These requirements reflect the changes to the relevant European data protection laws, specifically the 2016 General Data Protection Regulation (GDPR). Customers should be aware that clients who are also citizens of the EU are eligible persons under the GDPR even if they have only provided a non-EU residence address. For purposes of the GDPR and similar laws and regulations, the roles of Xenegrade and its customers are as follows. Laws and regulations may identify different requirements for each of these roles.
- Xenegrade is considered to be in the data processor role.
- Customers are considered to be in the data controller role.
PRIVACY
Xenegrade's privacy policy is to respect and protect the privacy of users and students. Xenegrade follows five core principles of privacy protection in the operation of its software applications.
Policy/Requirement | Xenegrade | Customer |
---|---|---|
Notice / Awareness | | |
Inform customers that Xenegrade is not the owner of the data they collect and may take full ownership of the data upon agreement termination. | Yes | |
Provide customers the ability to share their Privacy Policy. | Yes | |
Provide clients with access to customer's Privacy Policy. | Yes | |
Provide customers information about the type of data collected and how it is used. | Yes | |
Provide clients information about the type of data collected, how it is used, and lawful basis for collecting information. | Yes | |
Provide customers/clients information about the data that is shared with third-party vendors. | Yes | Yes |
Provide customers/clients information about the data retention period. | Yes | Yes |
Choice / Consent | | |
Provide customers the ability to obtain and modify consent to recording and use of client's personal information. | Yes | |
Provide clients the ability to obtain and modify consent to recording and use of personal information at every source of registration. | Yes | |
Provide clients the ability to opt-in to and modify direct marketing consent. | Yes | |
Access / Participation | | |
Provide customers the ability to share recorded client's personal information for review or data portability. | Yes | |
Provide clients access to recorded personal information upon request for review or data portability. | Yes | |
Correct data inaccuracies to clients' recorded personal information upon request. | Yes | |
Provide customers the ability to delete all data for a client or modify a client's records as anonymous. | Yes | |
Provide clients the ability to request full delete or full anonymity of their personal information. | Yes | |
Data Integrity / Security | | |
Install and maintain appropriate physical, electronic, and managerial procedures to safeguard and secure the information collected. | Yes | Yes |
Manage user and client login credentials to safeguard and secure the information collected. | Yes | |
Inform clients within 72 hours if personal data has been breached. | Yes | Yes |
Enforcement / Redress | | |
Provide customers a method to submit concerns that Xenegrade did not adhere to its Privacy Policy. | Yes | |
Provide clients a method to submit concerns that the customer did not adhere to its Privacy Policy. | Yes | |
SECURITY
Authentication from Xenegrade’s servers restricts application access using up-to-date methods. From user security, environmental security, firewalls, SSL certificates, and IP protection, Xenegrade covers all the bases. Details are not provided in this public area for security reasons. However, customers can obtain more information via a written request.
PCI COMPLIANCE
Xenegrade performs a PCI compliance scan of all systems on a monthly basis. A PCI Compliance Certificate is available upon request.
Some customers choose to run a PCI compliance scan of their site. Xenegrade requests that all such scans be approved and scheduled with Xenegrade in advance. Scheduling a PCI scan in cooperation with Xenegrade prevents multiple organizations from scanning at the same time, which could cause server issues that shut down servers or dramatically diminish performance.