Section 6.0 of the Propel, Inc., (“Propel” or “Company”) Information Security Management Policy (“ISMP”), incorporated herein by reference and available upon request, identifies the need for sub-policies to address a variety of information security subjects, one of which is privacy, as addressed by the European Union (EU) through its General Data Protection Regulation (GDPR), and the state of California through its California Consumer Privacy Act (CCPA) and its California Privacy Rights Act (CPRA). It is important to note that Propel® also strives to achieve substantive compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, and other compliance standards including the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Omnibus Final Rule, all of which are addressed in separate policies. Further, as a matter of policy, the Company strives to comply with both the letter and spirit of applicable laws and regulations, and it acknowledges the more comprehensive requirements of the GDPR, CCPA and CPRA. Propel® seeks to construct its culture of privacy compliance upon a foundation of global privacy concepts, characterized by transparency, consent and a sense of “doing the right thing” at the front end of its decision-making processes. This means that when the Company seeks explicit consent from individuals, it is accompanied by a clear privacy notification and an understandable explanation of how and why we collect personal data, with whom it is shared and at what risk. For Propel, the collateral benefit is that its efforts to comply with the GDPR, CCPA and CPRA also serve to embrace the nearly global expectation that privacy is a natural right to be duly protected.
While the terminology and definitions may differ politically, geographically and from one organization to another, the shared objective of data privacy is to protect the privacy rights of individuals. Propel’s stated objective is to secure and keep private the protected information that the Company handles in conjunction with its clients, its clients’ employees, its third-party data-center host and other mission-related third-party vendors, etc. The GDPR objective is to protect “fundamental rights and freedoms of natural persons, particularly their right to the protection of personal data.” (GDPR-Article 1.2). CCPA’s objective is to “further Californians’ right to privacy by giving consumers an effective way to control their personal information by ensuring the following rights: (1) The right…to know what personal information is being collected about them. (2) The right…to know whether their personal information is sold or disclosed and to whom. (3) The right…to say “no” to the sale of personal information. (4) The right… to access their personal information and (5) The right…to equal service and price, even if they exercise their privacy rights.” (Sec. 3. Title 1.81.5 commencing with Section 1798.100). At Propel, these objectives are consistent with one another.
This sub-policy applies to all Propel employees, contractors, vendors and agents with a Propel-owned or personally owned computer or workstation used to connect to the Company’s network (to all web application development, staging and production servers currently owned or maintained by Propel). The Company’s business model embraces two types of infrastructure with different functions, handling different amounts of personal data. The corporate infrastructure consists of a single server located in a secure area within the Company’s offices and is sometimes referred to as the corporate/office server. It handles less than 1 percent of the personal data collected from our clients and their employees. Its two primary functions are to support Propel’s intra-company applications and to provide a working platform or software workstation upon which the Company’s team members develop, maintain, customize, revise and support what becomes a customized wellbeing program for use by our clients and their employees. See Section 3.0 below. This finished product, a client portal, formally activates upon the infrastructure known as the “Propel® platform” at the time of licensing, whereupon it is placed under client control at or about the time of program launch. Of course, appropriate Propel team members maintain access to the portal for maintenance purposes, etc. It is at this juncture that personal data begins to flow through the client’s portal. See Section 4.0 for an understanding of the dynamics of the “Propel® platform.”
Propel, Inc., is engaged in the development, maintenance, customization and support of the Propel® platform, a Software as a Service (SaaS) platform that is customized to run and manage comprehensive wellbeing programs.
Crucial to an understanding of this Privacy, GDPR and CCPA Compliance Sub-Policy is the concept of how Propel’s clients can access and utilize their data. Each Propel client accomplishes this via a separately installed web application and database located on one of the servers maintained for Propel, Inc., by IBM Corporation (through its subsidiary, IBM Cloud). IBM serves as Propel’s third-party data center host at IBM Data Center locations, either in Dallas, Texas or Slough, United Kingdom (U.K.). Daily backups of all databases for the Propel® platform servers (including those used as client portals) are conducted in accordance with configuration instructions furnished by Propel when servers are brought online. These servers are maintained, protected, guarded and carefully hosted within the IBM data center environment pursuant to written agreement between Propel and IBM Corporation. Specifically, these client portals use dedicated “bare metal servers” maintained solely for Propel and its clients. The use of such dedicated bare metal servers has two important operational advantages over those which are virtual/cloud based. First, any risk of improper or deficient load sharing is alleviated, the existence of which could affect the ability of our clients to access their respective data in a crisis. Second, more than 99% of our clients’ employees’ personal data (usually protected health-care information, PHI) is handled within the confines of the carefully controlled IBM Cloud environment and NOT on Propel’s corporate/office server. Each of IBM’s data centers is designed with a focus upon redundancy in its infrastructure systems and Network Point of Presence (POP). In simpler terms, this POP technology (housed in the data center’s carefully controlled environment) enables Propel’s U.S. clients to have a safe and secure access point from the Dallas data center to the rest of the internet. 
Propel’s international clients have a similarly configured safe and secure access point from the Slough data center in the U.K. The Propel® platform also includes one virtual “staging” server (machine) in the Dallas data center dedicated to staging and testing as client portals are made ready for initial launch, or to provide a secure stage upon which the entire range of testing (from interim to final) can take place in support of the Company’s system development life cycle (SDLC) or change management processes. Two of Propel’s Information Security Sub-Policies describe and control these processes (Propel, Inc., Information Security Sub-Policy Number 3—Platform System Development Life Cycle (SDLC) Compliance; and Propel, Inc., Information Security Sub-Policy Number 7—Change Control Management). The Slough, U.K. data center positions two bare metal servers, one of which serves as a client portal and the other as a database server.
Reference is made to the following link: https://www.ibm.com/cloud/compliance. A summary of IBM Cloud’s certifications includes compliance with the following laws, directives, standards and regulatory agency requirements: International Organization for Standardization (ISO) 27001, ISO 27017, ISO 27018, ISO 22301, ISO 31000, Service Organization Control (SOC) Reports (SOC 1, SOC 2, SOC 3), Payment Card Industry (PCI) Security Standards Council, Health Information Trust Alliance (HITRUST), The Federal Information Security Management Act of 2002 (FISMA), Federal Risk and Authorization Management Program (FedRAMP), The Information Security Registered Assessors Program-Australia (IRAP), IBM ISO Management System Certification for ISO 9001, European Union (EU) Model Clauses, Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), My Number Act (Japan), U.S. International Traffic in Arms Regulations (ITAR), Criminal Justice Information Services (CJIS) as part of the U.S. Dept. of Justice Federal Bureau of Investigation (FBI), Cloud Security Alliance (CSA), EU-US Privacy Shield, Federal Financial Institutions Examination Council (FFIEC), The Center for Financial Industry Information Systems-Japan (FISC), The Federal Financial Supervisory Authority (BaFin-Germany), The European Banking Authority (EBA-European Union), The Cloud Computing Compliance Controls Catalog (C5-Germany), The European Union Agency for Network and Information Security (ENISA-European Union), Esquema Nacional de Seguridad (ENS-Spain), Government Cloud (G-Cloud-U.K.), General Data Protection Regulation (GDPR-European Union), The Hébergeurs de Données de Santé or Health Data Hosting (HDS-France), IT-Grundschutz-Germany, The Multi-Tier Cloud Security (MTCS-Singapore) and The Network and Information Systems Directive (NIS Directive-European Union).
It is important to note that these certifications and regulatory compliance accomplishments are an integral part of Propel’s decision-making process for selecting the most reliable web/data center host for its clients. This selection process is now a formalized compliance policy identified as the Propel, Inc., Third-Party Due Diligence and Risk Management Policy, a copy of which is available upon request.
With an understanding of Propel’s business model and its third-party relationship with IBM Cloud, the Company contractually relies upon the expertise and security certification(s) maintained by IBM Cloud, to secure and keep private the protected data entrusted to IBM Cloud for handling, storage and backup. In short, Propel relies upon IBM Corporation to maintain the certifications, etc., noted above, the importance of which cannot be overstated. A vital part of this compliance effort is the continual external auditing of its data center operations.
As the result of a formal cookie audit, a first visit to the Propelwellness.com website (on the Company’s internal server) displays the following prompt:
You can browse our website without disclosing information about yourself. We use two types of cookies. The first is designed to ensure that you have a secure browsing experience; these “strictly necessary” cookies (your consent is not required) guard against unauthorized posting of content and serve to protect our website visitors. The second type, “performance” cookies (your consent is requested), help us to better understand how our site is used. This collected information never identifies you personally. If you choose to contact us on the website, your identifying information is NOT shared with any third party. You also have a right to know what, if any, information we hold about you, as well as a right to ask that your personal information be updated, corrected, or deleted altogether. If you wish to make a request to us in this regard, please contact Propel at: firstname.lastname@example.org. You should also know that to opt out of being subject to Google Analytics across all websites you can visit http://tools.google.com/dlpage/gaoptout.
To learn more, see our policy page.
In accordance with GDPR-Article 37, Propel, Inc., designates its Chief Compliance Officer (CCO) to assume the additional responsibility as Data Protection Officer (DPO). For additional questions, comments, suggestions, requests for more information or if you would like to voice a complaint, please contact the Company by E-Mail at email@example.com, or in the alternative, send written correspondence to Propel, Inc., Attn: CCO/DPO, 105 Continental Place, Suite 400, Brentwood, TN 37027 (USA). The Company’s phone number is +1-615-377-6116. You also have the right to lodge a complaint with a supervisory authority.
In accordance with GDPR-Article 27, Propel, Inc., has appointed Apex Agency Services, Ltd., 6th Floor, 125 Wood Street, London, EC2V 7AN (U.K.) as its agent for service of process in the U.K. or elsewhere in the European Union (EU). Apex Agency Services’ website address is https://apexprocessagent.com and its e-mail address is firstname.lastname@example.org.
The DPO also occupies the position of CCO, and as such serves as a member of the Propel Information Security Management Committee, presently consisting of three (3) members and serving at the pleasure of the President and Chief Executive Officer (CEO). Sitting as Co-Chairpersons of the Committee are the Chief Administrative Officer (CAO) and the Vice President, Application Architecture (VP-AA). Serving as the Committee’s Secretary is the CCO/DPO who is also charged with taking minutes of meetings and drafting the various compliance policies and sub-policies. Relative to matters involving GDPR compliance, the DPO’s findings shall be controlling (in accordance with GDPR Article 38). The DPO reports directly to the President and CEO on such matters. The President and CEO encourages the CCO/DPO to seek the advice and consent from the other committee members (whenever possible) as well as from other team members about GDPR, CCPA and CPRA compliance issues.
Propel’s CCO, in consultation with the Information Security Management Committee, will verify compliance with this policy through various methods, which may include, but are not limited to, one or more of the following: periodic internal and external technology audits, walk-throughs, video monitoring, business tool reports, inspection and log review. Feedback will be provided to the CAO, the Information Security Management Committee and the appropriate business unit manager(s).
An exception to the policy must be approved in advance by Propel’s CAO and the Information Security Management Committee.
A team member found to have violated this policy may be subject to disciplinary action, up to and including termination of employment for even the first offense.
Please review the following policies for details of protecting information when working on privacy and GDPR Compliance: