Vervet

Vervet Security Policy

Effective 1/1/24

Student health data is extremely sensitive and must be protected. Ensuring the security and privacy of student health information is paramount to Vervet. Vervet is built with HIPAA guidelines in mind. Storing student health information digitally is far more secure than paper documents. Vervet manages access on a user-by-user basis to ensure the highest level of security and privacy. Student health information is confidential and is shared by the parent only with the school's admin and, with parental permission, with chaperones. Chaperones cease to have access to student information on the last day of the trip. School administration continues to have access unless otherwise instructed by the parent. No official medical records are transferred to Vervet at any point, nor does Vervet handle any official medical records.

In an effort to comply with HIPAA guidelines, Vervet has the following procedures in place to ensure the security of sensitive information:

  1. Ensure the confidentiality, integrity, and availability of all e-PHI we create, receive, maintain or transmit; 

To uphold the highest standards of data security and compliance, our company is committed to ensuring the confidentiality, integrity, and availability of all electronic Protected Health Information (e-PHI) that we create, receive, maintain, or transmit. Through the implementation of robust information security policies, encrypted communication channels, access controls, and ongoing staff training, we strive to safeguard e-PHI against unauthorized access, maintain the accuracy and completeness of the information, and ensure its uninterrupted availability to authorized users. 

  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;

As part of our comprehensive information security strategy, our company is devoted to the identification and mitigation of reasonably anticipated threats to the security and integrity of information within our purview. Through industry best practices, we proactively identify potential risks and vulnerabilities that could compromise the confidentiality, integrity, or availability of our information assets. Once identified, we implement a multifaceted approach to protection, incorporating advanced security measures, access controls and encryption technologies. This proactive stance ensures that we are resilient against emerging threats, adapt to evolving security landscapes, and maintain the trust of our users by safeguarding sensitive information with the utmost diligence and precision.

  3. Protect against reasonably anticipated, impermissible uses or disclosures;

In steadfast commitment to privacy and data protection, our company rigorously safeguards against reasonably anticipated, impermissible uses or disclosures of private information. Employing a combination of stringent access controls, encryption protocols, and comprehensive employee training programs, we establish a robust defense mechanism. Additionally, our policies align with the industry, ensuring a proactive and adaptable approach to addressing emerging threats. This holistic strategy reinforces our dedication to maintaining the confidentiality of private information, preventing any unauthorized uses or disclosures, and upholding the trust placed in us by our users. 

  4. Ensure compliance by our workforce.

To ensure unwavering compliance with the highest standards of safeguarding private information, our company prioritizes a culture of awareness and accountability among our workforce. We have implemented a policy that clearly articulates the expectations and responsibilities of every employee regarding the protection of private information.

Access controls and permissions are meticulously managed to restrict information access only to authorized personnel. We foster a sense of ownership among employees by emphasizing the critical role each individual plays in upholding our commitment to privacy. 

This document outlines the security measures used to protect customers' data for the software and hosting services that we provide. Vervet uses an Amazon Workspace database based in the United States.

Data Transmission

All data transmission between the browser/mobile app and the server (in flight) uses HTTPS with 256-bit encryption. In the event that this data is captured by packet sniffing on an unsecured network, the transmitted data would not be readable and would not provide any third party with information that would represent a security breach.

Data storage (at rest)

Any data received by the servers is first decrypted using a secure 256-bit encryption key and then, depending on the nature of the data, stored in a relational database either in plaintext or encrypted. Sensitive data is re-encrypted and stored in an encrypted format, so any access by staff, whether Vervet's or our data centers', would not reveal this data in a readable form. Non-sensitive data is stored in plaintext within the relational database, where it is accessed only by the system.

Vervet's classification of sensitive data

We classify as sensitive any data that is not in the public domain. For example, a customer's address would not be considered sensitive, as this information is readily available from numerous sources. Data such as passwords, medical information, passport information, etc., is considered sensitive and is stored encrypted, because this information is not readily available elsewhere and could cause the user distress or harm if it became compromised.

Software security

Any area of the website or mobile application that accepts input, such as a form, is automatically protected against code injection. This prevents anyone from uploading a remotely controlled application or injecting code into the system that could potentially reveal the data. Typically, this is to prevent what is known as SQL injection.

Server Security

The servers are protected by hardware and software firewalls, which control unauthorized access as well as potential denial-of-service activity. Any form of access to the server and its files other than typical browser/app activity is IP restricted. This means we have to grant access to an IP address before any form of access to the server is available. Irrespective of whether someone has a username and password, if their IP address is not granted on both firewalls, access is prevented. We also extend this protection to customers' admin areas if required. All potential access ports that are not in use and could provide malicious access are also locked down, either by IP address or by being disabled completely. Root access to both servers and firewalls is strictly controlled and limited to the owner of the company.

Additional server security: brute force protection

Automated software detects repeated failed password attempts and automatically blocks the user.

Virus scanning

The server runs automated scanning to detect viruses.

Suspicious activity monitoring

An automated service warns if any suspicious activity is detected on our customers' accounts, such as email spamming, potential unauthorized access, or attempts to upload executable files.

Staff security policy

Staff are only given access to the websites/mobile apps they are currently working on. This is also controlled by IP restriction, allowing us to revoke access once the work is completed. In the event of any staff member leaving our employment, all access is revoked and reinstated on a one-to-one basis to ensure that only the remaining staff have access to our systems and data. Any potentially vulnerable usernames and passwords for our systems and external systems are also updated on a regular basis, and at the point of any staff member leaving our employment.

Multi-Factor Authentication is used to ensure that only authorized users can gain access, including through the “Forgot Password” option.

Summary

This document is designed to provide an overview of the security measures taken to secure our customers' data. If you have additional requirements outside of these, please contact us and we will put together an individual security policy tailored to your exact requirements.

FAQs

Are there APIs to import / export data? If not, what tools do you have to do this?

Not at this time. We use Excel/CSV to upload information to the application. We are reviewing Blackbaud now. 

Where is the data center located?

The server is an AWS platform located in the United States.

Is it a modular app? Could we use one section without another?

The app is a single, holistic application. Everything is included when downloaded or accessed online. 

Does it allow an SSO?

There is no SSO at this time.

Encrypted data:

  • Date of Birth
  • Passport Number
  • Allergies
  • Dietary Requirements
  • Current Medications
  • Medical Conditions
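The field-level encryption described under "Data storage (at rest)" and the list of encrypted fields above, as an added illustration that is not Vervet's own code: the columns named in that list are sealed with AES-256-GCM before they reach the relational database, while non-sensitive columns are written as-is. The column names, the 32-byte key and the record values are assumptions constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"io"
)

// Columns from the "Encrypted data" list; every other column is stored in plaintext.
var sensitiveFields = map[string]bool{
	"date_of_birth": true, "passport_number": true, "allergies": true,
	"dietary_requirements": true, "current_medications": true, "medical_conditions": true,
}

// sealField encrypts one value with AES-256-GCM under a fresh random nonce and binds the
// column name as associated data, so a blob copied into another column will not open.
// Stored layout: base64(nonce || ciphertext || GCM tag).
func sealField(aead cipher.AEAD, field, value string) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(aead.Seal(nonce, nonce, []byte(value), []byte(field))), nil
}

// openField reverses sealField; any modification of the blob makes Open fail.
func openField(aead cipher.AEAD, field, stored string) (string, error) {
	ns := aead.NonceSize()
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil || len(raw) < ns {
		return "", errors.New("stored value is not a valid sealed blob")
	}
	pt, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(field))
	return string(pt), err
}

// transform applies op to the sensitive columns of a record and copies the rest unchanged.
// key must be 32 bytes (AES-256); in production it comes from a key management service.
func transform(key []byte, in map[string]string, op func(cipher.AEAD, string, string) (string, error)) (map[string]string, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 { // reject 16/24-byte keys that would silently select AES-128/192
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	out := make(map[string]string, len(in))
	for k, v := range in {
		if sensitiveFields[k] {
			if v, err = op(aead, k, v); err != nil {
				return nil, err
			}
		}
		out[k] = v
	}
	return out, nil
}

// ProtectRecord yields the row as written to the database; UnprotectRecord reverses it.
func ProtectRecord(key []byte, rec map[string]string) (map[string]string, error) { return transform(key, rec, sealField) }
func UnprotectRecord(key []byte, row map[string]string) (map[string]string, error) { return transform(key, row, openField) }
```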

Vervet GDPR Compliance Statement

Effective 01/01/2024

At Vervet, we are committed to protecting the privacy and security of personal data in accordance with the General Data Protection Regulation (GDPR). Our commitment to GDPR compliance is integral to our business practices, and we strive to uphold the following principles:

Lawfulness, Fairness, and Transparency:

We process personal data transparently, fairly, and lawfully, ensuring individuals are informed about the collection and processing of their data.

Purpose Limitation:

Personal data is collected for specified, explicit, and legitimate purposes, and not further processed in a manner incompatible with those purposes.

Data Minimization:

We only collect and process personal data that is adequate, relevant, and limited to what is necessary for the intended purposes.

Accuracy:

We take reasonable steps to ensure the accuracy of personal data and update it when necessary.

Storage Limitation:

Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected.

Integrity and Confidentiality:

We implement security measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.

Accountability:

Our organization is committed to demonstrating compliance with GDPR principles. We have designated individuals responsible for data protection, conduct regular assessments, and provide training to employees.

Data Subject Rights:

We respect and facilitate the exercise of data subjects’ rights, including the right to access, rectification, erasure, and the right to object to processing. 

International Data Transfers:

If applicable, we ensure that any international transfers of personal data comply with GDPR requirements, using appropriate safeguards as necessary.

Incident Response:

In the event of a data breach, we have established procedures to promptly assess, report, and mitigate the impact, in compliance with GDPR notification requirements.

By adhering to these principles, Vervet is dedicated to maintaining GDPR compliance and upholding the highest standards in data protection. For inquiries regarding our data protection practices, please contact Willy Fluharty.

Vervet CCPA Compliance Statement

Effective 01/01/2024

At Vervet, we are committed to ensuring the privacy and rights of California residents under the California Consumer Privacy Act (CCPA). Our commitment to CCPA compliance is integral to our business practices, and we adhere to the following principles:

Consumer Rights:

We respect the rights of California consumers, including the right to know, delete, and opt-out of the sale of personal information.

Notice at Collection:

We provide clear and conspicuous notices at the point of data collection, informing consumers about the categories of personal information collected and the purposes for which it will be used.

Data Minimization:

We only collect personal information that is reasonably necessary for the purposes for which it is being processed.

Non-Discrimination:

We do not discriminate against consumers who exercise their CCPA rights. All consumers are afforded the same level of service, regardless of their privacy choices.

Security Measures:

We implement reasonable security measures to safeguard personal information from unauthorized access, disclosure, and destruction.

Third-Party Accountability:

We ensure that third-party service providers processing personal information on our behalf are compliant with CCPA requirements.

Training and Awareness:

Our employees are trained on CCPA compliance, and awareness is promoted throughout the organization to ensure adherence to privacy principles.

Verification of Consumer Requests:

We have processes in place to verify the identity of consumers making requests to know or delete their personal information.

Record-Keeping:

We maintain records of consumer requests and the actions taken to comply with those requests as required by the CCPA.

Updates and Revisions:

This statement will be periodically reviewed and updated to reflect any changes in our data processing practices or in CCPA regulations.

By adhering to these principles, Vervet is dedicated to maintaining CCPA compliance and respecting the privacy rights of California consumers. For inquiries regarding our data protection practices or to exercise your CCPA rights, please contact Willy Fluharty.

Vervet Data Retention Policy

Effective 01/01/2024

  1. Purpose

This Data Retention Policy outlines the guidelines and procedures for the retention and disposal of company data to ensure compliance with legal requirements, safeguard sensitive information, and manage storage resources efficiently.

  2. Scope

This policy applies to all employees, contractors, and third-party service providers who have access to company data.

  3. Data Classification

Data will be classified based on sensitivity, legal requirements, and business needs. Categories may include:

  • Critical Data
  • Sensitive Data
  • Operational Data
  • Redundant/Obsolete Data

  4. Data Retention Periods

  • Critical Data: Retained for 7 years after the termination of the business relationship.
  • Sensitive Data: Retained for 3 years for operational purposes and compliance.
  • Operational Data: Retained for 12 months for immediate business needs.
  • Redundant/Obsolete Data: Regularly reviewed and promptly disposed of when no longer needed.

  5. Data Access and Security Controls

Only authorized personnel can access and modify data during the retention period. Access permissions are regularly reviewed and updated.

  6. Data Disposal Procedures

All data storage devices undergo secure deletion or physical destruction at end of life.

  7. Legal and Regulatory Compliance

We regularly monitor and update our policies to ensure compliance with applicable laws and regulations. We ensure that data retention practices align with legal requirements in all jurisdictions where the company operates.

  8. Training and Awareness

We conduct training sessions to educate employees about the importance of data retention, classification, and disposal. We foster awareness of the potential risks associated with mishandling or retaining data beyond the specified periods.

  9. Policy Review and Updates

The Data Retention Policy will be reviewed annually or as needed to reflect changes in legal requirements, business operations, or technology.

  10. Policy Enforcement

Violations of this policy may result in disciplinary action, up to and including termination of employment or legal action, depending on the severity and impact of the violation.

  11. Contact Information

For questions or concerns regarding this policy, please contact Willy Fluharty.

Vervet Data Breach Response Policy

Effective 01/01/2024

  1. Purpose

This Data Breach Response Policy outlines the procedures and responsibilities to be followed in the event of a suspected or confirmed data breach to minimize the impact, protect affected individuals, and comply with legal and regulatory obligations.

  2. Scope

This policy applies to all employees, contractors, and third-party service providers who have access to company data.

  3. Definition of a Data Breach

A data breach is defined as the unauthorized acquisition, access, use, or disclosure of sensitive or confidential information that compromises the confidentiality, integrity, or availability of such information.

  4. Reporting a Data Breach

Employees who suspect or discover a data breach must immediately report it to the designated point of contact (Willy Fluharty) within the organization.

  5. Investigation and Assessment

Upon receiving a report of a data breach, the organization will promptly initiate an investigation to:

  • Identify the nature and scope of the breach.
  • Assess the potential impact on affected individuals and the organization.
  • Determine the cause and vulnerabilities exploited.

  6. Containment and Mitigation

Efforts will be made to contain and mitigate the breach, prevent further unauthorized access, and limit the potential damage. This may involve isolating affected systems, changing access credentials, or implementing other protective measures.

  7. Notification

Affected individuals, regulatory authorities, and other relevant stakeholders will be notified in accordance with applicable laws and regulations. Notifications will include:

  • Description of the breach and the data involved.
  • Steps taken to contain and mitigate the breach.
  • Recommendations for affected individuals to protect themselves.

  8. Communication Plan

A designated spokesperson will coordinate external communication to ensure a consistent and accurate message is conveyed to the media, customers, and other stakeholders. All communication will be in compliance with legal requirements.

  9. Post-Incident Review

After the breach is contained and resolved, a thorough post-incident review will be conducted to:

  • Identify lessons learned.
  • Assess the effectiveness of the response.
  • Implement improvements to prevent future breaches.

  10. Legal and Regulatory Compliance

The organization will cooperate fully with law enforcement agencies, regulatory bodies, and other authorities as required by law.

  11. Training and Awareness

Regular training sessions will be conducted to ensure that employees are aware of their responsibilities in responding to a data breach and are familiar with the procedures outlined in this policy.

  12. Policy Review and Updates

The Data Breach Response Policy will be reviewed and updated annually or as needed to reflect changes in legal requirements, business operations, or technology.

  13. Contact Information

For questions or concerns regarding this policy, please contact Willy Fluharty.

Vervet Incident Response Plan

Effective 01/01/2024

  1. Purpose

This Incident Response Plan outlines the procedures and responsibilities for responding to and mitigating security incidents to ensure the confidentiality, integrity, and availability of Vervet’s information and systems.

  2. Scope

This plan applies to all employees, contractors, and third-party service providers who have access to company information and systems.

  3. Incident Definition

An incident is defined as any event that compromises the security, confidentiality, integrity, or availability of information or systems.

  4. Incident Categories

Incidents will be categorized based on severity:

  • Critical Incidents: Immediate and significant impact on business operations.
  • Major Incidents: Significant impact but manageable with predefined procedures.
  • Minor Incidents: Minimal impact requiring routine response.

  5. Incident Response Team (IRT)

A designated Incident Response Team will be established, consisting of representatives from IT, legal, communications, and relevant business units. The team will be led by the Incident Response Coordinator, Willy Fluharty.

  6. Incident Reporting

All employees must promptly report suspected or confirmed incidents to the Incident Response Coordinator. Reports should include a detailed description of the incident, including time, date, and any initial assessment of impact.

  7. Incident Response Process

  • Identification: Detect and confirm the incident.
  • Containment: Isolate affected systems to prevent further damage.
  • Eradication: Remove the cause of the incident.
  • Recovery: Restore affected systems to normal operation.
  • Lessons Learned: Analyze the incident to identify improvements for future prevention and response.

  8. Communication Protocols

Establish communication channels and protocols for internal and external communication during an incident. The designated spokesperson will coordinate external communication, ensuring a consistent and accurate message.

  9. Legal and Regulatory Compliance

Ensure compliance with applicable laws and regulations during incident response, including data breach notification requirements.

  10. Training and Awareness

Regularly train employees on incident response procedures, roles, and responsibilities. Conduct periodic drills to test the effectiveness of the response plan.

  11. Documenting Incidents

All incidents, including responses and resolutions, will be thoroughly documented. This documentation will be used for post-incident analysis, reporting, and improvement.

  12. Post-Incident Review

After each incident, conduct a post-incident review to assess the effectiveness of the response, identify lessons learned, and implement improvements to the incident response plan.

  13. Policy Review and Updates

The Incident Response Plan will be reviewed and updated annually or as needed to reflect changes in legal requirements, business operations, or technology.

  14. Contact Information

For questions or concerns regarding this plan, please contact Willy Fluharty.