Data Storage and Retention Policy

Sunflower UX, LLC dba Sunflower UX

1. Introduction

We are committed to maintaining the highest standards of privacy and security regarding the collection, use, and storage of our customers' and clients' personal information. This Data Storage and Retention Policy outlines our practices and procedures for responsibly managing the data we collect, in compliance with SOC2 guidelines.

2. Data Classification

The data collected and managed by Sunflower UX, LLC are classified into three categories based on the sensitivity and the potential impact of their disclosure. This helps in applying appropriate security measures in compliance with regulatory requirements.

2.1 Confidential Data:

  • Definition: Data that, if disclosed, could cause significant harm to the organization, its stakeholders, or its clients. This includes data that is legally protected or involves personal privacy considerations.

  • Examples:

    • Protected Personal Information (PPI): Information which can be used to identify a person uniquely and reliably, including but not limited to name, social security number, address, telephone number, e-mail address, mother’s maiden name, etc.

    • Communication Records: Audio and video recordings and transcripts of sessions conducted via Zoom or other virtual meeting platforms.

    • Client-Specific Data: Contact details of clients, contractual agreements, payment information, and any other sensitive data provided by clients or collected during service provision.

    • Research Data: All data collected during research studies, including personal data of participants, study results, and any related analytical data.

  • Handling Requirements:

    • Store in encrypted formats both at rest and in transit.

    • Access is restricted to authorized personnel only, on a need-to-know basis.

      • Access rights will fall into two categories: 

        • Administration will be given to the principal investigator for a project, any identified project leads, and internal administrative staff who will be supporting said project.

        • Individual contributors will be able to create and update information, but not to delete or relocate any of this data.

2.2 Internal Data:

  • Definition: Data that is necessary to perform daily functions within the organization but does not include sensitive information that could cause significant harm if disclosed externally.

  • Examples:

    • Internal reports, non-sensitive correspondence between departments, procedural documents.

    • Operational data like schedules, non-confidential meeting notes, internal project updates.

  • Handling Requirements:

    • Access rights: Access is restricted to authorized personnel only. Specific roles within the organization, such as administration, operational staff, or specific contractors, will have access as needed to perform their job functions. Basic encryption and security measures are required.

2.3 Public Data:

  • Definition: Data that can be disclosed to the public without any risk of harm to the organization, its stakeholders, or its clients.

  • Examples:

    • Public announcements, press releases, promotional materials.

    • Published research findings that do not include personal or sensitive data.

  • Handling Requirements:

    • No restrictions on access or sharing.

    • Standard data integrity measures to ensure accuracy and reliability of public information.

3. Data Collection

We collect the minimum necessary personally identifiable information (PPI) to provide services to our customers and clients. Efforts are made to anonymize data wherever possible to protect privacy.

Due to the potentially sensitive nature of certain participant data, any terms of data sharing with third parties shall be negotiated prior to data collection. The data will not be reclassified after the fact, to prevent violation of the Terms of Consent to which the participant agreed.

4. Data Storage

4.1 Digital Storage:

All digital data, including customer and client information, is stored on secure shared Google Drives. Access is strictly controlled and monitored as defined in the Data Classification sections above.

4.2 Physical Storage:

Physical copies of data will be stored as we transition to including paper forms. These documents will be kept in secure, locked storage cabinets accessible to authorized personnel only.

5. Data Security Practices

5.1 Encryption:

All stored digital data, including confidential, internal, and certain public data, is encrypted using AES-256 at rest and TLS 1.2 in transit.

5.2 Access Controls:

Access to data is role-based and strictly controlled. Detailed access specifications are maintained based on the data classification:

  • Confidential Data:

    • Access restricted to authorized personnel only, on a need-to-know basis.

  • Internal Data: 

    • Access control is less restrictive but monitored.

  • Public Data:

    • Generally accessible with no specific restrictions but monitored for integrity.

5.3 Audit Trails:

Audit trails are maintained for all sensitive and confidential data access and modifications to ensure compliance with SOC2 guidelines and internal governance.

5.4 Digital Access and Password Management

To secure access to all digital platforms, including Google accounts used by Sunflower UX, LLC, the following password management practices are enforced:

  • Password Requirements: Passwords must be at least 12 characters long and include a combination of upper and lower case letters, numbers, and symbols.

  • Mandatory Password Changes: Employees are required to change their passwords every 90 days, and past passwords cannot be reused for at least one year.

  • Two-Factor Authentication: Where available, 2FA must be enabled to add an extra layer of security beyond just a password. Alternatively, Single Sign-On (SSO) systems should be employed to streamline secure access.

  • Password Storage: Passwords will only be stored in encrypted formats, or in trusted password management software, e.g., 1Password. Under no circumstances will passwords be written down or stored in plain text.

  • Company-Issued Devices: All devices provided by Sunflower UX, LLC to its employees must be secured with passwords at all times. These passwords must adhere to the minimum standards established in the data security practices as listed above. This requirement is crucial to protecting sensitive organizational data and maintaining compliance with our security protocols.

6. Data Retention

Sunflower UX, LLC retains personal data only for as long as necessary to fulfill the purposes for which it was collected, including for the duration of any required legal or financial obligations.

6.1 Retention Schedule:

Customer data is retained for the duration of the customer relationship plus an additional seven years.

Employee data is retained for the duration of employment and seven years thereafter.

Physical forms are digitized whenever possible, and original copies are securely destroyed after digitization.

7. Data Deletion

Sunflower UX, LLC is committed to maintaining the autonomy of our customers and clients over their personal information.

7.1 Scheduled Deletion:

Upon expiry of the retention period, data is securely deleted from all storage locations. Digital data is deleted using secure erasure methods, and physical data is shredded.

7.2 Deletion Upon Request:

Customers or clients may request the deletion of their personal data at any time. Upon receiving a deletion request, Sunflower UX, LLC will ensure that all relevant data is deleted within 1-2 months of the request, subject to necessary reviews to confirm the identity of the requester and the scope of the request. This process is designed to prevent accidental or malicious deletions and to ensure compliance with legal or regulatory obligations that might require the retention of certain types of data.

8. Vendor Management

Sunflower UX, LLC engages with various third-party vendors who may process or store sensitive data. To ensure these vendors adhere to the same standards of data protection as Sunflower UX, LLC:

  • Vendor Selection: Vendors are carefully selected based on their compliance with relevant security and privacy laws and standards. This includes reviewing their SOC2 compliance status, if applicable.

  • Security Assessments: Regular security assessments and audits may be conducted to ensure ongoing compliance with our security requirements.

9. Data Breach Response

In the event of a data breach, Sunflower UX, LLC will promptly notify affected individuals and regulatory bodies in accordance with legal requirements, and take immediate remedial actions to mitigate any potential harm.

10. Training and Awareness Programs

Sunflower UX, LLC recognizes the importance of regular training and awareness programs to ensure all employees and contractors are fully informed about our data storage and retention policies, as well as their personal responsibilities in protecting the data they handle.

  • Initial Training: All new employees and contractors receive comprehensive training on data protection principles, including the specifics of our Data Storage and Retention Policy, during their onboarding process.

  • Ongoing Training: Regular refresher training sessions are held at least annually to update staff on any changes to data protection laws, technologies, and our internal policies. Additional training sessions are scheduled whenever significant changes to our data handling processes or policies occur.

11. Policy Enforcement

To ensure the integrity and security of data managed by Sunflower UX, LLC, strict enforcement of this Data Storage and Retention Policy is essential. The following measures are in place to enforce policy compliance:

  • Compliance Audits: Regular audits may be conducted to ensure that all staff adhere to our data storage and retention guidelines. These audits are carried out by internal auditors or external consultants.

  • Reporting Mechanisms: Employees and contractors are encouraged to report any suspected data security issues or breaches through established reporting mechanisms. Anonymity and confidentiality of the reporting individual are protected to encourage openness and honesty.

  • Consequences of Non-Compliance: Violations of this policy are taken seriously and may result in disciplinary action, including termination of employment or contracts, legal action, and financial liability, depending on the severity of the breach.

  • Incident Management and Disciplinary Procedures: In cases of policy violation, incident management procedures are followed, which include investigation, assessment of the impact, and implementation of remedial actions. Disciplinary procedures are clearly outlined and communicated to all employees and contractors.

  • Continuous Improvement: Feedback from enforcement and monitoring activities is used to continually improve policy guidelines and enforcement procedures.

12. Modifications to the Policy

This policy may be updated periodically to reflect changes in our practices, technology, or legal requirements. Stakeholders will be notified of significant changes through our usual communication channels.

13. Contact Information

For questions or concerns about our Data Storage and Retention Policy, please contact the corporate office at Hello@sunfloweruxteam.com.