Scout collects process & user interaction data to identify operational improvement opportunities for your organization.
Is personal information collected, stored, or processed?
Yes. A user’s email, location, role, team, department are collected. Email addresses are used as logins and for notifications. The location, role, team, and department are used as classifiers for data collected.
How is Personally Identifiable Information (PII) handled?
Personally Identifiable Information (PII) is scrubbed when collected.
Is there any data masking in use within the service?
Yes, data masking is used to replace PII data found during the scrubbing process.
How are digital identities and credentials protected in Scout?
Digital identities are managed through an integrated IAM service using 256-bit encryption or integration with the customer’s SSO system.
How is data transmitted?
All data is transmitted from the Data Agent to the Scout Portal using HTTPS and TLS1.2
How is data stored?
Data is temporarily stored on the user’s workstation, then transmitted to the Scout Portal where it stored on a PostgreSQL. Data is always stored using AES-256 encryption.
How long will data be stored (data retention)?
Data retention is configurable based on customers’ requirements.
Is there a documented Data Privacy and Data Protection Policy complying with relevant data secrecy, data privacy and data protection regulations such as GDPR and CCPA?
Is a documented Information Security Incident Management procedure in place?
Are customers notified if their data is accessed by or disclosed to an unauthorized party?
Yes, every time.
In case of unauthorized customer data access or disclosure, do you provide sufficient information to support cooperation with an investigation by the Privacy Commissioner?
Yes, every time.
Is there a process to notify customers of information security incidents / business continuity incident that affects customer data or services?
Yes. Soroco notifies customers if incidents occur.
Are customers notified if a formal request from authorities to access their data is made?
Yes, to the extent not prohibited by applicable law.
When would third parties, including government agencies, be allowed to access customer data?
After providing notification to clients authorized by relevant laws.
Can you guarantee that third-party access to shared logs and resources won't reveal critical information about my organization?
Yes, logs and resources are not shared between customers.
How many people will have access to customer information? What is the process of giving an employee access to customer information?
The customer controls who will have access to the data. Soroco users that are part of the engagement would get named access based on Scout’s Role-based access control. It encompasses Soroco Engineers, Soroco Customer Success team, and Soroco Business Analysts.
How does Soroco control potential non-authorized access to customers' data?
Access to customer’s data on Scout is restricted with named access to those privileged users that are part of the project.
Does Soroco document employee access to customers' data?
All accesses to Scout environment is logged and audited.
Do the Terms of Service or SLA require Soroco to report unauthorized access to customer data by Soroco’s employees?
Yes. As per the client’s requirement/project requirement SLA may differ.