Data Protection & Security
Sightly Enterprises, Inc. (“Sightly”) takes the protection of sensitive customer data very seriously. With this in mind, Sightly has developed this Data Protection & Security Reference, which outlines controls and methods employed by Sightly in its handling of customer data in relation to cloud-based deployments.
This Data Protection & Security Reference applies to all electronic data created, received, maintained, or transmitted by Sightly from, to, or on behalf of itself and customers.
1.1. Customer Data. As used in this Data Protection & Security Reference, Customer Data means data generated by a customer and handled by Sightly on behalf of the customer that may fall within the scope of confidential, proprietary and account information. Customer Data may also include personally identifiable information shared with Sightly by a customer and for which Sightly has legal or regulatory obligations to handle such data in a certain manner.
2. GENERAL INFORMATION REGARDING SECURITY AND PRIVACY CONSIDERATIONS
Sightly developers of cloud services applications follow best practices in order to securely design, develop, and maintain systems that comply with applicable laws and regulations. In handling Customer Data, Sightly also adheres to the Sightly Data Classification Standard, a corporate policy that outlines processes for categorizing data by sensitivity level. This policy facilitates the proper handling and security controls for Customer Data.
2.1. Customer Data is hosted in Sightly’s cloud services environment (“Cloud Provider”). Development, management, and operations follow the “zero trust” model (“Never trust; always verify”) and practices. Sightly platforms are hosted by Google Cloud with production environment(s) ISO 9001 certified, SOC 2 Type II audited and CCPA compliant (CCPA law takes effect on January 1, 2023).
2.2. Sightly’s cloud services, specifically those within the connectivity and storage domains, incorporate industry best-practice and regulatory compliance controls to secure Customer Data. Customer Data are subject to cryptographic measures to ensure data confidentiality and anonymization when at rest or in transit.
2.3. In certain instances, Sightly may use Customer Data for purposes of aggregation, population metrics, and analytics. Any Customer Data that is used for those purposes will be properly de-identified by Sightly.
3. DATA TRANSMISSION
3.1. Encryption. Automated and/or Manual secure data transfer will utilize encryption-in-transit through an unknown and/or untrusted network such as the public internet environment via SSL/TLS encryption.
3.2. Preparation – Off Premises. In the event that Customer Data must be staged at an intermediary location due to Sightly Data Classification Standard.
4. DATA STORAGE
4.1. Encryption. Customer data is protected by encryption-at-rest through whole disk encryption Cloud Provider security protocols
4.2. Archival/Removal. In the event some or all Customer Data exported is not required in Sightly’s cloud environment, Sightly support personnel will remove the unneeded data.
At the end of the customer engagement (or at any time agreed upon by the customer and Sightly), Sightly support personnel will permanently delete the Customer Data from Sightly systems.
5. DATA ACCESS
Only individuals with a valid business need can access and view data on Sightly reporting applications. As an individual is assigned to a role with approved permissions, only then is that individual able to access data and information permissible to that role.
5.1. Data Repositories. Data residing within the Sightly cloud services environment is protected from unauthorized access by way of authorization and authentication with Role-Based Access Control (RBAC). Only authorized users may have access to this data, and that access is provided based on valid business needs.
5.1.1. Vulnerability Detection and Remediation. Data repositories within Sightly cloud services include functionality for discovering and classifying sensitive data, surfacing, and mitigating potential database vulnerabilities, and detecting anomalous activities that could indicate a threat to Sightly resources.
5.1.2. De-identification/Obfuscation. At the data repository layer, and where technically feasible, Sightly will employ obfuscation and data masking to prevent unauthorized access to Customer Data.
5.2. Reporting Application(s). Visibility and access to data and information within Sightly is protected by way of the following controls.
5.2.1. Role-Based Access Control.
5.2.2. De-identification/Obfuscation. Where applicable and technically feasible, Customer Data will be obfuscated via pseudonymization or redaction, to ensure that data is unintelligible to those without proper business justification. Obfuscation and data masking controls may be inherited from the database layer, and not specific to the reporting application itself.
5.3. Sightly Personnel. Sightly teammates are subject to company policy, including code of conduct and data classification standards, which ensure Customer Data is given the appropriate level of protection, as described within this agreement.
5.4. Third Parties. Sightly may engage with third party Service Providers and/or development entities that generate and/or will have access to Customer Data. Such entities are governed by stringent security and regulatory requirements in which Sightly is a beneficiary.
6. CUSTOMER RESPONSIBILITIES
6.1. Customer Infrastructure. Customers will remain responsible for existing Information Technology infrastructure, and the secure posture of that infrastructure. Sightly is not responsible for infrastructure residing within the customer premises, including componentry that facilitates the functionality of the service provided by Sightly. Sightly will not be responsible for a security incident nor breach that may expose Customer Data if the cause of that incident is due to insecure customer infrastructure.
6.2. Logical Access. Customers will be responsible for their personnel with respect to logical access to services provided by Sightly. Sightly may help facilitate access to these services via federated authentication and authorization.
6.3. Acknowledgement. Customer acknowledges and agrees to the terms defined in this Data Protection & Security Reference in general and upon executing a separate agreement.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data, Sightly will act in compliance with applicable laws and regulations as well as any obligations imposed by separate agreement.