INCISIV may collect and receive Customer Data and other information and data (“Other Information”) in a variety of ways:
● Customer Data. Customers or individuals granted access to the INCISIV platform by a Customer (“Authorized Users”) routinely submit Customer Data to INCISIV when using the Services.
● Other Information. INCISIV also collects, generates and/or receives Other Information:
1. Profile and Account Information. To create or update an account, you or your Customer (e.g., your employer) supply INCISIV with an email address, phone number, password, domain and/or similar account details. In addition, Customers that purchase a paid version of the Services provide INCISIV (or its payment processors) with billing details such as credit card information, banking information and/or a billing address.
2. Usage Information.
■ Services Metadata. When an Authorized User interacts with the Services, metadata is generated that provides additional context about the way Authorized Users work. For example, INCISIV logs the users, features, content and links you view or interact with, the types of files shared, and what Third Party Services are used (if any).
■ Log data. As with most websites and technology services delivered over the Internet, our servers automatically collect information when you access or use our Websites or Services and record it in log files. This log data may include the Internet Protocol (IP) address, the address of the page visited before using the Website or Services, browser type and settings, the date and time the Services were used, information about browser configuration and plugins, language preferences and cookie data.
■ Device information. INCISIV collects information about devices accessing the Services, including type of device, what operating system is used, device settings, application IDs, unique device identifiers and crash data. Whether we collect some or all of this Other Information often depends on the type of device used and its settings.
■ Bulk Data. INCISIV collects data such as x,y,z data about user movement in VR, where they are looking in VR and the objects they have interacted with.
■ Task & metrics Data: INCISIV collects data on how users complete tests assigned to them. This data can include time, accuracy, speed, gaze, general head and hand movement etc.
4. Third Party Services. A Customer can choose to permit or restrict Third Party Services for the INCISIV platform. Typically, Third Party Services are software that integrate with our Services, and a Customer can permit its Authorized Users to enable and disable these integrations for its Workspace. INCISIV may also develop and offer applications that connect the Services with a Third Party Service. Once enabled, the provider of a Third Party Service may share certain information with INCISIV.
5. Contact Information. In accordance with the consent process provided by your device, any contact information that an Authorized User chooses to import (such as an address book from a device) is collected when using the Services.
6. Third Party Data. INCISIV may receive data about organizations, industries, lists of companies that are customers, Website visitors, marketing campaigns and other matters related to our business from parent corporation(s), affiliates and subsidiaries, our partners, or others that we use to make our own information better or more useful. This data may be combined with Other Information we collect and might include aggregate-level data.
Generally, no one is under a statutory or contractual obligation to provide any Customer Data or Other Information (collectively, “Information”). However, certain Information is collected automatically and, if some Information, such as Workspace setup details, is not provided, we may be unable to provide the Services.
How We Use Information
Customer Data will be used by INCISIV in accordance with Customer’s instructions, including any applicable terms in the Customer Agreement and Customer’s use of Services functionality, and as required by applicable law. INCISIV is a processor of Customer Data and Customer is the controller. Customer may, for example, use the Services to grant and remove access to the INCISIV platform, assign roles and configure settings, access, modify, export, share and remove Customer Data and otherwise apply its policies to the Services.
INCISIV uses Other Information in furtherance of our legitimate interests in operating our Services, Websites and business. More specifically, INCISIV uses Other Information:
● To provide, update, maintain and protect our Services, Websites and business. This includes use of Other Information to support delivery of the Services under a Customer Agreement, prevent or address service errors, security or technical issues, analyze and monitor usage, trends and other activities, or at an Authorized User’s request.
● As required by applicable law, legal process or regulation.
● To communicate with you by responding to your requests, comments and questions. If you contact us, we may use your Other Information to respond.
● To develop and provide insights and additional features. INCISIV tries to make the Services as useful as possible for specific training and Authorized Users. For example, we may use predictive models, identify organizational trends and insights, to customize a training experience, or create new productivity features and products.
● To send emails and other communications. We may send you service, technical and other administrative emails, messages, and other types of communications. We may also contact you to inform you about changes in our Services, our Services offerings, and important Services-related notices, such as security and fraud notices. These communications are considered part of the Services and you may not opt out of them. In addition, we sometimes send emails about new product features, promotional communications, or other news about INCISIV. These are marketing messages so you can control whether you receive them. If you have additional questions about a message you have received from INCISIV please reach out through the contact mechanisms described below.
● For billing, account management and other administrative matters. INCISIV may need to contact you for invoicing, account management, and similar reasons and we use account data to administer accounts and keep track of billing and payments.
● To investigate and help prevent security issues and abuse.
This section describes how INCISIV may share and disclose Information. Customers determine their own policies and practices for the sharing and disclosure of Information, and INCISIV does not control how they or any other third parties choose to share or disclose Information.
● Customer’s Instructions. INCISIV will solely share and disclose Customer Data in accordance with a Customer’s instructions, including any applicable terms in the Customer Agreement and Customer’s use of Services functionality, and in compliance with applicable law and legal process.
● Displaying the Services. When an Authorized User submits Other Information, it may be displayed to other Authorized Users in INCISIV. For example, an Authorized User’s email address may be displayed with their INCISIV profile.
● Collaborating with Others. The Services provide different ways for Authorized Users working in INCISIV to collaborate, such as shared insights or multiuser interoperability. Other Information, such as an Authorized User’s profile Information, may be shared, subject to the policies and practices of the other INCISIV users within your organisation.
● Customer Access. Owners, administrators, Authorized Users, and other Customer representatives and personnel may be able to access, modify, or restrict access to Other Information. This may include, for example, your employer using Service features to export logs of INCISIV activity or accessing or modifying your profile details.
● Third Party Service Providers and Partners. We may engage third party companies or individuals as service providers or business partners to process Other Information and support our business. These third parties may, for example, provide virtual computing and storage services, or we may share business information to develop strategic partnerships with Third Party Service providers to support our common customers.
● Corporate Affiliates. INCISIV may share Other Information with its corporate affiliates, parents and/or subsidiaries.
● During a Change to INCISIV’s Business. If INCISIV engages in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of INCISIV’s assets or shares, financing, public offering of securities, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities, some or all Other Information may be shared or transferred, subject to standard confidentiality arrangements.
● Aggregated or De-identified Data. We may disclose or use aggregated or de-identified Other Information for any purpose. For example, we may share aggregated or de-identified Other Information with prospects or partners for business or research purposes, such as telling a prospective INCISIV customer the average amount of time spent within a typical INCISIV training experience.
● To Comply with Laws. If we receive a request for information, we may disclose Other Information if we reasonably believe disclosure is in accordance with or required by any applicable law, regulation, or legal process.
● To enforce our rights, prevent fraud, and for safety. To protect and defend the rights, property, or safety of INCISIV or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud or security issues.
● With Consent. INCISIV may share Other Information with third parties when we have consent to do so.
INCISIV takes security of data very seriously. INCISIV adopts Microsoft Defender for Cloud, which is a unified cloud-native platform that helps strengthen your security posture, enables protection against modern threats, and helps reduce risk throughout the cloud application lifecycle across multi-cloud and hybrid environments. INCISIV uses the Microsoft Defender for Cloud initiatives and implements the security recommendations as defined in the Azure Security Benchmark v3.
Microsoft Azure Architecture Overview
The Microsoft Azure platform is used to capture and host all the data from VR training. Different Azure resources are utilized to ensure a smooth process. Authenticated devices send data to our Azure cloud platform, where raw unprocessed data is catalogued in a database and incoming raw data files are analysed by proprietary analytics. Results are catalogued in the database and anonymised raw data files are stored in an Azure Blob Storage container. All end-user data is visualised by a Power BI Dashboard with access restricted to Azure Active Directory (AAD) accounts and row-level security policies.
Data Security – Azure
This architecture provides customers with strong data security, both by default and as customer options. User credentials security, server-level security and data security are managed by the different Azure services mentioned below:
Azure Active Directory (AD):
To assure data security, Directory Data in Azure AD is signed and encrypted while in transit between data centers within a scale unit. The data is encrypted and unencrypted by the Azure AD core store tier, which resides inside secured server hosting areas of the associated Microsoft data centers. Customer-facing web services are secured with the Transport Layer Security (TLS) protocol.
Secret Storage:
The Azure AD service back-end utilizes secret stores for storing sensitive material for service use, such as certificates, keys, credentials, and hashes, using technology that is proprietary to Microsoft. The specific store used depends on the service, the operation, the scope of the secret (user-wide or tenant-wide), and other requirements. Multiple algorithms are used to keep the user credentials secure.
Azure Key Vault:
The architecture utilizes Azure Key Vault, which helps customers easily maintain control of keys that are used by cloud applications and services to encrypt data.
Webservices:
The webservices provide the secure connection between HEAT and Azure. All the server-level security is managed with webservices.
User Access Management:
All user access management is controlled using Azure Active Directory. Access can be provided by assigning different roles and responsibilities as per the user type.
Dynamic Data Masking:
All Azure cloud INCISIV databases implement dynamic data masking of sensitive information, such as personal information (e.g. user names, passwords etc.). This security policy prevents unauthorized access to sensitive data by enabling customers to designate how much of the sensitive data to reveal with minimal impact on the application layer. It's a policy-based security feature that hides the sensitive data in the result set of a query over designated database fields, while the data in the database is not changed. All user passwords are protected by server-side salted secured hash algorithms (HMACSHA512).
Azure Cloud Defender Security:
While Microsoft Azure does provide security measures against data loss or damage, and cyberattack, we have also put a plan in place to ensure all client/user data is protected, and we avail of Microsoft Azure Security Centre as a service which regularly monitors our deployed infrastructure for weaknesses, provides alerts related to data integrity or security, and guides the end-user to Data Security compliance. All Microsoft Azure datacentres are designed, built, and operated in a way that satisfies top industry standards, such as ISO27001, HIPAA, FedRAMP, SOC 1, and SOC 2, and UK GCloud. INCISIV customers will benefit from this service standard, including a Disaster Recovery protocol to ensure 99.9% data availability through synchronisation of data and servers to other geolocated datacentres and automatic re-routing to mitigate any downtime by the principal Datacentre. Furthermore, Azure portal platform passwords are regularly changed with complex passwords and multi-factor authentication (MFA) is required to log in. Azure resource admin passwords/connection strings/SAS keys are all administered by an INCISIV super admin and changed regularly. All stored data is encrypted at rest and data movements utilise secure data transfer protocols.
Data recovery and business continuity plan
We have implemented an API that is wrapped around a local syncing API. If for whatever reason there is a loss of internet connectivity during runtime, all anonymised data files are stored locally in a SQLite database, and the data files are pushed to the cloud whenever connectivity is restored. Regardless, all data files are stored locally on the device in the event of catastrophic issues, which can be transferred to INCISIV and manually added to our cloud infrastructure.
Azure cloud: Azure databases are backed up regularly (24-hour cycle) and geo-replicated, and anonymised raw data files (with 30-day retention period) are equally backed up in the cloud on Azure. Data storage and database performance are regularly monitored through a number of Cloud services, and resources can be scaled up or out on demand to handle load on our servers and data storage containers.
International Data Transfers
INCISIV may transfer your Personal Data to countries other than the one in which you live. We deploy the following safeguards if INCISIV transfers Personal Data from jurisdictions with differing data protection laws:
● E.U.-U.S. Privacy Shield and Swiss-U.S. Privacy Shield. To comply with European Union and Swiss data protection laws, True Communication Technologies Ltd, trading as INCISIV (“INCISIV”) self-certified under the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield. These frameworks were developed to enable companies to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States. To learn more about the Privacy Shield Program, please see http://www.privacyshield.gov/welcome. Once the United Kingdom is no longer a Member State of the European Union, INCISIV will comply with the E.U.-U.S. Privacy Shield in respect of the collection, use and retention of personal data transferred from the United Kingdom to the United States in reliance on the E.U.-U.S. Privacy Shield, or any successor framework between the U.S. and the U.K.
● European Union Model Clauses. INCISIV offers European Union Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our Customers that operate in the European Union and the United Kingdom, and other international transfers of Customer Data.
Data Protection Officer
To communicate with our Data Protection Officer, please email firstname.lastname@example.org
Identifying the Data Controller and Processor
Data protection law in certain jurisdictions differentiates between the “controller” and “processor” of information. In general, Customer is the controller of Customer Data. In general, INCISIV is the processor of Customer Data and the controller of Other Information.
Your Rights
Individuals located in certain countries, including the European Economic Area and the United Kingdom, have certain statutory rights in relation to their personal data. Subject to any exemptions provided by law, you may have the right to request access to Information, as well as to seek to update, delete or correct this Information. If you wish to access this information, please contact the Customer who controls your INCISIV for additional access and/or assistance. To the extent that INCISIV’s processing of your Personal Data is subject to the General Data Protection Regulation (or applicable laws covering the processing of Personal Data in the United Kingdom), INCISIV relies on its legitimate interests, described above, to process your data.
Data Protection Authority
Subject to applicable law, you also have the right to (i) restrict INCISIV’s use of Other Information that constitutes your Personal Data and (ii) lodge a complaint with your local data protection authority. As the United Kingdom is no longer a Member State of the European Union, you may direct questions or complaints to the UK supervisory authority, the Information Commissioner’s Office
18 Ormeau Avenue,