1. Introduction
In order to operate efficiently SimBiotic Software® (SimBio) has to collect and use information about individuals and institutions with whom it works. These may include members of the public, current, past and prospective employees, clients, customers (students and educational institution personnel) and suppliers. SimBio’s Data Policy focuses on the data stored within SimBio’s SimUText System®. This is the only place within SimBio where data from students is stored long term. However, the tenets of the policy apply to all of SimBio’s systems where student information may potentially be stored, including tools used for providing user support to students.
SimBio is committed to ensuring information is properly managed and SimBio will take prudent, industry-recommended best practices to meet its obligations under this policy and will regularly review procedures to ensure that it is doing so.
SimBio’s data security policy balances three principal goals against the needs of operating our business and fulfilling the needs of our users:
- Minimize the amount and value of user data we store
- Minimize the chances that user data is leaked or lost
- Have procedures in place to detect, inform, trace, and correct / block sources of any losses or leaks in user data
2. Overview
SimBio’s data security starts by limiting the data that is stored. SimBio does NOT store any of the following personal information about students who use SimBio’s SimUText System:
- Credit cards or any other financial information (when collected, credit card information is securely transmitted directly to a large, established credit card processor without long-term storage of that information by SimBio)
- Grades
- Directly-stored passwords (all passwords are stored as hashes)
- Addresses or phone numbers
- Any government identification (social security number, driver’s license, etc.)
- Medical information
- Birthdates
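The list above says passwords are kept only as hashes. What that should mean in practice is a salted, deliberately slow password hash with constant-time verification, not a bare SHA-256 of the password. The following is an added example written for this page, not SimBio’s code; the iteration count and record format are assumptions chosen to illustrate the technique (PBKDF2-HMAC-SHA256 from the Python standard library), and the example also shows how a store migrates older records to a stronger setting on the next successful login.

```python
import hashlib
import hmac
import os

# Added example, not SimBio's code. Storage format and parameters are
# assumptions for illustration: algorithm$iterations$salt_hex$hash_hex
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed policy value; raise it as hardware gets faster
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Hash a password with a fresh random salt and return a self-describing record.

    A per-password salt means two users with the same password get different
    records, and a precomputed table cannot be reused against the whole store.
    """
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash using the salt and iteration count stored in the record.

    hmac.compare_digest compares in constant time, so a failed login does not
    leak how many leading bytes of the hash matched. Malformed records fail closed.
    """
    try:
        algorithm, iterations_str, salt_hex, hash_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  iterations, dklen=len(expected))
    return hmac.compare_digest(derived, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record is weaker than current policy.

    Call this after a successful verify_password(); the plaintext is available
    only at that moment, so that is when an old record can be re-hashed.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("login ok:", verify_password("correct horse battery staple", stored))
    print("wrong pw:", verify_password("Correct horse battery staple", stored))
    legacy = hash_password("old-password", iterations=10_000)
    print("legacy record needs rehash:", needs_rehash(legacy))
```

The record carries its own algorithm name and cost, so the policy value can be raised later without invalidating existing logins: old records keep verifying, `needs_rehash()` flags them, and they are replaced the next time the user authenticates.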
SimBio deletes data from student work within the SimUText System on a regular basis. Data on student work is not retained longer than one year after the end of the class in which the student conducted the work.
In addition to limiting the data stored, SimBio has a variety of industry standard policies, processes, and systems to reduce the possibility of data loss. SimBio also has plans in place for recovering from and reporting data loss. These are outlined below.
SimBio does not release, share, or sell any data collected about or from students to any third parties, inclusive of all data within the SimUText System, other than for publishing results of IRB-approved educational research.
3. People and Policies
SimBio’s data security policy applies to all employees, contractors, agents and representatives and temporary staff working for or on behalf of SimBio. A Data Security Auditor appointed by SimBio management has overall responsibility for compliance with the SimBio Data Protection Policy.
4. Systems
SimBio uses a mix of colocated physical servers, cloud-based servers, and personal computers for all operations. SimBio relies on the partners who maintain the physical hardware for first-line protection of the servers and for maintaining operating system updates. SimBio has multiple levels of security implemented for reaching systems that store user data.
5. Processes
In addition to built-in protections, SimBio implements a number of processes to aid in preventing and recovering from data loss, including regular backups and other maintenance, de-identification of data before it leaves production systems, employee training, and routinely conducting tests of our ability to restore our systems in the event of an attack or failure. This security policy is reviewed yearly.
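One of the processes named above is de-identification of data before it leaves production, which is also what makes the IRB-approved research publication in section 2 possible without releasing student identities. The following added example, written for this page and not taken from SimBio’s systems, shows the shape such a step takes: direct identifiers are dropped, the student identifier is replaced with a keyed pseudonym whose key never leaves production, and timestamps are coarsened. The records, field names and key are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample records for this example; not real SimBio data.
PRODUCTION_RECORDS = [
    {"student_id": "s-10442", "name": "Ada Lovelace", "email": "ada@example.edu",
     "institution": "Example University", "module": "Module A",
     "score_pct": 87, "submitted": "2023-10-04T14:22:09Z"},
    {"student_id": "s-10442", "name": "Ada Lovelace", "email": "ada@example.edu",
     "institution": "Example University", "module": "Module B",
     "score_pct": 91, "submitted": "2023-11-12T09:03:41Z"},
    {"student_id": "s-20817", "name": "Alan Turing", "email": "alan@example.edu",
     "institution": "Example College", "module": "Module A",
     "score_pct": 78, "submitted": "2023-10-05T18:40:00Z"},
]

# Fields that identify a person on their own and must not leave production.
DIRECT_IDENTIFIERS = frozenset({"student_id", "name", "email"})

# The HMAC key stays in production. Without it a recipient of the export cannot
# recompute pseudonyms from a list of known student IDs, which a plain hash
# would allow (student IDs are short and enumerable).
PSEUDONYM_KEY = b"assumed-production-only-secret"  # assumption for the example


def pseudonym(student_id: str, key: bytes) -> str:
    """Keyed, deterministic replacement for a student ID.

    Deterministic so one student's work stays linkable across modules within a
    single export; keyed so the mapping cannot be rebuilt outside production.
    """
    return hmac.new(key, student_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def deidentify_record(record: dict, key: bytes) -> dict:
    """Return a copy of one record that is safe to leave production."""
    clean = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    clean["participant"] = pseudonym(record["student_id"], key)
    # Coarsen the timestamp to year-month: exact submission times are a
    # linkage risk when combined with class rosters.
    clean["submitted"] = record["submitted"][:7]
    return clean


def deidentify(records: list, key: bytes) -> list:
    return [deidentify_record(r, key) for r in records]


def leaks_direct_identifier(records: list) -> bool:
    """Export-time check: refuse to ship anything that still carries a direct identifier."""
    return any(DIRECT_IDENTIFIERS & set(r) for r in records)


if __name__ == "__main__":
    export = deidentify(PRODUCTION_RECORDS, PSEUDONYM_KEY)
    assert not leaks_direct_identifier(export)
    for row in export:
        print(row)
```

The check in `leaks_direct_identifier()` belongs at the export boundary rather than in the transformation itself, so that a new field added to the production schema later cannot slip out unnoticed. Rotating the key produces a fresh set of pseudonyms, which is the right default when separate exports should not be linkable to each other.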
6. Customer’s Right to Access Their Personal Information
Any person whose details are held by SimBio is entitled to ask for a copy of all information held about them.
When SimBio receives a request, SimBio will respond as soon as possible, and in no case longer than 30 calendar days.
When providing the information SimBio will also provide a description of why the information is processed, details of anyone it may be disclosed to and the source of the data.
7. Breach of the Policy
Non-compliance with the requirements of this policy by the members of staff could lead to serious action being taken by third parties against SimBio. Non-compliance by a member of staff is therefore considered a disciplinary matter that, depending on the circumstances, could lead to dismissal.
8. Procedures for Notifying Interested Parties in the Event of a Data Incident
In the event that there is a breach of SimBio’s database security or any other incident involving personal user information stored by SimBio, SimBio will, within 5 business days of discovery and verification of the breach:
- To the best of our ability, notify all users who were directly affected by the data incident,
- To the best of our ability, notify the appropriate personnel at any institutions to which those users were associated in their use of SimBio’s software,
- Notify the appropriate personnel of any third parties, such as publishers, whose customers may have been affected by SimBio’s data incident, and/or
- Notify the appropriate government authorities,
as required by applicable law.