Credit Information and our Credit Reporting Policy
  • Credit information generally

The Privacy Act 1988 (Cth) contains provisions regarding the use and disclosure of credit information, which applies in relation to the provision of both consumer credit and commercial credit.

  • Credit information and SafetyIQ

As we provide terms of payment of accounts which are greater than 7 days, we are considered a credit provider under the Privacy Act in relation to any credit we may provide you (in relation to the payment of your account with us). We use credit related information for the purposes set out in the “Credit information” section of the table at Section 1 above and our Credit Reporting Policy which includes but is not limited to using the information for our internal processing of payments made using credit facilities.

  • Storage and access

We will store any credit information you provide us, or which we obtain about you, with any other Personal Information or Personal Data we may hold about you. You may request to access or correct your credit information in accordance with the provisions of Section 9 and the provisions of our Credit Reporting Policy.

  • Complaints

Please see Section 10 and the provisions of our Credit Reporting Policy if you wish to make a complaint in relation to our handling of your credit information.

  • Our Credit Reporting Policy

Please see our Credit Reporting Policy for further information as to the manner in which we collect, use, store and disclose credit information.

  6. Anonymity and pseudo-anonymity

To the extent practicable and reasonable, we will endeavour to provide you with the option of dealing with SafetyIQ on an anonymous basis or through the use of a pseudonym.  However, there may be circumstances in which it is no longer practicable for SafetyIQ to correspond with you in this manner and your Personal Information or Personal Data may be required in order to provide you with our products and services or to resolve any issue you may have.

  7. Cross Border Disclosure
  • Cross border disclosures

Any Personal Information or Personal Data collected and held by SafetyIQ may be disclosed to, and held at, a destination outside Australia, including but not limited to the United States of America where we utilise third party service providers to assist SafetyIQ with providing our goods and services to you.  Personal Information or Personal Data may also be processed by staff or by other third parties operating outside Australia who work for us or for one of our suppliers, agents, partners or related companies. As we use service providers and platforms which can be accessed from various countries via an Internet connection, it is not always practicable to know where your information may be held.  If your information is stored in this way, disclosures may occur in countries other than those listed above. In addition, we may utilise overseas IT services (including software, platforms and infrastructure), such as data storage facilities or other IT infrastructure. In such cases, we may own or control such overseas infrastructure or we may have entered into contractual arrangements with third party service providers to assist SafetyIQ with providing our products and services to you.

  • Provision of informed consent

By submitting your Personal Information or Personal Data to SafetyIQ, you expressly agree and consent to the disclosure, transfer, storage or processing of your Personal Information or Personal Data outside of Australia.  In providing this consent, you understand and acknowledge that countries outside Australia do not always have the same privacy protection obligations as Australia in relation to Personal Information or Personal Data.  However, we will take steps to ensure that your information is used by third parties securely and in accordance with the terms of this Privacy Policy. The Privacy Act requires us to take such steps as are reasonable in the circumstances to ensure that any recipients of your Personal Information or Personal Data outside of Australia do not breach the privacy principles contained within the Privacy Act.  By providing your consent, under the Privacy Act, we are not required to take such steps as may be reasonable in the circumstances.  However, despite this, we acknowledge the importance of protecting Personal Information or Personal Data and have taken reasonable steps to ensure that your information is used by third parties securely and in accordance with the terms of this Privacy Policy.

  • If you do not consent

If you do not agree to the disclosure of your Personal Information or Personal Data outside Australia by SafetyIQ, you should (after being informed of the cross border disclosure) tell SafetyIQ that you do not consent. To do this, either elect not to submit the Personal Information or Personal Data to SafetyIQ after being reasonably informed in a collection notification or please contact us via the details set out at the top of this document.

  8. Data security and quality
  • SafetyIQ’s security generally

We have taken steps to help secure and protect your Personal Information or Personal Data from unauthorised access, use, disclosure, alteration, or destruction.  You will appreciate, however, that we cannot guarantee the security of all transmissions or Personal Information or Personal Data, especially where human error is involved or malicious activity by a third party. Notwithstanding the above, we will take reasonable steps to:

  • make sure that the Personal Information or Personal Data we collect, use or disclose is accurate, complete and up to date;
  • protect your Personal Information or Personal Data from misuse, loss, unauthorised access, modification or disclosure both physically and through computer security methods, including by encrypting all Personal Information or Personal Data stored and processed by SafetyIQ; and
  • destroy or permanently de-identify Personal Information or Personal Data if it is no longer needed for its purpose of collection.

For more information, please see our Data Security Statement which details our data handling practices.

  • Accuracy

The accuracy of Personal Information or Personal Data depends largely on the information you provide to us, so we recommend that you:

  • let us know if there are any errors in your Personal Information or Personal Data; and
  • keep us up-to-date with changes to your Personal Information or Personal Data (such as your name or address).

We provide information about how you can access and correct your information in Section 9.

  9. Access to and correction of your Personal Information or Personal Data

You are entitled to have access to any Personal Information or Personal Data relating to you which we hold, except in some exceptional circumstances provided by law (including the Privacy Act).  You are also entitled to edit and correct such information if the information is inaccurate, out of date, incomplete, irrelevant or misleading. If you would like to access or correct any records of Personal Information or Personal Data we have about you, you are able to access and update that information (subject to the above) by contacting us via the details set out in Section 10 of this document.

  10. Resolving Privacy Complaints
  • Complaints generally

We have put in place an effective mechanism and procedure to resolve privacy complaints.  We will ensure that all complaints are dealt with in a reasonably appropriate timeframe so that any decision (if any decision is required to be made) is made expeditiously and in a manner that does not compromise the integrity or quality of any such decision.

  • Contacting SafetyIQ regarding complaints

If you have any concerns or complaints about the manner in which we have collected, used or disclosed and stored your Personal Information or Personal Data, please contact us:

    • Telephone: 1800 491 746
    • Email: corporateservices@safetyiq.com.au
    • Address: Level 10, 15 Green Square Close Fortitude Valley Qld 4006

  • Steps we take to resolve a complaint

In order to resolve a complaint, we:

  • will liaise with you to identify and define the nature and cause of the complaint;
  • may request that you provide the details of the complaint in writing;
  • will keep you informed of the likely time within which we will respond to your complaint; and
  • will inform you of the legislative basis (if any) of our decision in resolving such complaint.

  • Register of complaints

We will keep a record of the complaint and any action taken in a Register of Complaints.

  11. GDPR
  • Definitions

In providing our products and services, or collecting and using your Personal Data, we are required to comply with the GDPR where you are a European Union resident or a United Kingdom resident. The following defined terms have the associated meanings:

  • “Data Subject” has the meaning attributed to that term in the GDPR.
  • “GDPR”, when used in the context of European Union residents, means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC and when used in the context of United Kingdom residents, means the UK General Data Protection Regulation as implemented by the Data Protection Act 2018; and
  • “Personal Data” means the Personal Data (having the meaning attributed to that term in the GDPR) of the Data Subjects whose data is processed for the purposes of the provision of our retail services.

  • GDPR Obligations

If you are a resident of the European Union or the United Kingdom for the purposes of the GDPR, then in addition to what is set out in Sections 1 - 10 above, the following applies to you. Under the GDPR, SafetyIQ is considered a “data controller” in the provision of its services to you, and as such determines the purposes and means for processing of personal data. In addition to your rights of access and correction as set out above, as a Data Subject you may:

  • (access) request access to your Personal Data held by SafetyIQ;
  • (rectification) request to update or rectify any of the Personal Data that we hold about you by contacting us at the details specified above and request Personal Data updates;
  • (erasure) withdraw your consent to SafetyIQ’s use of your Personal Data as described in this policy by deletion or erasure of your Personal Data that we hold where that data is no longer required for the purpose for which it was collected;
  • (restriction on processing) obtain from SafetyIQ a restriction on processing of your Personal Data where:
    • accuracy of the Personal Data is contested;
    • the processing by the processor is unlawful (and you oppose erasure but request restriction of use);
    • SafetyIQ no longer needs your Personal Data; or
    • you have objected to processing pursuant to your right to object under Article 21(1) of the GDPR;
  • (data portability) request that SafetyIQ:
    • provides you with a copy of the Personal Data that SafetyIQ holds about you in a portable and machine readable form; or
    • share your Personal Data with a nominated third party.

  • Exercising Data Subject rights

If you wish to exercise any of your Data Subject rights, then please send your request in writing to the details above in Section 10. We will process your request promptly and in any event, within one month of receiving it.

  • Complaints

If you have any concerns in relation to SafetyIQ’s collection or processing of your Personal Data, then you also have a right to complain to a supervisory authority (within the meaning of the GDPR).

  12. Consent, modifications and updates
  • Interaction of this Policy with contracts

This Privacy Policy is a compliance document prescribed by law rather than a legal contract between two or more persons. However, certain contracts may incorporate all, or part, of this Privacy Policy into the terms of that contract. In such instances, SafetyIQ may incorporate the terms of this policy such that:

  • certain sections or paragraphs in this policy are incorporated into that contract, but in such a way that they do not give rise to contractual obligations onto SafetyIQ, but do create contractual obligations on the other party to the contract; and
  • the consents provided in this policy become contractual terms provided by the other party to the contract.

  • Acknowledgement

By using our software application, purchasing a product or service from SafetyIQ, where you have been provided with a copy of our Privacy Policy or had a copy of our Privacy Policy reasonably available to you, you are acknowledging and agreeing:

  • to provide the consents given by you in this Privacy Policy; and
  • that you have been informed of all of the matters in this Privacy Policy.

  • Modifications and updates

We reserve the right to modify our Privacy Policy as our business needs require. We will take reasonable steps to notify you of such changes (whether by direct communication or by posting a notice on our website).  If you do not agree to our continued use of your Personal Information or Personal Data due to the changes in our Privacy Policy, please cease providing us with your Personal Information or Personal Data and contact us via the details set out in Section 10 of this document.

SafetyIQ Data Security Statement

1. OUR COMPANY AND PRODUCT

J.E.S.I. Management Solutions Pty Ltd takes data security and privacy very seriously. Our SafetyIQ users are located all over the world, and we want to give them confidence that the practices and policies we have implemented are aligned to global best practice and to continuous improvement, management and monitoring.

SafetyIQ is a Software Solution for companies to effectively monitor remote and isolated workers, creating a Safer connected network irrespective of where a worker may be located. Using SMS or Online check in, users can confirm their Safe arrival. If a SafetyIQ User does not confirm their safe arrival, SafetyIQ automates an Emergency Alert to predetermined contacts.

SafetyIQ is a cloud-based software solution that is accessible across the globe via any device that can connect to the Internet.  The user does require data connectivity to view data, create, edit or delete a journey and generate an incident alert, however the user does NOT require data connectivity to generate an automated escalation alert.  The User does require either data or mobile connectivity to confirm a safe check-in.

SafetyIQ was launched as a commercialized entity in March 2014 and has achieved significant growth across the globe and is recognized as industry best practice for managing a workforce who operate in remote and isolated environments.  SafetyIQ aspires to being the number one Risk Management Solution for remote and isolated workers in the world. As such, our commitment to safeguarding our client and user’s data is critical and one that the company takes seriously.

2. ISO 27001 ACCREDITATION & ANNUAL PENETRATION TESTING

As of the 20th October 2021, SafetyIQ Management Solutions Pty Ltd is ISO 27001 Accredited.  This means that the company has data security processes that align with global best-practice for information security management and demonstrates a robust and practical framework focused on the preservation of confidentiality and integrity.

In addition, SafetyIQ Management Solutions Pty Ltd engages 3rd Party Penetration Services on an annual basis.  These services identify vulnerabilities within the application and provide defensive capabilities to protect against malicious software attacks.

3. SECURITY CONTROLS

3.1 DATA CENTER SECURITY

SafetyIQ outsources hosting of its product infrastructure to the world’s most recognised data-center provider, Microsoft Azure. Microsoft Azure has the capability to host data in multiple locations across the globe, however we have selected Australia (Sydney) as the primary location for SafetyIQ to be hosted. Australia has a strict regulatory security and privacy framework that is considered to be one of the best in the world (AUS Privacy Principles).  Microsoft Azure maintains an audited security program, including SOC-2 and ISO 27001 compliance (Microsoft Azure Compliance Programs). Microsoft Azure Cloud provides built in controls, auditing and managing identity, configuration and usage that support our ability to remain compliant with governance and regulatory requirements.  Their extensive infrastructure guarantees system uptime of 99.95 to 100% and includes power, networking or security considerations. Access to Microsoft Azure physical centres is controlled with security guards and highly classified restrictions for Microsoft Azure Employees (Microsoft Azure Data centres and controls).

3.2 NETWORK SECURITY

Security is implemented in Microsoft Azure Virtual Private Cloud (VPC) security groups, which apply address and port protection to limit what is accessible. This allows for greater control of network traffic from public networks. We are continually reviewing and improving network security.

3.3 CONFIGURATION MANAGEMENT

The tech tools used to manage the system configurations enable an automated and consistent methodology that safely and predictably creates, changes, and improves infrastructure.  It facilitates an automated and systematic approach to storing version controls, reducing errors, duplication and replication, and significantly improves efficiencies.

Principles used are aligned to The Twelve-Factor App of storing configuration with the application.

3.4 ALERTING & MONITORING

SafetyIQ has fully automated build procedures that include automated monitoring, alerting and response technologies to continuously alert the SafetyIQ technical team when components of the software are not operating correctly.  These alerts also include unexpected or malicious activities.

Our technical team operates a 24/7 rostering schedule that ensures timely responsiveness to automated alerts when required.  The SafetyIQ system captures and stores logs that incorporate other integrated third party technologies. These logs include authentication attempts, permission changes, infrastructure health, and requests performed, among many other commands and transactions. Logs and events are monitored in real time and events are escalated immediately at any hour of the day to developers, security professionals, and engineers to take appropriate action.

At the user front end, all system interaction, page views, and other access to the SafetyIQ Software is also logged.  All changes to the codebase require a testing and review process before being deployed.

3.5 ACCESS TO SafetyIQ INFRASTRUCTURE

Access to the SafetyIQ Infrastructure is tightly controlled by the Development Team through Azure Identity and Access Management policies & access keys. All access is tracked, logged, and date stamped.

4. APPLICATION PROTECTION

4.1 WEB APPLICATION SECURITY

Microsoft Azure provides several security capabilities and services for privacy and controlled network access. Network firewalls built into Microsoft Azure VPC, and web application firewall capabilities in Microsoft Azure Web Application Firewall (WAF) allow the creation of private networks, and control access to instances and applications. Microsoft Azure ensures secure connections by using encryption in transit across all services. Protections from Distributed Denial of Service (DDoS) attacks are automatically provided by Microsoft Azure.

Multiple layers of authorization rules are applied to all API interactions to ensure confidentiality between tenants. This ensures that data is not visible between tenants.

4.2 PRODUCT DEPLOYS

SafetyIQ continues to deliver product enhancements, additional features and other technical requirements.  These varying types of deploys can be administered several times during the day, week, month and year.

Prior to deploying new or additional code, our technical team has a rigorous release process that incorporates functional testing, code reviews, testing and approval to release. If a failure occurs during a deploy, rollback is immediately and automatically engaged. The deploys released to the live production site occur without any disruption for SafetyIQ users.

Major feature or epic releases are controlled extensively in the staging environment and testing is generally undertaken by SafetyIQ Customer Solutions Representatives and if relevant, the engagement of SafetyIQ Clients.

4.3 VULNERABILITY SCANNING & PENETRATION TESTING

The level of maturity associated with our current software development, future product development roadmap and company growth incorporates a future scheduled program that incorporates vulnerability scanning and penetration testing.

We have a comprehensive risk management matrix that is undertaken and maintained for all of the SafetyIQ technology tools.

5. CUSTOMER DATA PROTECTION

5.1 CONFIDENTIAL INFORMATION CAPTURED IN SafetyIQ

The data captured in SafetyIQ includes Company Names, individual first and last names, email address, mobile numbers, job titles and geographic locations.  SafetyIQ does not collect or capture sensitive data such as credit or debit card numbers, personal financial account information, Social Security numbers, passport numbers, driver’s license numbers or similar identifiers, or employment, financial or health information. View the SafetyIQ Privacy Policy

5.2 CREDIT CARD INFORMATION PROTECTION

Several SafetyIQ Products require customers to pay for the service by credit card. SafetyIQ does not store, process or collect credit card information submitted to us by customers. Our third party vendors are trusted and hold relevant PCI-compliant requirements.  For purchases made directly online via trusted website, SafetyIQ uses Stripe and for online credit payments for invoicing, SafetyIQ uses Pin Payments.

5.3 ENCRYPTION IN-TRANSIT & AT-REST

All interactions with SafetyIQ are encrypted in-transit with TLS 1.2 and above and 2048 bit keys.

All database information is encrypted at rest. SafetyIQ does not permit collecting or storing of sensitive information like financial or health data through its service, as outlined in our End User Agreement.

5.4 USER AUTHENTICATION & AUTHORIZATION

The password process is encrypted and secure.  A new SafetyIQ user is required to create a unique password that is not restrictive, however a 4 digit security code is generated that secures the user identity to their SafetyIQ profile. Additional security for the SafetyIQ user is by way of confirming their mobile number to their last name when first activating their SafetyIQ user profile. If the user's mobile number is updated, the user is required to respond to the SMS by confirming with their last name.  The same process is applied when a forgotten-password or reset-password request is activated.

SafetyIQ Company Accounts incorporate 4 permission levels and the company/Client is responsible for administering the users' permissions based on their own internal access roles. For more information about user roles, please view SafetyIQ Company Account Permission Levels.

5.5 SafetyIQ EMPLOYEE ACCESS

SafetyIQ has restrictive controls for SafetyIQ employees accessing data across the entire SafetyIQ infrastructure, to include but not limited to, technology tools that are directly related to the SafetyIQ software, internal corporate functions, production clients and other customer solution tools to manage user interaction.   SafetyIQ employees are granted access to production data based on their role in the company through role based access controls or on an as-needed basis.

Engineers and members of the technical team may be granted access to various production systems, as a function of their role. Common access needs include alert responses and troubleshooting, as well as to analyse information that supports product development or support. Access to the product infrastructure is restricted and requires user authentication and authorization controls. Access to networking infrastructure is strictly limited to members of the Technical team and our data-centre support team.

The SafetyIQ Customer Success Team have access based on their work responsibilities associated with supporting and servicing SafetyIQ Company Accounts. All access requests, logins, queries, page views and similar information are logged.

All SafetyIQ Employees are inducted into the company and associated policies, to include non-disclosure confidentiality agreements.

5.6 PRIVACY

The privacy of our customers’ data is one of utmost importance to SafetyIQ. As described in our Privacy Policy, we do not sell your Personal data to any third parties.

5.7 DATA RETENTION POLICY

Customer Data records are retained for 6 years from the entry date and Customer Data configuration is retained for 6 years from the expiration of the Agreement.

An authorised Customer representative may direct SafetyIQ in writing to delete any Customer Data records or configuration prior to the end of the 6-year period. An authorised Customer representative may direct SafetyIQ in writing to retain Customer Data records or configuration for longer than the 6-year period. In both cases, the Customer may be charged for the costs of manually deleting data and/or ongoing costs of retaining the data.

An authorised Customer representative may request SafetyIQ in writing to provide an export of Customer Data records. The Customer may be charged for the costs of exporting this data.

Customers are advised to request exported data for their own internal retention, as some jurisdictions require data retention of up to 75 years for records relating to incidents that result in serious personal injury, or incapacity to employees.

6. BUSINESS CONTINUITY & DISASTER RECOVERY

SafetyIQ maintains business continuity and disaster recovery plans focusing both on preventing outage through redundancy of telecommunications, systems and business operations, and on rapid recovery strategies in the event of an availability or performance issue. Whenever customer-impacting situations occur, SafetyIQ’s goal is to quickly and transparently isolate and address the issue.

Infrastructure is replicated and distributed across 2 distinct availability zones within Microsoft Azure, to allow full redundancy.

6.1 BACKUP STRATEGY

Full database backups occur as a minimum once a day and are stored on a distributed file storage facility. Backups are tested and retained indefinitely or as required by company policy. Backups are encrypted and have strict access policies.

6.2 SafetyIQ SOFTWARE INCIDENT MANAGEMENT

SafetyIQ Management Solutions Pty Ltd provides 24×7 coverage to respond quickly to all security and privacy events. Many automated processes feed into the incident response process, including malicious activity or anomaly alerts, third party alerts, customer requests, security events, and others.

In responding to any incident, we first determine the exposure of the information and determine the source of the security problem, if possible. We communicate back to the customer (and any other affected customers) via email or phone (if email is not sufficient). We provide periodic updates as needed to ensure appropriate resolution of the incident.

Our Data Protection Officer reviews all security-related incidents, either suspected or proven, and we coordinate with affected customers using the most appropriate means, depending on the nature of the incident.

6.3 SafetyIQ DATA BREACHES

SafetyIQ considers all data breaches serious and has several automated alert mechanisms in place to identify if a data breach has occurred within the SafetyIQ Hosted Environment.  Primarily the alerts identify unauthorized access to the SafetyIQ hosted infrastructure and associated third party technology providers.

If a data breach has occurred, the initial analysis is to determine the extent of the breach, who may have been impacted, the type of breach and how to immediately quarantine or disable if necessary.

Once the breach has been effectively triaged, the SafetyIQ Data Protection Officer is appointed to communicate the data breach to those impacted, to advise what the breach was/is, who has been impacted, how they may be impacted and if at that time, a resolution to resolve the breach has been deployed or actioned.  The timeframe for disclosure of the data breach to the respective parties is within 72 hours of the breach having been identified and assessed.

Post the outcome of the data breach, the SafetyIQ technical team initiate further investigations to identify the root cause, and implement modifications as required to prevent further breaches.

7. SafetyIQ CUSTOMER RELATIONSHIP MANAGEMENT (CRM)

SafetyIQ maintains a Customer Relationship Management (CRM) that captures customer/client data that includes Company Names, First/Last names, email, mobile and other phone numbers, communication correspondence, SafetyIQ proposals and other customer related information. Access to the CRM data is limited to a small set of SafetyIQ employees based on their roles, and access is limited to the individuals who need it to respond to customer support and related requests.

SafetyIQ uses other communication tools to keep prospective clients up to date with the company progress, enhancements, case studies and general SafetyIQ information.  The data captured includes Company Names, First/Last, email, job title. There is an opt out/in feature available that allows users to self-subscribe or to unsubscribe.  Subscribers on the list are added by self-subscribing via the SafetyIQ website.

Other SafetyIQ communication is to the SafetyIQ users, by way of the SafetyIQ Checkin Newsletter.  The primary purpose of the SafetyIQ Checkin is to keep SafetyIQ users up to date with product enhancements, new features and other information that directly relates to the SafetyIQ Software.

SafetyIQ does not sell or share lists with any third parties.

8. CERTIFIED TECHNOLOGY

SafetyIQ maintains a Technology Risk Register that provides oversight to a variety of third party technology tools that manage all associated functions with the SafetyIQ Software, Client Management, Communication and Corporate Governance.  This process ensures that the third party technology tools that are used or integrated hold industry best practice with respect to privacy and security certifications.

Our primary Sub-processors include Microsoft Azure, Google and Twilio.

9. OUR COMMITMENT TO GDPR

The General Data Protection Act (GDPR) is considered the most significant piece of European data protection legislation to be introduced in the European Union (EU) and is effective as of  25th May 2018.  GDPR Requirements

As SafetyIQ is a provider of services for clients located in the EU, we have an obligation to ensure compliance.  In our view the requirements are industry best practice and set a global benchmark in data security.

We have created a checklist that identifies our progress in meeting the GDPR requirements. SafetyIQ Checklist GDPR

10. DISCLAIMER

SafetyIQ values transparency in the way we manage the security and privacy of our users’ data and is continuously improving our process and system security.

This document is intended to highlight the methods, approaches and process we have in place to demonstrate our commitment to providing best practice for both the SafetyIQ business, SafetyIQ Account Companies, Subscribers and Users.

SafetyIQ End User License Agreement

1. Background

J.E.S.I. Management Solutions Pty Ltd ACN 159 033 173 trading as SafetyIQ (SafetyIQ) has developed and is the owner of all rights that subsist in the journey management software solution known as “SafetyIQ” (Application) which is accessed via a website operated by SafetyIQ and notified to you from time to time (Website).

You have been granted access to use the Application, as an Invited User of a Customer with whom SafetyIQ has entered into a Software Licence Agreement.

By accessing or otherwise using the Application, you agree to be bound by the terms and conditions outlined below (Agreement).  If you do not agree to the terms and conditions contained in this Agreement, please do not proceed to use or access the Application in any way.

SafetyIQ reserves the rights to modify, permanently or temporarily disable or discontinue any part of the Application and to alter, amend or withdraw any part of this Agreement or any information or material appearing on the Application at any time, without liability or further notice to you.  Your continued use of the Application will constitute an automatic acceptance of any alteration, withdrawal or amendment of same.

It is agreed:

2. Licence

Pursuant to this Agreement, SafetyIQ grants to you a non-exclusive, non-transferrable licence to use and access the Application via the Website for its intended use.

3. Delivery

3.1 In order to access the Application, you must become a registered member by registering and complying with the registration requirements as prompted, which may be subject to change at SafetyIQ’s discretion from time to time.

3.2 You are responsible for maintaining the confidentiality of your username and password information.

3.3 You are responsible for all activities occurring under your registered account. If you believe the information and privacy of your account is not secure, you can either change the password or notify SafetyIQ by email.

4. Obligations

4.1 You agree to:

  • Comply with this Agreement, along with all applicable laws and regulations;
  • Comply with all reasonable and lawful directions that SafetyIQ may issue in its discretion from time to time with respect to the use of and access to the Application;
  • Use the Application in good faith and for lawful purposes.

5. Restrictions

5.1 You must not:

  • use the Application in any way that could damage the reputation of SafetyIQ or the goodwill or other rights associated with the Application;
  • use the Application in any way or in association with safety critical applications where the failure of the Application to perform may be reasonably expected to result in significant injury, or in loss of property or loss of life;
  • attempt to undermine the security or integrity of SafetyIQ’s computing systems or networks or, where the Application is hosted by a third party, that third party’s computing systems and networks;
  • use, or misuse, the Service in any way which may impair the functionality of the Application or Website, or other systems used to deliver the Application or impair the ability of any other user to use the Application or Website;
  • attempt to gain unauthorised access to any materials other than those to which express permission has been given to access or to the computer system on which the Application is hosted;
  • transmit, or input into the Website, any files that may damage any other person’s computing devices or software, content that may be offensive, or material in violation of any law (including any material protected by copyright or trade secrets which you do not have the right to use);
  • attempt to modify, copy, adapt, reproduce, disassemble, decompile or reverse engineer any computer programs used to deliver the Application or to operate the Website except as is strictly necessary to use either of them for normal operation;
  • remove or modify any program markings or any notice of proprietary rights, irrespective of whether such markings or notices are those of SafetyIQ or a third party;
  • make any part of the Application available in any manner to any third party for use in that third party’s business operations, or otherwise sublicense, rent, assign, communicate to the public or otherwise deal (wholly or in part) with the Application.

6. Availability

SafetyIQ shall provide the access to the Application through the Website on a continuous basis during the Licence Term, provided however that SafetyIQ may, without notice, suspend all or part of any access to the Application immediately.

7. Mobile Devices and Mobile Devices Operating System (OS) Requirements

You can use SafetyIQ on compatible mobile devices. SafetyIQ is compatible with the following mobile devices and operating systems:

  • An Android phone or tablet running Android 8.0 (Oreo) or later
  • An iPhone 7 or later, running iOS 13.0 or later
  • Any iPad running iPadOS 13.0 or later

8. Web Browser Requirements

You can use SafetyIQ on compatible web browsers. SafetyIQ is compatible with all major maintained web browsers:

  • Google Chrome (recommended)
  • Microsoft Edge
  • Mozilla Firefox
  • Safari, by Apple

9. Loss of Access

You shall have no Claim against SafetyIQ in respect of loss of access or functionality to the Application.

10. Malfunctions

SafetyIQ does not warrant, guarantee or make any representation that the Application will be free of defect, uninterrupted, accurate, complete, current, stable, bug free, error free or available at any time in respect of its operation.

11. Intellectual Property

You acknowledge that all intellectual property rights subsisting in the Application is either owned or licensed from third parties (as the case may be) by SafetyIQ and that nothing in this Agreement has the effect of or should be construed as passing ownership of any Intellectual Property Rights of SafetyIQ to any person, including you.

12. Copyright

  • You acknowledge that the Application is the subject of copyright.  Accordingly, you will not during or any time after the expiry or termination of this licence permit any act which infringes that copyright and, without limiting the generality of the foregoing, you specifically acknowledge that you may not copy the Application except as otherwise expressly authorised or acknowledged by this Agreement.
  • You will indemnify SafetyIQ fully against all liabilities, costs and expenses which SafetyIQ may incur to a third party as a result of your breach of the copyright provisions of this Agreement.

13. Disclaimer

  • SafetyIQ makes no representations about the suitability of the Application for any purpose or that it conforms to any applicable law.
  • The Application is provided on an “as is” basis and SafetyIQ does not provide any warranty either express or implied, including, without limitation, warranties of title or implied warranties of merchantability or fitness for a particular purpose.
  • To the maximum extent permitted by law, any condition or warranty which would otherwise be implied into these terms and conditions is excluded.
  • SafetyIQ undertakes to take all due care with any information which you may provide when accessing the Application.  However SafetyIQ does not warrant and cannot ensure the security of any information which you may provide to us. Information you transmit to the Application is entirely at your own risk.

14. Limitation of Liability

Except as expressly provided to the contrary in this Agreement, in no event shall SafetyIQ be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of use of the Application, even if advised of the possibility of such damage.

SafetyIQ’s liability under any condition, warranty, or obligation implied by law in this Agreement that cannot be excluded is limited:

  • In the case of goods, to (at the supplying party’s election):
    • the replacement of the goods, or the supply of equivalent goods;
    • the repair of the goods;
    • paying the cost of replacing the goods or of acquiring equivalent goods; or
    • paying the cost of having the goods replaced; and
  • in the case of services, to (at the supplying party’s election):
    • the supplying of the services again; or
    • the payment of the cost of having the services supplied again.

15. Indemnity

You will at all times indemnify and keep indemnified SafetyIQ and its respective officers, employees and agents from and against any loss (including reasonable legal costs and expenses) or liability incurred by any of those indemnified arising from any claim, demand, suit, action or proceeding by any person against any of those indemnified where such loss or liability arose out of, in connection with or in respect of your use of the Application or any breach of this Agreement by you.

16. Termination

  • SafetyIQ has the right to terminate your access to and licence to use the Application, at any time, in its sole discretion, without notice.
  • Upon termination by SafetyIQ, as set out above, your access to the Application will cease immediately.

17. Jurisdiction

  • This Agreement is governed by the law in force in the State of Queensland.
  • Each party submits to the non-exclusive jurisdiction of the courts of Queensland and the courts competent to determine appeals from those courts, in relation to any proceedings that may be brought at any time relating to this Agreement.
  • Each party irrevocably waives any objection it may have now or in the future to the venue of any proceedings where that venue falls within Queensland.

18. Severability

Any provision of this Agreement that is illegal, void or unenforceable will be severed without prejudice to the balance of the provisions of the Agreement, which shall remain in force.

19. SafetyIQ Data Security and Privacy Policies

Information relating to SafetyIQ Privacy Policy and Data Security Policy can be accessed by clicking here:

SafetyIQ Privacy Policy

Data Security Policy

GDPR Checklist

GDPR – Checklist

SafetyIQ is considered to be a Processor that engages and integrates with Sub-processors.

View our checklist here.

Definition: Processor

A natural person or legal entity that processes personal data on behalf of the controller (e.g., a call centre acting on behalf of its client) is considered to be a processor. At times, a processor is also called a third party.

SafetyIQ provides cloud-based software that ‘customers’ or ‘controllers’ purchase and as a company SafetyIQ has a responsibility to ensure that the security provisions maintained in the SAAS are compliant with the obligations under the GDPR.

  • Conducted an information audit to map data flows — Completed
  • Documented what personal data SafetyIQ holds, where it came from, who the data is shared with and what is done with it — Completed
  • Appropriate data protection policy — Completed
  • Nominated a data protection lead or Data Protection — Completed