Propel, Inc., Privacy Policy, GDPR and CCPA Compliance

1.0 AUTHORITY/PURPOSE/OBJECTIVE

Section 6.0 of the Propel, Inc., (“Propel” or “Company”) Information Security Management Policy (“ISMP”) incorporated herein by reference and available upon request, identifies the need for sub-policies to address a variety of information security subjects, one of which is privacy, as addressed by the European Union (EU) through its General Data Protection Regulation (GDPR), and the state of California through its California Consumer Protection Act (CCPA) and its California Privacy Rights Act (CPRA). It is important to note that Propel® also strives to achieve substantive compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, and other compliance standards to include the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH) and the Omnibus Final Rule, all of which are addressed in separate policies. Further, as a matter of policy, the Company strives to comply with both the letter and spirit of applicable laws and regulations, and it acknowledges the more comprehensive requirements of the GDPR, CCPA and CPRA. Propel® seeks to construct its culture of privacy compliance upon a foundation of global privacy concepts, characterized by transparency, consent and a sense of “doing the right thing” at the front end of its decision-making processes. This means that when the Company seeks explicit consent from individuals, it is accompanied by a clear privacy notification, an understandable explanation of how and why we collect personal data, with whom it is shared and at what risk. For Propel, the collateral benefit is that its efforts to comply with the GDPR, CCPA and CPRA also serve to embrace the nearly global expectation that privacy is a natural right to be duly protected. 
While the terminology and definitions may differ politically, geographically and from one organization to another, the shared objective of data privacy is to protect the privacy rights of individuals. Propel’s stated objective is to secure and keep private the protected information that the Company handles in conjunction with its clients, its clients’ employees, its third-party data-center host and other mission-related third-party vendors, etc. The GDPR objective is to protect “fundamental rights and freedoms of natural persons, particularly their right to the protection of personal data.” (GDPR-Article 1.2). CCPA’s objective is to “further Californians’ right to privacy by giving consumers an effective way to control their personal information by ensuring the following rights: (1) The right…to know what personal information is being collected about them. (2) The right…to know whether their personal information is sold or disclosed and to whom. (3) The right…to say ‘no’ to the sale of personal information. (4) The right…to access their personal information and (5) The right…to equal service and price, even if they exercise their privacy rights.” (Sec. 3. Title 1.81.5 commencing with Section 1798.100). At Propel there is a consistency between these objectives.

2.0 SCOPE/UNDERSTANDING THE PROPEL BUSINESS MODEL

This sub-policy applies to all Propel employees, contractors, vendors and agents with a Propel-owned or personally-owned computer or workstation used to connect to the Company’s network (to all web application development, staging and production servers currently owned or maintained by Propel). The Company’s business model embraces two types of infrastructure with different functions, handling different amounts of personal data. The corporate infrastructure consists of a single server located in a secure area within the Company’s offices and is sometimes referred to as the corporate/office server. It handles less than 1 percent of collected personal data from our clients and their employees. Its two primary functions are to support Propel’s intra-company applications and to provide a working platform or software workstation upon which the Company’s team members develop, maintain, customize, revise and support what becomes a customized wellbeing program for use by our clients and their employees. See Section 3.0 below. This finished product, a client portal, formally activates upon the infrastructure known as the “Propel® platform” at the time of licensing, whereupon it is placed under client control at or about the time of program launch. Of course, appropriate Propel team members maintain access to the portal for maintenance purposes, etc. It is at this juncture that personal data begins to flow through the client’s portal. See Section 4.0 for an understanding of the dynamics of the “Propel® platform.”

3.0 PROPEL OVERVIEW AND BUSINESS DESCRIPTION

Propel, Inc., is engaged in the development, maintenance, customization and support of the Propel® platform, a Software as a Service (SaaS) platform that is customized to run and manage comprehensive wellbeing programs.

4.0 UNDERSTANDING THE PROPEL PLATFORM SERVER/CLIENT DATA BACK-UP AND RECOVERY/DYNAMICS OF THE IBM THIRD-PARTY DATA CENTER ENVIRONMENT

Crucial to an understanding of this Privacy, GDPR and CCPA Compliance Sub-Policy is the concept of how Propel’s clients can access and utilize their data. Each Propel client accomplishes this via a separately installed web application and database located on one of the servers maintained for Propel, Inc., by IBM Corporation (through its subsidiary, IBM Cloud). IBM serves as Propel’s third-party data center host at IBM Data Center locations, either in Dallas, Texas or Slough, United Kingdom (U.K.). Daily backups of all databases for the Propel® platform servers (including those used as client portals) are conducted in accordance with configuration instructions furnished by Propel when servers are brought online. These servers are maintained, protected, guarded and carefully hosted within the IBM data center environment pursuant to written agreement between Propel and IBM Corporation. Specifically, these client portals use dedicated “bare metal servers” maintained solely for Propel and its clients. The use of such dedicated bare metal servers has two important operational advantages over those which are virtual/cloud based. First, any risk of improper or deficient load sharing is alleviated, the existence of which could affect the ability of our clients to access their respective data in a crisis. Second, more than 99% of our clients’ employees’ personal data (usually protected health-care information, PHI) is handled within the confines of the carefully controlled IBM Cloud environment and NOT on Propel’s corporate/office server. Each of IBM’s data centers is designed with a focus upon redundancy in its infrastructure systems and Network Point of Presence (POP). In simpler terms, this POP technology (housed in the data center’s carefully controlled environment) enables Propel’s U.S. clients to have a safe and secure access point from the Dallas data center to the rest of the internet. 
Propel’s international clients have a similarly configured safe and secure access point from the Slough data center in the U.K. The Propel platform also includes one virtual “staging” server (machine) in the Dallas data center dedicated to staging and testing as client portals are made ready for initial launch or to provide a secure stage upon which the entire range of testing (from interim to final) can take place in support of the Company’s system development life cycle (SDLC) or change management processes. Two of Propel’s Information Security Sub-Policies describe and control these processes (Propel, Inc., Information Security Sub-Policy Number 3—Platform System Development Life Cycle (SDLC) Compliance; and Propel, Inc., Information Security Sub-Policy Number 7—Change Control Management). The Slough, U.K. data center positions two bare metal servers, one which serves as a client portal and another used as a database server.

5.0 IBM CLOUD CERTIFICATIONS

Reference is made to the following link: https://www.ibm.com/cloud/compliance. A summary of IBM Cloud’s certifications includes compliance with the following laws, directives, standards and regulatory agency requirements: International Organization for Standardization (ISO) 27001, ISO 27017, ISO 27018, ISO 22301, ISO 31000, Service Organization Control (SOC) Reports (SOC 1, SOC 2, SOC 3), Payment Card Industry (PCI) Security Standards Council, Health Information Trust Alliance (HITRUST), The Federal Information Security Management Act of 2002 (FISMA), Federal Risk and Authorization Management Program (FedRAMP), The Information Security Registered Assessors Program-Australia (IRAP), IBM ISO Management System Certification for ISO 9001, European Union (EU) Model Clauses, Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), My Number Act (Japan), U.S. International Traffic in Arms Regulations (ITAR), Criminal Justice Information Systems (CJIS) as part of the U.S. Dept. of Justice Federal Bureau of Investigation (FBI), Cloud Security Alliance (CSA), EU-US Privacy Shield, Federal Financial Institutions Examination Council (FFIEC), The Center for Financial Industry Information Systems-Japan (FISC), The Federal Financial Supervisory Authority (BaFin-Germany), The European Banking Authority (EBA-European Union), The Cloud Computing Compliance Controls Catalog (C5-Germany), The European Union Agency for Network and Information Security (ENISA-European Union), Esquema Nacional de Seguridad (ENS-Spain), Government Cloud (G-Cloud-U.K.), General Data Protection Regulation (GDPR-European Union), The Hébergeurs de Données de Santé or Health Data Hosting (HDS-France), IT-Grundschutz-Germany, The Multi-Tier Cloud Security (MTCS-Singapore) and The Network Information System (NIS Directive-European Union).
It is important to note that these certifications and regulatory compliance accomplishments are an integral part of Propel’s decision-making process for selecting the most reliable web/data center host for its clients. This selection process is now a formalized compliance policy identified as the Propel, Inc., Third-Party Due Diligence and Risk Management Policy, a copy of which is available upon request.

6.0 IBM COMPLIANCE IS PROPEL’S COMPLIANCE; PROPEL BENEFITS FROM IBM CLOUD’S CERTIFICATION(S)

With an understanding of Propel’s business model and its third-party relationship with IBM Cloud, the Company contractually relies upon the expertise and security certification(s) maintained by IBM Cloud, to secure and keep private the protected data entrusted to IBM Cloud for handling, storage and backup. In short, Propel relies upon IBM Corporation to maintain the certifications, etc., noted above, the importance of which cannot be overstated. A vital part of this compliance effort is the continual external auditing of its data center operations.

7.0 THE PROPEL WEBSITE/THE INTERNAL SERVER/COOKIE AUDIT/PRIVACY AND COOKIE NOTICE

As the result of a formal cookie audit, a first visit to the Propelwellness.com website (hosted on the Company’s internal server) displays the following prompt:

PRIVACY NOTICE
You can browse our website without disclosing information about yourself. We use two types of cookies: the first is designed to ensure that you have a secure browsing experience. These “strictly necessary” cookies (your consent is not required) guard against unauthorized posting of content and serve to protect our website visitors. The second type, “performance” cookies (your consent is requested), help us to better understand how our site is used. This collected information never identifies you personally. If you choose to contact us on the website, your identifying information is NOT shared with any third party. You also have a right to know what, if any, information we hold about you, as well as a right to ask that your personal information be updated, corrected, or deleted altogether. If you wish to make a request to us in this regard, please contact Propel at: privacy@propelwellness.com. You should also know that to opt out of being subject to Google Analytics across all websites you can visit http://tools.google.com/dlpage/gaoptout.

To learn more, see our policy page.

ACCEPT COOKIES

8.0 PROPEL, INC., DESIGNATION OF DATA PRIVACY OFFICER (DPO)/CONTACT INFORMATION FOR PRIVACY ISSUES

In accordance with GDPR-Article 37, Propel, Inc., designates its Chief Compliance Officer (CCO) to assume the additional responsibility as Data Protection Officer (DPO). For additional questions, comments, suggestions, requests for more information or if you would like to voice a complaint, please contact the Company by E-Mail at privacy@propelwellness.com, or in the alternative, send written correspondence to Propel, Inc., Attn: CCO/DPO, 105 Continental Place, Suite 400, Brentwood, TN 37027 (USA). The Company’s phone number is +1-615-377-6116. You also have the right to lodge a complaint with a supervisory authority.

9.0 DESIGNATION OF AGENT FOR SERVICE OF PROCESS/EUROPEAN UNION (EU) REPRESENTATIVE

In accordance with GDPR-Article 27, Propel, Inc., has appointed Apex Agency Services, Ltd., 6th Floor, 125 Wood Street, London, EC2V 7AN (U.K.) as its agent for service of process in the U.K. or elsewhere in the European Union (EU). The Apex Agency Services website address is https://apexprocessagent.com. Its e-mail address is processagent@apexfs.com.

10.0 POLICY REVISION AS CONTINUING EXERCISE IN RISK MANAGEMENT / DATA PRIVACY IMPACT ASSESSMENT (DPIA)

As stated in Section 1.0 of the Propel, Inc., Information Security Management Policy (referenced in Section 13.0 below, and available upon request), the process of revision for each compliance policy, etc., also constitutes a “big picture” review of the Propel platform, and further represents an exercise in continuing risk management. This is because each policy revision contains a review/consideration of at least the following items and/or activities:

  • the CCO/DPO has considered the Company’s responsibilities relating to personal data (PD);
  • each client develops its own privacy notices and policies for posting on its wellness program portal (after reviewing Propel’s proposed Terms of Use Policy and Consent Agreement, which in effect constitutes a portal-specific privacy policy);
  • all PD processed by Propel is authorized via a transparent, clearly stated, “opt in” consent process;
  • a review of Propel’s information, data and cyber security programs currently in effect reveals no unusual vulnerabilities or material, incident-driven activities;
  • all PD is encrypted at rest, in transit and in storage;
  • PD is never sold to a third party, or shared with any entity outside the requirements of the wellness program, without the consent of the program participant, except as may be required by law;
  • there is no history of PD breach or compromise;
  • a review of Propel’s application development security posture reveals no unusual vulnerabilities;
  • a review of all information security sub-policies and privacy policies, etc., reveals no additional vulnerabilities;
  • the Company’s CCO/DPO has reviewed (for regulatory updates) at a minimum the websites of the following organizations, whose owners have information and/or enforcement authority over privacy laws in their respective jurisdictions: a) The Information Commissioner’s Office in the United Kingdom, b) Office of the Privacy Commissioner of Canada, c) U.S. Department of Health & Human Services, and d) State of California Office of the Attorney General;
  • the Company’s use of encryption technologies is quite extensive and continually updated;
  • Propel’s President & Chief Executive Officer (CEO) approves all non-housekeeping policy revisions; and
  • comments, suggestions, etc., are always welcome from the Chief Administrative Officer (CAO) and the Vice President-Application Architecture (VP-AA), as well as from all team members.

From all of the above, the CCO/DPO finds that, pursuant to the requirements and guidance of GDPR, CCPA, CPRA and others, there is no need to conduct a more formalized DPIA at the conclusion of this process; the risk/potential for harm and/or impact is extremely low, and as such Propel’s processing activities do not represent a significant risk to the privacy or security of program participants or their PD.

11.0 DPO AS A MEMBER OF THE PROPEL INFORMATION SECURITY MANAGEMENT COMMITTEE

The DPO also occupies the position of CCO, and as such serves as a member of the Propel Information Security Management Committee, presently consisting of three (3) members and serving at the pleasure of the President and Chief Executive Officer (CEO). Sitting as Co-Chairpersons of the Committee are the Chief Administrative Officer (CAO) and the Vice President, Application Architecture (VP-AA). Serving as the Committee’s Secretary is the CCO/DPO who is also charged with taking minutes of meetings and drafting the various compliance policies and sub-policies. Relative to matters involving GDPR compliance, the DPO’s findings shall be controlling (in accordance with GDPR Article 38). The DPO reports directly to the President and CEO on such matters. The President and CEO encourages the CCO/DPO to seek the advice and consent from the other committee members (whenever possible) as well as from other team members about GDPR, CCPA and CPRA compliance issues.

12.0 POLICY COMPLIANCE

12.1 Compliance Measurement

Propel’s CCO, in consultation with the Information Security Management Committee, will verify compliance with this policy through various methods, which may include, but are not limited to, one or more of the following: periodic internal and external technology audits, walk-throughs, video monitoring, business tool reports, inspection and log review. Feedback will be provided to the CAO, the Information Security Management Committee and the appropriate business unit manager(s).

12.2 Exceptions

An exception to the policy must be approved in advance by Propel’s CAO and the Information Security Management Committee.

12.3 Non-Compliance

A team member found to have violated this policy may be subject to disciplinary action, up to and including termination of employment for even the first offense.

13.0 RELATED STANDARDS, POLICIES AND PROCESSES

Please review the following policies for details of protecting information when working on privacy and GDPR Compliance:

  • Propel Information Security Management Policy (ISMP);
  • Propel Third-Party Due Diligence and Risk Management Policy;
  • Propel Information Security Sub-Policy Number 3—Platform System Development Life Cycle (SDLC) Compliance;
  • Propel Information Security Sub-Policy Number 7—Change Control Management; and
  • Propel Information Security Sub-Policy Number 5—Acceptable Encryption Technologies in Use.