- We do not sell user data. Your data is not and will never be sold. Ever.
- We take data privacy seriously. Data collected is never shared with a third party without your expressed written consent. In rare and limited circumstances we could be asked to release your data, for example if we were subpoenaed by the courts.
- Our services are built with security in mind. We understand that our efforts toward privacy are only as useful as the measures we take to keep your data secure. Please see the section below on data security.
- We aim for compliance with all U.S. laws and accepted business practices. In developing our products and services we have made all reasonable attempts to be compliant in each and every industry and jurisdiction where our services are applicable. If anyone believes we are not compliant, please contact us at firstname.lastname@example.org.
For those that use our website(s) and social media
We use website analytics. The Website uses Google Analytics and/or other similar products to collect statistics on our visitors, such as the user’s IP address and browser type, location information such as city and state, and which pages are visited. Google Analytics helps us ensure that our website and our services are designed for the best experience of our visitors. We do not use analytics or other website tools to track behavior unrelated to our services or outside of our websites.
Blogs and support forums. If you choose to participate in discussions on any blog or forum on our site(s), please be aware that any information you share can be read and utilized by other visitors. We are not responsible for the personal information you post or any actions that result from said actions.
Links to other websites. The Website may contain links to other sites not owned or controlled by SiteSeer Technologies or its parent companies. We are not responsible for the content or privacy policies of these sites.
For those that use products or services accessed through the Website (“the Services”)
Data access. We will only access stored user data as needed, such as to provide the Services, technical support, or to audit accounts to ensure compliance with the Terms of Service. Data will be stored no less than one year following the completion or cancellation of the Services. We retain the right to purge data we feel is in violation of the Terms of Service.
User Data Protection
This policy applies to user data with particular concern for protection of users’ sensitive information:
1. Security. Protect client sensitive information from loss, damage, inappropriate access, and unauthorized disclosure or use;
2. Integrity. Provide reasonable assurance that data, once received, will not be subject to unauthorized modification, and that data will remain unaltered during transmission, storage, migration, and use;
3. Accountability. Monitor and record security-related events and link them to the originator; and
4. Technical Guidelines. Provide technical guidelines and collaborative solutions to respond to these requirements.
The SiteSeer computer and communications systems’ privileges of all users, systems, and programs shall be restricted based on the following principle of “least privileges”:
1. Users shall be granted the “least privileges” required to accomplish their tasks;
2. Applications shall be granted the “least privileges” to perform their functions; and
3. General support systems shall be granted the “least privileges” to fulfill their role in a larger network.
Data Integrity. Each file or collection of data in a computer system must have an identifiable origin and use. Accessibility, maintenance, movement, and disposition of the data are governed on the basis of its sensitivity.
Information Flow Control. To ensure that proper information flow control is established, data labeling shall be applied to sensitive data. All computer-resident information, which is classified as either sensitive or non-sensitive, shall have an operating system with discretionary access controls and auditing functionality to ensure the confidentiality, integrity, and availability of the system.
Data Access Authority to Production Files. Access by application programmers and analysts to production programs shall be limited through an approved change control request. This access shall be allowed for a specific time frame to accomplish the approved change control request and then withdrawn. Programmers and analysts will not transform, alter, or modify the operating environment or standard operating procedures; programmers and analysts shall not make any modification that could have potential and/or significant impact on the stability and reliability of the infrastructure which impacts normal business operations.
Internal Audit/Operations Analysis. Internal auditors shall be authorized unrestricted read access for computer systems audits, provided management approves their request for audit privileges in advance. The request may be on the Internal Network Support-LAN Request Form or an approved substitute. The privileges authorized shall last for the duration of the audit. Requests for more than read or browse privileges during an audit must be documented and approved by management before privileges are granted.
Information Security Group. The security group shall be authorized unrestricted read access for computer systems, reviews or audits, provided the Information Security Officer approves their request for audit privileges in advance. The privileges authorized shall last for the duration of the review or audit.
System Software. Access authorizations shall be appropriately limited. Access to system software is restricted to a limited number of personnel, corresponding to job responsibilities. Application programmers and computer operators shall be specifically prohibited from accessing system software. The access capabilities of systems programmers shall be periodically reviewed to see that access permissions correspond with job duties. Justification and management approval for access to systems software shall be documented and retained.
Passwords Maintenance. Individuals assigned with maintaining User IDs shall only be given access to enter, change, delete, etc., user profiles and no other permissions or access to other files or system level programs.
Web Sites. There are many interdependencies among the security controls on the Web. The WebSite shall provide the following minimum features and controls:
1. The site’s domain naming service entries for all URL-referenced systems must be resolvable;
2. The site must maintain logging. Access to logs must be limited to authorized personnel. Logs must be retained in a secure but retrievable format;
3. The site must use a standard encryption mechanism for sensitive data transmission commensurate with the level of protection required;
4. The site must meet logical security requirements, such as secure password policies, Webmaster contact, Hyper Text Transfer Protocol Daemon server configured for least privilege, and separate development/production systems;
5. Backups and restore capabilities must be in place;
6. The site shall not allow Web development on production Web servers. Proper change control policies and procedures must be complied with;
7. FTP transfer to/from SiteSeer’s servers will be via implicit FTP over SSL to ensure data is protected during transfer. Users must authenticate prior to transfer, and authentication credentials will be given to the client’s assigned system administrator responsible for providing the client’s data required by the application.
Firewalls. As a matter of SiteSeer’s policy, all firewall services are denied, except those explicitly permitted and approved. Therefore, the procurement of a firewall product, installation of the product, and turning on the services of the firewall product must be coordinated and approved by the Information Security Officer. An examination and evaluation shall be required every quarter or when one of the following occurs:
1. A change or modification is made to the system software; and
2. There is a change in system administrators or Information Security Representative personnel.
Remote Desktop Security. The system administrator shall put into place security mechanisms that ensure all users take steps to protect the confidentiality, integrity, and availability of the client’s information. The system administrator shall deploy the necessary hardware and software to ensure that all such external access is identified, authenticated, tracked and logged. This means that the site is making a good-faith effort to ensure:
1. That the identity of all users is authenticated, and only properly validated users are granted access;
2. That a log is kept to permit, should the need arise, historical review of offsite access to the system, by time, date, access port identity and user identity;
3. That the system administrator shall ensure all remote connections are protected any time the user leaves the system unattended. The system administrator shall enforce this access control by using a locking “screen saver,” which locks user interaction after no more than five (5) minutes of inactivity.
Impact. All areas of SiteSeer shall comply with this User Data Protection policy; otherwise, an exception to the policy should be filed (and approved prior to implementation) if the policy requirement is not met. The following areas should comply with this policy:
1. Users. This policy shall impact all users that have access to the SiteSeer network or systems. This policy illustrates that all access is recorded and holds the individual user accountable and responsible for unauthorized access.
2. Data Owners. This policy shall assist the data owners in assuring that only authorized users have access to information data and that unauthorized access to information data will be determined and prevented when possible. This policy allows Data Owners to assign “least privileges” to sensitive information to ensure the confidentiality, integrity, and authorization of that information.
3. Managers. This policy shall allow management to take appropriate action to ensure that authentication is designed to combat fraud and make the SiteSeer network more secure. Management shall ensure that every program or system component will operate with the minimum set of privileges it needs to accomplish its task. Managers shall ensure that proper labeling of sensitive data is incorporated into identifying the SiteSeer system components.
4. Application Development/Database Administrators. This policy shall ensure that all administrators are responsible for implementing and monitoring approved access control solutions on computer systems. This policy shall ensure that all sensitive applications have the appropriate audit functions to abide by Federal laws and policies, and shall ensure that sensitive information flow is properly labeled and controlled within its own environment.
5. Help Desk. This policy shall ensure that continuity of access control solutions and data user protection solutions meet the needs of the Application Owners/Data Owners. The Help Desk will document any vulnerabilities identified in their ticket and report such findings to the system administrator for appropriate action.
Created: May 4, 2016
Updated: August 1, 2017