Data Handling Policy
Effective Date: 8/18/2023
At dataroomHQ, keeping our customers’ data secure is paramount to our success. In fact, improving the security of how customers share their data is part of our value proposition. Today, startups share financial data with investors via conventional means, such as emailing spreadsheets or uploading them to commercial file-sharing solutions, without any control over how the data will be used or when, if ever, it will be deleted. At dataroomHQ we allow our customers to securely upload, analyze and share their financial information with their team and investors.
Trust is foundational to our business. DataroomHQ strives to help protect your information from loss, misuse and unauthorized access, disclosure and destruction. This document describes the steps we take to ensure your data is safe with us.
1. Purpose
This Data Handling Policy outlines the principles and guidelines for the collection, processing, storage, and protection of data at dataroomHQ. This policy ensures that data is handled in a secure, compliant, and ethical manner.
2. Scope
This policy applies to all employees, contractors, and third-party partners who handle data on behalf of dataroomHQ.
3. Data Collection and Processing
3.1 Lawful Basis: We will collect and process data only for legitimate purposes and with a lawful basis, such as user consent, contractual obligations, legal requirements, or legitimate interests.
3.2 Data Minimization: We will collect and retain only the minimum amount of data necessary to create user accounts in our application. The nature of our business does not require us to store any additional Personally Identifiable Information (PII) beyond that.
3.3 Transparency: We will inform individuals about the purposes of data collection, processing, and any sharing of data in a clear and transparent manner through privacy notices or policies.
4. Data Storage and Retention
4.1 Secure Storage: We will implement appropriate technical and organizational measures to protect data from unauthorized access, loss, or destruction. Technical measures include encryption of data at rest and in transit.
4.2 Data Retention: We will retain data only for the period necessary to fulfill the purposes for which it was collected, unless otherwise required by law. Please refer to our Data Retention Policy below for more information.
4.3 Data Accuracy: We will take steps to ensure the accuracy and integrity of data and provide mechanisms for individuals to update or correct their data.
5. Data Sharing and Third Parties
5.1 Third-Party Partners: Before sharing data with third-party partners, we will assess their security and privacy practices to ensure they meet our standards.
5.2 Contracts: We will have written agreements in place with third-party partners that outline their responsibilities in handling data and ensuring compliance with applicable regulations.
6. Data Security
6.1 Access Controls: We will implement role-based access controls to ensure that only authorized personnel can access and process data. This includes role-based security within our application, which lets each customer organization limit the level of access granted to its own users, as well as access controls on the systems used internally by our own staff.
6.2 Encryption: Sensitive data will be encrypted both at rest and in transit, whenever feasible.
6.3 Security Incident Response: We will have an incident response plan to promptly address and mitigate data breaches or security incidents. See Security Incident Response policy below for more information.
7. Data Subject Rights
7.1 Individual Rights: We will respect and respond to data subject rights, including the right to access, rectify, erase, restrict processing, and data portability.
7.2 Data Subject Requests: Individuals can exercise their rights by contacting security@dataroomhq.com. We will respond to requests in accordance with applicable laws.
8. Training and Awareness
8.1 Employee Training: All employees and relevant personnel will receive training on data handling practices and the importance of data protection.
9. Compliance and Review
9.1 Legal Compliance: We will adhere to all relevant data protection laws and regulations, such as GDPR, CCPA, and others applicable to our operations.
9.2 Policy Review: This policy will be reviewed periodically to ensure it remains accurate, relevant, and aligned with current practices and legal requirements.
10. Contact Information
For inquiries or concerns related to data handling, please contact csirt@dataroomhq.com.
Security Incident Response Policy
Effective Date: 8/18/2023
1. Purpose
This Security Incident Response Policy outlines the procedures and guidelines for detecting, assessing, responding to, and recovering from security incidents at dataroomHQ. This policy ensures a coordinated and effective response to safeguard our systems, data, and stakeholders.
2. Scope
This policy applies to all employees, contractors, third-party partners, and stakeholders who handle data or have access to dataroomHQ systems and assets.
3. Incident Categories
Incidents covered by this policy include, but are not limited to, unauthorized access, data breaches, malware infections, denial-of-service attacks, and insider threats.
4. Incident Response Team
4.1 Formation: An Incident Response Team (IRT) comprising members from IT, security, legal, and communications departments will be formed to lead incident response efforts.
4.2 Roles and Responsibilities: The IRT will have designated roles, responsibilities, and communication channels for each phase of incident response.
5. Incident Detection and Reporting
5.1 Detection: Monitoring tools and procedures will be in place to detect and promptly identify potential security incidents.
5.2 Reporting: All employees and stakeholders are responsible for promptly reporting any suspected security incidents to the designated reporting channels, including email notifications to the IRT and the creation of tickets in our ticketing system.
6. Incident Assessment
6.1 Preliminary Assessment: The IRT will conduct an initial assessment to determine the nature and scope of the incident.
6.2 Categorization and Severity: Incidents will be categorized based on their severity and potential impact.
7. Incident Response
7.1 Containment: Immediate actions will be taken to contain the incident, prevent further damage, and isolate affected systems.
7.2 Eradication: The root cause of the incident will be identified and eliminated from systems.
7.3 Recovery: Efforts will be focused on restoring affected systems to normal operation while preserving evidence.
7.4 Communication: Communications with internal and external stakeholders will be managed according to the established communication plan.
8. Legal and Regulatory Compliance
8.1 Legal Support: Legal counsel will be engaged to provide guidance on legal and regulatory obligations.
8.2 Notification: Appropriate regulatory authorities, affected individuals, and partners will be notified as required by applicable laws and regulations.
9. Lessons Learned and Improvement
9.1 Post-Incident Review: After each incident, the IRT will conduct a thorough review to identify lessons learned and areas for improvement.
9.2 Documentation: Detailed incident reports will be documented to aid in future incident response and analysis.
10. Training and Drills
10.1 Employee Training: All employees will receive training on recognizing, reporting, and responding to security incidents.
10.2 Tabletop Drills: Periodic tabletop exercises will be conducted to simulate security incidents and test the effectiveness of the incident response plan.
11. Policy Review
This policy will be reviewed annually to ensure its accuracy, relevance, and alignment with evolving security threats and business practices.
12. Contact Information
For inquiries or concerns related to security incidents, please contact the Incident Response Team Lead at security@dataroomhq.com.
Data Retention Policy
Effective Date: 8/18/2023
1. Purpose
This Data Retention Policy outlines the guidelines and procedures for the retention and disposal of data at dataroomHQ. This policy ensures that data is retained for the appropriate period based on legal requirements, business needs, and data classification.
2. Scope
This policy applies to all employees, contractors, third-party partners, and stakeholders who handle, access, or store data on behalf of dataroomHQ.
3. Data Classification
3.1 Data Classification: Data will be classified based on sensitivity, regulatory requirements, and business importance.
3.2 Data Owner: Each data type will have a designated owner responsible for determining retention periods and disposal methods. This includes data collected from prospects (e.g., during events or marketing campaigns) as well as data consumed by our application.
4. Retention Periods
4.1 Legal Requirements: Data will be retained for the duration required by applicable laws and regulations.
4.2 Business Needs: Data will be retained for the period necessary to fulfill business purposes, as defined by data owners.
4.3 Data Classification: Retention periods will vary based on data classification, with higher sensitivity data retained for shorter periods.
4.4 Data Deletion Requests: Upon request from our customers, customer data will be deleted from our systems within 60 days.
4.5 Contract Termination: Upon the termination of contractual agreements or services, customer data will be deleted from our systems within 60 days.
5. Data Disposal
5.1 Secure Disposal: Data will be disposed of in a secure and compliant manner to prevent unauthorized access or data breaches.
5.2 Deletion Methods: Data may be deleted, shredded, or securely wiped from electronic storage media. This includes data stored in backups.
6. Records of Disposal
6.1 Documentation: A record of data disposal activities, including the type of data, date of disposal, and disposal method, will be maintained.
7. Third-Party Data
7.1 Third-Party Data: Data received from third parties will be retained and disposed of in accordance with the terms of any agreements or contracts.
8. Review and Audit
8.1 Periodic Review: Data retention practices will be reviewed periodically to ensure compliance with changing legal requirements and business needs.
8.2 Audits: Internal and external audits will assess the implementation and effectiveness of the data retention policy.
9. Policy Communication
9.1 Training: All employees and relevant personnel will receive training on data retention procedures and compliance.
9.2 Communication: The data retention policy will be communicated to all employees and stakeholders through appropriate channels.
10. Contact Information
For inquiries or concerns related to data retention, please contact csirt@dataroomhq.com.