Notice of Client Data Processing

Client Personal Information

Some of our clients may be “businesses” as defined in the California Consumer Privacy Act of 2018, as amended (the “CCPA”). To the extent our services to those clients require us to collect, use, retain, disclose or otherwise process Client Personal Information that is subject to the CCPA, we do so strictly as our client’s “service provider” as defined in the CCPA.

Some of our clients may be subject to industry-specific federal laws regulating data privacy, such as the Health Insurance Portability And Accountability Act (HIPAA), as amended, or the Gramm-Leach-Bliley Act (GLBA). To the extent our services to those clients require us to collect, use, retain, disclose or otherwise process Client Personal Information that is subject to federal privacy laws, we do so strictly as our client’s service provider pursuant to business associate agreements or other appropriate terms.

We do not sell Client Personal Information or share it for targeted advertising purposes. We do not collect, retain, use, disclose or otherwise process Client Personal Information for any purpose other than for the purpose of performing the services specified in our agreement with the client. We do not collect, retain, use, disclose or otherwise process Client Personal Information outside of our direct business relationship with the client. We work with clients and our own sub-contractors to ensure that our agreements with them incorporate those and other restrictions as necessary, and to support responses to consumer requests under the CCPA or applicable federal law.

United States Residents

Some of our clients may be “businesses” as defined in the California Consumer Privacy Act of 2018, as amended (the “CCPA”). To the extent our services to those clients require us to collect, use, retain, disclose or otherwise process Client Personal Information that is subject to the CCPA, we do so strictly as our client’s “service provider” as defined in the CCPA.

Some of our clients may be subject to industry-specific federal laws regulating data privacy, such as the Health Insurance Portability And Accountability Act (HIPAA), as amended, or the Gramm-Leach-Bliley Act (GLBA). To the extent our services to those clients require us to collect, use, retain, disclose or otherwise process Client Personal Information that is subject to federal privacy laws, we do so strictly as our client’s service provider pursuant to business associate agreements or other appropriate terms.

We do not sell Client Personal Information or share it for targeted advertising purposes. We do not collect, retain, use, disclose or otherwise process Client Personal Information for any purpose other than for the purpose of performing the services specified in our agreement with the client. We do not collect, retain, use, disclose or otherwise process Client Personal Information outside of our direct business relationship with the client. We work with clients and our own sub-contractors to ensure that our agreements with them incorporate those and other restrictions as necessary, and to support responses to consumer requests under the CCPA or applicable federal law.

Data Subjects In The European Economic Area And Elsewhere Outside The United States

Some of our clients are “data controllers” as defined in the EU’s General Data Protection Regulation (“GDPR”) or other laws governing data protection in countries outside of the United States. To the extent our services to those clients require us to process Client Personal Information that is subject to those laws, we do so strictly as our client’s “data processor” as defined in the GDPR or other applicable law.

We follow our clients’ instructions regarding the purposes for which Client Personal Information is to be processed, and endeavor to conduct that processing subject to conditions set forth in Article 28 of the GDPR or elsewhere under applicable law. We work with clients and our authorized sub-processors to ensure that our agreements with them incorporate those conditions as necessary, and to support responses to data subject requests, and other obligations our clients may have, under the GDPR and other laws that may apply. Where necessary and appropriate, our agreements with clients incorporate other appropriate safeguards, such as standard data protection clauses adopted by the European Commission or another supervisory authority for international transfers of personal data.

Data Security

We maintain reasonable security measures to ensure that access to any Client Personal Information is restricted only to authorized individuals who need access for a legitimate business purpose, and to protect Client Personal Information against unauthorized access, theft, or loss. As part of those measures, we use a proprietary platform, GRMS Veritas, to provide clients with supplier risk assessment information, which may include Client Personal Information, in the most secure way. We have designed this platform using the latest Microsoft .NET Framework.

Veritas is hosted on the Amazon Web Services cloud and is built according to AWS best practices for high availability, disaster recovery, security, and scalability. There is no single point of failure in network or infrastructure, and both utilize regularly-rotated 256-bit encryption. Data is backed up in multiple locations and AWS services are leveraged to recover from hardware or system errors without data loss.

Veritas uses Amazon S3 to store supplier risk assessment data. S3 provides comprehensive security and compliance capabilities that meet even the most stringent regulatory requirements and security standards including PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, and FISMA, helping satisfy compliance requirements for virtually every regulatory agency around the globe.

Last updated August 17, 2021