Data and Information Privacy Policy

Issue No: 4.0
Updated: January 2022

Purpose

Intradiem (the “Company”) captures customer information which is directly acquired or provided through integrations or otherwise. As a result, the Company has adopted a Data and Information Privacy Policy (the “Policy”) to protect “nonpublic personal information” of its customers, classified as Privacy- restricted.
Nonpublic personal information includes nonpublic “personally identifiable information” plus any list, description or grouping of customers that is derived from nonpublic personally identifiable information and contains personally identifiable information through which an individual can be identified. The primary purpose of this policy is to implement administrative, technical and physical safeguards to protect the security, confidentiality, integrity and privacy of Customer information.

Scope

This Policy applies to all employees, contractors and temporary staff of the Company, its subsidiaries and/or affiliates who directly or remotely access the Company’s infrastructure and/or systems.

Policy Owner

The Chief Technology Officer (CTO) shall have final authority over the management of the Policy. The CTO may delegate his/her authority regarding this Policy as he/she sees fit.

Changes

The Company may modify or amend this Policy at any time with or without prior notice.

Violations

Anyone violating this Policy shall be subject to disciplinary action up to and including termination of employment for cause.

Policy

It shall be the policy of Intradiem to protect the privacy, confidentiality and integrity of Customer Privacy-restricted information and data, as well as any non-customer information which is classified as Privacy-restricted or confidential.  The Company will comply with all appropriate laws and regulations regarding the Company’s obligations to protect such information.

Customer Information and Data Collected by Intradiem:

The mobile application collects and stores the following data locally to the mobile device:

Agent Contact Preferences: This includes email address, mobile number, and contact preferences indicating over which channel they prefer to receive messages (SMS, email, Push Notifications).

Work Preferences:  Work preferences are set by the Agent and indicate what days of the week and times of day the user would like to be contacted if shifts become available.  Note, this is only applicable if enabled for that tenant by the organization.

Application Data: Agent schedule data and inbox messages are cached locally on the mobile device and synchronized with the tenant at 15-minute intervals.

Security:

All data stored within the mobile application is encrypted using AES 256-bit encryption.  Every read/write operation on the device decrypts and encrypts data, meaning that no data is ever left unencrypted on the device.

Touch ID is stored in Apple Keychain in order to support secure, biometric authentication.

No data is shared between applications on the device, meaning that data cannot “bleed” between applications.

Passwords are never stored on the device.

Some of the third-party libraries used require location to access wifi networks and read/write to external storage permission to get callback from the OS in case of filesystem changes for the security, but none of the data is collected or shared.

Retention, Disposal, and Destruction: Data and Information destruction must comply with regulatory and contractual requirements. Data retention should be identified within contracts with each customer. In the absence of a data retention clause, the Company will follow its standard retention policy. Right to erasure, or export as defined in GDPR, must be outlined in customer contracts. In the absence of a data destruction clause, the Company will follow its standard destruction policy. DevSecOps will retain a data retention and destruction matrix based on classification and in accordance with policy and procedure.

Access: In accordance with Company Policy and Procedure as well as with any contractual requirements, granting access to data and information (paper or electronic format) must follow the principle of least privilege. All controls must be appropriately designed to allow for authorized access only.

Electronic Format

  • When transmitted over a public or wireless network, data must be encrypted
  • Customer Privacy-restricted or confidential information and data is prohibited from being exported, specifically to mobile or portable device(s)
  • Technical controls must be in place and supported by procedural controls to ensure information and data is not moved, copied, removed or otherwise location moved without prior authorization
  • Data can be stored on systems and applications which reside in the Company’s data
  • Any 3rd party housing the data center must be reviewed and approved by the Company
  • Applications displaying data must control visibility to data by security role


Paper Format

  • Documents must be labeled in accordance with information and data classification policy (see Asset Management Policy)
  • No documents can remain on the desk at the end of each day. All documents must be stored within a lockable desk or cabinet.

Technical and Procedural Controls

  • All assets must comply with Access Control, Acceptable Use, Network, Server Security and all other applicable IT and Security policies and procedures
  • All IT assets used for processing, transmitting and storing nonpublic information must be protected by way of technical controls including, but not limited to, role-based access (granted on the principle of least privilege), monitored by IDS and IPS, and DLP enabled to ensure confidentiality and integrity of data and information

Non-Disclosure:

The Company maintains safeguards to comply with federal and state laws, regulations, and standards to guard Privacy-restricted data and information. The Company does not share any nonpublic personal data and information with any nonaffiliated third parties, except in the following circumstances:

  • As necessary to provide Company services or to maintain and service the customer’s account.
  • As required or requested by regulatory authorities or law enforcement officials who have jurisdiction over the Company or as otherwise required or permitted by any applicable law; and
  • To the extent reasonably necessary to prevent fraud and unauthorized

 
Employees are prohibited from disclosing data and information regardless of classification to unauthorized third parties or for any purposes not authorized by the Company.

Mobile Application Specific Policy:

The Intradiem Mobile application communicates across secured and encrypted API connections to display information to the user on the handheld device. This architecture provides a very high quality of service.
Administrators can edit profiles and permissions to revoke access to any user through the administration console . The application provides access to functions based upon the core permissions and rights defined for each user by the administrator. Mobile users are never able to view or access more than their permissions allow.

Mobile Application FAQ:

  • What kind of data is transferred (send/receive) between the app and the servers?
    • Schedule Data (shift information for the user).
    • Schedule Event Requests (example: sending a request to change a shift start time).
    • (Encrypted) Login Credentials.
    • Alerts & Messages (including yes/no questions)
    • Agent Preference Data (such as: email, phone, work times preferred).
  • Are these communications encrypted?
    • Yes, SSL (Secure Socket Layer) communication encryption is used for all API calls.
    • All components require authentication at each point and time of access.
  • What security permissions are required?
    • Username and password if using our system alone.
    • If using SSO, the credentials for whatever 3rd party system being used.
  • Can the user manually log out of the application?
    • Yes
  • Is the user automatically logged out of the application?
    • Automatic timeout/logout of the application can be customized by the administrator.
    • The user is required to log in again upon each launch of the application.

Contact Information

Intradiem, Inc.
Mansell Two
3650 Mansell Road
Suite 500
Alpharetta, GA 30022

If you have any questions, concerns or comments about this Privacy Statement, please contact us.