Last Modified: September 2, 2020
Copyright (c) 2018-2020 Soroco Private Limited. All rights reserved.
NO WARRANTY. THE PRODUCT IS PROVIDED BY SOROCO “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL SOROCO BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THE PRODUCT, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
SCOUT PRIVACY STATEMENT
The scope of the policy is pertinent to all users/customers who interact with any element of “Scout Enterprise” or related analytic services. These interactions include downloading, installing, teaching and data collection via the Scout Data Agent; logging in, adjusting settings, managing processes, and gaining insights through the Scout Portal and Scout Go; and interacting with our Analytics team on specific use cases or data inquiries.
- ABOUT SCOUT
Scout is an enterprise application used to measure and improve organizational productivity. Scout provides insights through process discovery that drive the creation of a transformation roadmap. The end point client of Scout is installed on user systems, which continuously tracks user activity on included applications. The data gathered can be used to highlight exactly what aspects of the user’s business to prioritize with different operational levers (automation, standardization, training, elimination) and what return on investment can be expected.
- DATA COLLECTION
a) Scout collects personal data in the following scenario:
*Registration of users:
- Email ID
- Company Name
*The following pieces of PII may be captured while interacting with included applications. Fields that follow a common pattern will undergo PII scrubbing in an attempt to remove them from the database, for example Email ID, IP Address, SSN, Phone. Passwords, bank account numbers, and other fields that are obfuscated are not captured by default.
b) Scout collects data only from included applications and websites. By default, all applications and websites are treated as excluded applications. Excluded applications and websites will only register total time spent by all users from a team collectively.
c) Scout only captures detailed information from included applications and websites, which are pre-approved and configurable. As users work on included applications as a part of their daily function, Scout captures the interactivity within these applications.
d) Scout additionally collects usage analytics relating to the ‘Scout’ product, such as pages visited and where the user navigates within ‘Scout’. Users are free to pause ‘Scout’ at any time if they wish to stop data collection.
e) Only Admin users have access to remove or add any applications or websites in the included category through the Scout portal. Users can raise requests to admins to remove or add any applications and URLs from the included category.
- DATA STORAGE
Scout data resides in two locations: briefly on an end user’s computer and eventually in a database residing on the Scout Server. The Scout Server may be cloud-hosted or in a location of the client’s choosing.
a) All the data collected by Scout is temporarily stored on an individual’s computer before being uploaded to the Scout Server. All the collected data is encrypted (AES256) and, after upload, removed from the user’s local device every 5 minutes.
b) If the individual system cannot reach the Scout Server, for example the computer is not connected to the VPN, the data will be stored locally until the Scout Server is reachable.
- DATA PROCESSING
a) Soroco only processes personal data in accordance with the agreements reached with the user’s organization (“Customer”).
b) Customers retain all rights, titles, and interests to their collected data. Soroco acquires no rights to customer data, outside any agreed-upon analytic services.
c) Periodic reviews/audits shall be conducted to verify that Soroco team members collect and process personal data in compliance with privacy notices, contracts, and this policy.
- DATA ACCESS
a) Only approved engineers and analysts from Soroco can directly access the raw data collected by Scout.
b) The following actions can be performed upon Customer’s request.
- Delete data
- Edit data (e.g. remove certain info, extract fragments, etc.)
- Create admin-level users
c) Only appropriately privileged users can perform the following activities:
- Edit Scout user details
- Add manager-level users and end users
- Change team assignments
d) An audit log is generated and maintained for every activity performed above.
- THIRD PARTY TOOLS
Scout Enterprise uses a limited number of third-party tools to assist Soroco in providing a few services. These third-party providers perform technical operations such as database and application monitoring, data analytics, error tracking and customer support software tools. These third parties may access, process, or store certain Personal Data of users while providing these services.
Most of these third-party tools are installed within the Scout Server and process data only within the server (i.e. at no time is data moved outside) and only in a manner that is strictly based on the Customer’s instructions.
A few of these (listed below) may access, process, or store certain Personal Data of users outside of Scout while providing these services.
- Mixpanel is a product analytics service that is used to track user interaction within a web application. We use Mixpanel to track user behavior in the form of clicks and movement between screens within the Scout application to analyze and improve the product.
- Sentry is an open source application monitoring and error tracking platform used to identify issues in real time. We use Sentry to collect error and crash logs for every user and continuously monitor and resolve issues.
- Jira is a user feedback tool that is used to raise tickets when an issue or bug is noticed within the product.
- INCIDENT MANAGEMENT
a) If Soroco becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data or Personal Data while processed by Soroco (each a “Security Incident”), Soroco will promptly and without undue delay:
- Notify the Customer of the Security Incident.
- Investigate the Security Incident and provide Customer with detailed information about the Security Incident.
- Take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
b) Notification(s) of Security Incidents will be delivered to one or more of Customer’s administrators by any means Soroco selects, including via email. Customer is solely responsible for complying with its obligations under incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Security Incident.
c) Soroco shall make reasonable efforts to assist Customer in fulfilling Customer’s obligation under GDPR Article 33 or other applicable law or regulation to notify the relevant supervisory authority and data subjects about such Security Incident.
d) Soroco’s obligation to report or respond to a Security Incident under this section is not an acknowledgement by Soroco of any fault or liability with respect to the Security Incident.
e) Customer must notify Soroco promptly about any possible misuse of its accounts or authentication credentials or any security incident related to Scout.
f) Scout captures personal information; however, most of the personal data undergoes PII scrubbing. Any sensitive info, such as passwords, emails, or social security numbers, will automatically be scrubbed from the data. In case any personal data is captured by Scout, the Customer may raise an Incident. The Scout team will erase the data per request.
g) For every engagement, one POC (Point of contact) for incident reporting is appointed by the Customer.
h) Should an end user have a concern about the data captured by Scout, the following steps should be followed:
- End user raises an incident by contacting their POC
- POC will inform Scout Team
- Scout Team will erase the data
- DATA RETENTION AND DISPOSAL
a) The default data retention policy is 60 days on the Scout Server. The expiry date/retention period can be configured according to the customer’s requirement.
b) After the defined retention period, the data will be deleted from the Scout Server on a first-in-first-out (FIFO) basis.
c) All data collected from Scout will be deleted within 60 days after the end of the engagement, unless otherwise requested.
- OPT OUT OPTION
a) When not performing business-related work, users can pause Scout from collecting data.
b) To pause Scout on their computer, users may perform the following steps:
- Navigate to the system tray and access the Scout icon.
- Right-click the Scout icon.
- Click the “Pause Scout” button.
- DATA SUBJECT RIGHTS
Soroco will make available to Customer, in a manner consistent with Soroco’s role as a processor, Personal Data of data subjects and the ability to fulfil data subject requests to exercise their rights under the GDPR.
Soroco shall comply with reasonable requests by Customer to assist with Customer’s response to such a data subject request. If Soroco receives a request from Customer’s data subject to exercise one or more of its rights under the GDPR in connection with Scout for which Soroco is a data processor or sub-processor, Soroco will redirect the data subject to make its request directly to Customer. Customer will be responsible for responding to any such request including, where necessary, by using the functionality of Scout.
Records of Processing Activities: Soroco shall maintain all records required by Article 30(2) of the GDPR and, to the extent applicable to the processing of Personal Data on behalf of Customer, make them available to Customer upon request.
- RESOLUTION OF DISPUTES
a) Resolution of disputes reported by Customers
Customers with inquiries or complaints about the processing of their personal data shall bring the matter to the attention of the Data Privacy Officer (DPO) in writing. Any disputes concerning the processing of the personal data will be resolved by the DPO by following due process of law through arbitration.
b) Monitoring and Enforcement
For the purpose of periodic monitoring, the following processes shall be implemented:
i. Compliance Assessments
The DPO shall work with the risk leadership to develop processes to carry out periodic reviews for all functions and customer operations to ensure processing activities are carried out in line with this policy.
This Policy may be revised at any time. Notice of significant revisions shall be provided to employees through the Intranet Portal of Soroco or e-mail communication and to others through an appropriate mechanism selected by the DPO.
This Policy shall be available to customers via Soroco’s central documentation site.
- FOR FURTHER DETAILS
For more information, such as your rights in respect of your personal data, transfer of personal data, data retention and security measures implemented by Soroco, please reach us at firstname.lastname@example.org.
In the event of a conflict between this Scout privacy statement and the terms of any agreement(s) between a customer and Soroco for Scout, the terms of those agreement(s) will control.
- KEY TERMS & DEFINITIONS
a) “DATA CONTROLLER” – The entity that determines the purposes, conditions, and means of the processing of personal data.
b) “DATA SUBJECT” – A natural living person whose personal data is processed by a controller or processor.
c) “DATA PROCESSOR” – The entity that processes data on behalf of the Data Controller.
d) “PROCESSING” – Any operation performed on personal data, whether or not by automated means, including collection, recording, organizing, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
e) “THIRD PARTY” – Third party, in relation to personal data, means any person other than the data subject, the data controller, or any data processor or other person authorized to process data for the data controller.
f) “PERSONAL DATA” – Any data related to a natural person or ‘Data Subject’ that can be used to identify the person directly or indirectly. e.g., Name, Address, Phone Number, IP Address etc.
g) “SENSITIVE PERSONAL DATA” – Sensitive Personal Data is defined as information that if lost, compromised, or disclosed could potentially harm, cause inconvenience, embarrassment, or unfairness to an individual.
e.g., Bank account information, Government IDs, Income or Credit history, Credit/Debit card No., data relating to offenses or criminal convictions, Sexual Orientation, Health/Medical records (Past, Present, or Future), Racial or ethnic origin, political opinions, religious or philosophical beliefs, etc.
h) “INCLUDED” – Applications and websites that have been included to collect granular data from a user’s machine. The info collected includes the pages users visited, fields they clicked, and inputs they typed.
i) “EXCLUDED” – Applications and websites that have not been included to collect granular data from a user’s machine. The only info that will be collected from these is the duration of time users spend.