GDPR COMPLIANCY

Transparent information about data processing

We hold value and full transparency about the information that gets collected and flows through our technology. It is your right to know where your information is going.

Right of access

Data controllers will be required to fulfill requests from individuals seeking access to their private data or information on how it is being used. Data collectors and processors will have to detail how the personal information was obtained, how and why it is being used, as well as with whom the company is sharing the information. Companies will also be mandated to provide the individual with a copy of their personal records.

Right to be Forgotten

Individuals can decide they no longer want their personal data to be processed and request all of their information to be deleted.

Notice of security breaches

Individuals must be alerted within 72 hours in the form of an email if their personal data has been hacked or otherwise compromised.

Elevation Corporate Health and GDPR

Over the next year, we will be taking requirements put to together by the General Data Protection Regulation (GDPR) compliance standard to keep our users information safe and keep a users data more reachable.

Transparent information about data processing

The Article 4 of GDPR defines data controllers and data processors as below:

Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Processor – a natural or legal person, public authority, agency or another body which processes personal data on behalf of the controller.

For example, if Acme Co. sells widgets to consumers and uses Email Automation Co. to email consumers on their behalf and track their engagement activity, then, with regard to such email activity data, Acme Co. is the data controller, and Email Automation Co. is the data processor.

This distinction is important for compliance. Generally speaking, the GDPR treats the data controller as the principal party for responsibilities such as collecting consent, managing consent-revoking, enabling the right to access, etc. A data subject who wishes to revoke consent for his or her personal data therefore will contact the data controller to initiate the request, even if such data lives on servers belonging to the data processor. The data controller, upon receiving this request, would then proceed to request the data processor remove the revoked data from their servers.

Elevation Corporate Health as a Data Controller

In the meaning of Data Controller stated above, Elevation may ask and store the following private data:

1. User email address
2. User First and Last Name
3. Barcode# *
4. Employee ID# *
5. Date of Birth (optional)
6. User phone number (optional)
7. User avatar (optional)

If you create an account with Elevation, we will ask you for a valid email address at minimum. The email address will be used as the primary point of contact in the service. You also have the option to give us more information if you want to, including an additional email address, phone number and a photograph (avatar). This type of information will be shared in the administrative staff management your location or facility.

Why we collect this

• We need your Personal Information to create your account, and to provide the services you request.
• We show your Personal Information on your profile page. This profile is only accessible by users with whom you share a workspace.
• We use your Personal Information, specifically your email address, to identify you on the Elevation platform.
• We will use your email address to communicate with you (newsletters, notifications). You can change your email and unsubscribe from those messages any time. We are using Mandrill mailing software (owned by Mailchimp) to send our email messages to our clients (all information about our Vendors and their GDPR commitments is listed below)

We do not store any Credit Card information. For that we use an external service: Stripe.

We limit our use of your Personal Information to the purposes listed in our privacy statement. We do not share, sell, rent, or trade Personal Information with third parties.

Elevation as a Data Processor

All private data stored in Elevation’s Git repositories, pipelines and sandboxes are managed by Elevation employees only. What data is stored, how it is processed and how it is used is administered and managed by Elevation, onsite staff, client, and any associated party. In this case, Elevation operates as a Data Processor. As the controller of the information, Elevation must ensure that the collection of personal data is GDPR compliant as well as other processors in his pipeline.

If required, Elevation users can ask for a signed Data Processing Agreement, which defines our responsibilities regarding the data stored on our servers.

Right of access and Right to be Forgotten

Elevation doesn’t ask for more personal data from our users than we need to provide our services to you. We provide you the ability to access  the data you have given us. 

We have gone through our Privacy Statement to provide more context and transparency, though, so our users understand exactly why we ask for information and what we’ll do with it.

If you want to get or erase all information that we have about you, please send a request to [email protected] or onsite management.

Notice of security breaches

Elevation takes all measures reasonably necessary to protect Personal Information from unauthorized access, alteration, or destruction, maintain data accuracy, and help ensure the appropriate use of Personal Information. We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. We are committed to announcing any security breaches within 72 hours after we notice this kind of issue.

Privacy by design

Since the very beginning, the application’s architecture and server infrastructure have been designed and chosen specifically to ensure that all user data is safe.

The application and user data are hosted Amazon Web Services servers. You can see how AWS secures data here. Amazon’s GDPR commitment is available here.

Elevation’s system installation is using a strong security measures that need an administrator credentials alongside access keys to access. Our codebase uses strong encrypted protections again forgeries to make sure we block suspicious activity. We also employ industry-leading solutions to mitigate DDoS attacks.

The application is continually updated  with the most recent and secure solutions. Critical security patches are provided as needed outside of the regular release cycle. All reported issues and security holes are fixed with the highest priority.

Data portability

As described in the data processing section above, Elevation is a Data Controller, has we only access the data that is provided during registration with optional Personal Information provided by the user. All this information can be found in the my profile section of the user’s account. The data can be changed, removed or copied at anytime by Elevation staff, upon request.

Tracking

Our Vendors

We also use the services that already confirmed they met GDPR conditions or are in the final stage of preparations:

• Amazon Web Services – hosting infrastructure for the Service and SES for email and SMS notifications (United States)
• Stripe – payment processing (United States)
• Google G Suite – email communication with clients (United States)
• Intercom – helpdesk and customer messaging platform (United States)

Updates to our ToS and other policies

To achieve compliance with the GDPR we’re very focused on bringing our policies into alignment with the new law. This includes updates to Terms of Service, Privacy Policy, and Safety & Security.

If you need more information, please contact us at [email protected]