Cloudcase Software Solutions (CSS) may collect and provide access to information for its licensed users and their interested parties. This information is held by CSS in good faith. However, no representation is made as to the completeness or accuracy of the information maintained by CSS.
Accordingly, all data published by CSS is provided as is, without warranty or representation of any kind, either expressed or implied, including but not limited to any implied warranties or implied terms of merchantability, fitness for particular use or non-infringement.
By accessing any CSS software, processes, systems, website, web services or documentation, you agree that CSS will not be liable for any direct or consequential loss arising from the use of information and material contained or obtained through CSS’s software, processes, systems, website, web services or documentation.
The exclusions and limitations contained herein apply only to the extent permitted by law. All CSS Services are subject to terms and conditions that can only be obtained from CSS, directly.
Copyright in the information and material contained or obtained through CSS’s software, processes, systems, website, web services or documentation belongs to CSS, and such information and material may only be used by explicit permission obtained from CSS. The copies of any such information or material must retain any copyright or other intellectual property notices contained in the original material. The software, processes, systems, website, web services or documentation of CSS Services may be subject to other intellectual property rights reserved by CSS or by other third parties.
2 Transfer of information
2.1 Electronic Communication Channels
CSS’s information may be exchanged through the following electronic communication channels: e-mail, download of files from the Internet, transfer of data via Cloudcase managed SFTP server, telephones, SMS text messages, encrypted portable media, Microsoft Teams, and Slack.
The Security Director determines the communication channel that may be used for each type of information, and possible restrictions regarding permissions to use the communication channels, i.e. defines which activities are forbidden.
In addition to controls prescribed by the Data Classification Policy, the Security Director prescribes additional controls for each type of data and communication channel, based on risk assessment results.
In situations involving cloud service customers’ information, the Security Director must also consider the clauses of the cloud service agreements to prescribe appropriate security controls.
3 Protection of PII in Cloud Environments
The General Manager, Service Support is responsible to coordinate all activities necessary to ensure the proper application of this policy.
3.1 Information Collection, Use, Sharing and Disclosure
3.1.1 Information Collection
To operate the SaaS environment on behalf of our clients, CSS collects Personally Identifiable Information (PII) based on client product configurations. Typical PII may include the following:
- Date of Birth
- Financial Information
- Employment Information
- Bank details
- Details of products and services a PII Principal may have purchased from a PII Controller that CSS provides such products and services to, or which a PII Principal has enquired about, together with any additional information necessary to deliver those products and services, respond to the PII Principal’s enquiries and generally to complete any commercial transaction between the PII Principal and the relevant PII Controller that CSS acts on behalf of, and
- Any additional information a PII Principal may provide to CSS directly through the use of CSS’s software, processes, systems, website, web services or documentation for the purpose of completing any commercial transaction between the PII Principal and the relevant PII Controller that CSS acts on behalf of.
3.1.2 Information Use and Sharing
The Security Director must ensure that PII processed by CSS will be used only for the following purposes:
- Purposes defined in the contract with our client
- Technical purposes required to fulfill the customer’s contract
- Passing PII data to contracted third party data service providers only through the use of direct and secure integration communication.
CSS will only share PII submitted to it with the following third parties, only to the extent necessary to perform business activities and/or fulfill contractual requirements agreed with our clients:
- Credit Bureau Checks
- Identity Verification Checks
CSS will not supply PII submitted to it to any third party for direct marketing or advertisement purposes.
3.1.3 Information Disclosure
Disclosure of PII may be done as reasonably necessary for the purposes stated in clause 4.1.2 of this policy based on our contracted client’s authority.
Disclosure of any PII held by CSS to entities not listed above can only be made after the Security Director obtains consent from the information owner for the disclosure, or upon a legally binding request made by a law enforcement authority if the legal request does not prohibit the notification disclosure. The notification will be performed as defined in the contract.
In cases where the PII disclosure was caused by an incident, the notification to the PII Principal and PII Controller will be reported as soon as possible, using the CSS Support System. Situations where a disclosure may happen are:
- during the course of normal operations
- during changes in operational conditions
- as a result of audit activities
- as requested by law enforcement authorities
- as a result of a data breach incident
Any PII disclosure must be recorded by any CSS employee in the CSS Support System incident management workflow. The record must include what PII has been disclosed, by whom, to whom, and at what time. In cases where the disclosure is demanded by law, the legal reference that is used to authorise the disclosure must also be included in the record.
Users must not make unauthorised copies of software owned by the organisation, except in cases permitted by law, or by written permission from the CFO or the Security Director.
Users must not copy software or other original materials from other sources and are liable for all consequences that could arise under the intellectual property law.
3.2 PII Principal’s Access to and Control Over Information
The General Manager, Service Support must ensure that CSS’s cloud services, owned or outsourced, offer the following capabilities for PII Principals and/or PII Controllers to access and control their PII in a timely fashion:
- Unique identification and authentication credentials to access PII relevant to them
- Privacy settings to enable them to control the publication of their information
- Editing functionalities to enable them to include, correct, update, and exclude information
The specificities of implementation alternatives are described as the contract’s requirements.
Concerning privacy and editing capabilities, the cloud processors must provide warnings to the PII Principal and/or PII Controller about possible impacts that may occur to product or service performance by using these capabilities.
3.3 Information Location, Storage, Transfer and Access
3.3.1 Information Location
The PII captured by CSS may only be stored on highly secure infrastructure that is approved by the Security Director.
3.3.2 Information Storage
To ensure the protection of PII submitted to CSS managed systems, all assets used to store PII must make use of encryption solutions.
The Security Director is responsible to ensure that the use of hard copy material containing PII, e.g. printed reports, is restricted.
3.3.3 Information Transfer Over Public Networks
The Security Director is responsible to ensure that PII submitted to CSS managed systems is encrypted as part of the transmission whenever it is transferred through public data-transmission networks.
3.3.4 Information Access
Access to PII data is restricted to CSS’s support staff who perform activities related to the purposes stated in the section titled Information Use and Sharing of this policy.
No CSS staff will be given access to PII data without prior authorisation of the General Manager, Service Support.
The Security Director is responsible to ensure that all individuals under CSS with access to PII are subject to a security check and sign a non-disclosure agreement before being granted access to PII data.
3.4 Information Retention and Disposal
The Security Director is responsible to ensure that all PII is retained only for the time defined as needed for the achievement of its intended purpose.
Regarding information systems acquisition, development, and maintenance, requirements shall be established to ensure that temporary files and documents created in the normal course of operation are deleted as soon as those files and documents are not needed anymore. The Security Director is responsible to review information systems’ requirements to ensure these requirements are included.
All the methods for secure erasure and destruction of PII are prescribed in the document Disposal and Destruction Policy.
3.5 Logging, Monitoring and Compliance Verification
The Security Director is responsible to ensure that logs on PII data are kept, monitored, and reviewed to provide the means to verify whether or not it has been changed, to identify unusual behavior in PII handling, and to provide appropriate corrective actions if errors are identified.
The Security Director shall support any verification operations by our customers or internal audit committee to ensure the operation is compliant with all requirements defined in this policy.
3.6 Cookie Usage
Cookies are small files which are stored on a user’s computer. They are designed to hold a modest amount of data specific to a particular client and website and can be accessed either by the web server or the client computer.
Please refer to your computer browser’s instructions for how to manage your cookie settings.