Switchboard Visual Technologies, Inc. (the “Company”) implements policies to safely, privately, and securely manage the data of our customers.
Data deletion request policy
For the purposes of this policy, the terms below have the following meanings:
- Data subject means a person from or about whom personal data is collected. A data subject can be a customer, user, or even a member of the Company’s staff.
- Personal data means any information relating to a data subject that could allow the data subject to be directly or indirectly identified. Examples of common forms of personal data include name, identification number, location data, or online identifier. Personal data can also include factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the data subject.
Right to be forgotten
Summary: A data subject may contact us to request that the Company delete personal data about the data subject. In certain circumstances, the Company is required to promptly erase personal data concerning a data subject, such as if one of the following circumstances applies:
- the personal data is no longer necessary for the purpose(s) for which it was collected or otherwise processed;
- the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing (particularly if the data subject objects to processing for direct marketing purposes);
- the personal data has been unlawfully processed; or
- the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the Company is subject.
To request deletion of personal data, please send an email to firstname.lastname@example.org.
Data Management Policy
Excerpted from Switchboard’s internal document “Data Management Policy v1”. More details available upon request to email@example.com.
Switchboard is a fully-remote company with no physical locations; neither offices that house Switchboard personnel, nor data centers that house Switchboard equipment.
Switchboard classifies data and information systems in accordance with legal requirements, sensitivity, and business criticality in order to ensure that information is given the appropriate level of protection. Data owners are responsible for identifying any additional requirements for specific data or exceptions to standard handling requirements.
Information systems and applications shall be classified according to the highest classification of data that they store or process.
To help Switchboard and its employees easily understand requirements associated with different kinds of information, the company has created three classes of data.
Highly sensitive data requiring the highest levels of protection; access is restricted to specific employees or departments, and these records can only be passed to others with approval from the data owner or a company executive. Examples include:
- Customer Data
- Personally identifiable information (PII)
- Company financial and banking data
- Salary, compensation and payroll information
- Strategic plans
- Incident reports
- Risk assessment reports
- Technical vulnerability reports
- Authentication credentials
- Secrets and private keys
- Source code
- Litigation data
Switchboard proprietary information requiring thorough protection; access is restricted to employees with a “need-to-know” based on business requirements. This data can only be distributed outside the company with approval. This is default for all company information unless stated otherwise. Examples include:
- Internal policies
- Legal documents
- Meeting minutes and internal presentations
- Internal reports
- Slack messages
Documents intended for public consumption which can be freely distributed outside Switchboard when they’re made publicly accessible, e.g. by publication to a public website that allows unauthenticated or anonymous access. Examples include:
- Marketing materials
- Product descriptions
- Release notes
- External facing policies
Confidential data should be labeled “confidential” whenever paper copies are produced for distribution.
Confidential Data Handling
Confidential data is subject to the following protection and handling requirements:
- Access for non-pre-approved roles requires documented approval from the data owner
- Access is restricted to specific employees, roles and/or departments
- Confidential systems shall not allow unauthenticated or anonymous access
- Confidential Customer Data shall not be used or stored in non-production systems/environments
- Confidential data shall be encrypted in transit over public networks
- Mobile device hard drives containing confidential data, including laptops, shall be encrypted
- Mobile devices storing or accessing confidential data shall be protected by a log-on password or passcode and shall be configured to lock the screen after five (5) minutes of non-use
- Backups shall be encrypted
- Confidential data shall not be stored on personal phones or devices or removable media including USB drives, CD’s, or DVD’s
- Paper records shall be labeled “confidential” and securely stored and disposed
- Hard drives and mobile devices used to store confidential information must be securely wiped prior to disposal or physically destroyed
- Transfer of confidential data to people or entities outside the company shall only be done in accordance with a legal contract or arrangement, and the explicit written permission of management or the data owner
Restricted Data Handling
Restricted data is subject to the following protection and handling requirements:
- Access is restricted to users with a need-to-know based on business requirements
- Restricted systems shall not allow unauthenticated or anonymous access
- Transfer of restricted data to people or entities outside the company or authorized users shall require management approval and shall only be done in accordance with a legal contract or arrangement, or the permission of the data owner
- Paper records shall be securely stored and disposed
- Hard drives and mobile devices used to store restricted information must be securely wiped prior to disposal or physically destroyed
Public Data Handling
No special protection or handling controls are required for public data. Public data may be freely distributed.
Switchboard shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data. Retention periods shall be documented in the Data Retention Matrix in Appendix B to this policy.
Data & Device Disposal
Data classified as restricted or confidential shall be securely deleted when no longer needed. Switchboard shall assess the data and disposal practices of third-party vendors in accordance with the Third-Party Management Policy. Only third-parties who meet Switchboard requirements for secure data disposal shall be used to store and process restricted or confidential data.
Switchboard shall ensure that all restricted and confidential data is securely deleted from company devices prior to, or at the time of, disposal.
Annual Data Review
Management shall review data retention requirements during the annual review of this policy. Data shall be disposed of in accordance with this policy.
Under certain circumstances, Switchboard may become subject to legal proceedings requiring retention of data associated with legal holds, lawsuits, or other matters as stipulated by Switchboard legal counsel. Such records and information are exempt from any other requirements specified within this Data Management Policy and are to be retained in accordance with requirements identified by the Legal department. All such holds and special retention requirements are subject to annual review with Switchboard’s legal counsel to evaluate continuing requirements and scope.
Switchboard will measure and verify compliance to this policy through various methods, including but not limited to, business tool reports, and both internal and external audits.
APPENDIX A – Internal Retention and Disposal Procedure
- Employee devices will be collected promptly upon an employee’s termination. Remote employees will be sent a shipping label and the return of their device shall be monitored.
- Collected devices will be cleared to be re-provisioned—or removed from stock, Switchboard will securely erase the device.
- Device images may be retained at the discretion of management for business purposes
Destroying devices or electronic media
In cases where a device is damaged in a way that Switchboard cannot access the Recovery Partition to erase the drive, Switchboard may optionally decide to use an E-Waste service that includes data destruction with a certificate. Switchboard will keep certificates of destruction on record for one year. Physical destruction can be optional if it is verified that the device is encrypted with Full Disk Encryption, which would negate the risk of data recovery.
Management will review this procedure at least annually.
Operations Security Policy
Excerpted from Switchboard’s internal document “Operations Security Policy v1”. More details available upon request to firstname.lastname@example.org.
The need for backups of systems, databases, information and data shall be considered and appropriate backup processes shall be designed, planned and implemented. Security measures to protect backups shall be designed and applied in accordance with the confidentiality or sensitivity of the data. Backup copies of information, software and system images shall be taken regularly to protect against loss of data. Backups and restore capabilities shall be periodically tested, not less than annually.
Switchboard does not regularly back up user devices like laptops. Users are expected to store critical files and information in company-sanctioned file storage repositories.
Backups are configured to run daily at minimum on in-scope systems. The backup schedules are maintained within the backup application software.
Next time you’re trying to get something done, instead of talking about getting something done just do it in Switchboard.