Revised: 11-01-2018


Propel, Inc., Privacy Policy and GDPR Compliance (abridged for website posting)


1.0 AUTHORITY/PURPOSE/OBJECTIVE: Section 7.0 of the Propel, Inc., ("Propel" or "Company") Information Security Management Policy ("ISMP"), incorporated herein by reference, identifies the need for sub-policies to address a variety of information security subjects, one of which is privacy as addressed by the European Union (EU) through its General Data Protection Regulation (GDPR). It is important to note that Propel® strives to achieve substantive compliance with both the GDPR and U.S. privacy laws. Further, as a matter of policy, the Company strives to comply with both the letter and spirit of applicable laws and regulations, and it acknowledges the more comprehensive requirements of the GDPR. Propel® seeks to construct its culture of privacy compliance upon a foundation characterized by transparency, consent and a sense of "doing the right thing" at the front end of its decision-making processes. This means that when the Company seeks explicit consent from individuals, it is accompanied by a clear privacy notification and an understandable explanation of how and why we collect personal data, with whom it is shared and at what risk. For Propel, the collateral benefit is that its efforts to comply with the GDPR also serve to embrace the nearly global expectation that privacy is a natural right to be duly protected. While the terminology and definitions may differ politically, geographically and from one organization to another, the shared objective of data privacy is to protect the privacy rights of individuals. Propel's stated objective is to secure and keep private the protected information that the Company handles in conjunction with its clients, its clients' employees, its third-party data-center host and other mission-related third-party vendors, etc. The GDPR objective is to protect "fundamental rights and freedoms of natural persons, particularly their right to the protection of personal data." (GDPR-Article 1.2). At Propel there is a consistency between the two objectives.

2.0 SCOPE/UNDERSTANDING THE PROPEL BUSINESS MODEL: This sub-policy applies to all Propel employees, contractors, vendors and agents with a Propel-owned or personally-owned computer or workstation used to connect to the Company's network (including all web application development, staging and production servers currently owned or maintained by Propel). The Company's business model embraces two types of infrastructure with different functions, handling different amounts of personal data. The corporate infrastructure consists of a single server located in a secure area within the Company's offices and is sometimes referred to as the corporate/office server. It handles less than 1 percent of collected personal data from our clients and their employees. Its two primary functions are to support Propel's intra-company applications and to provide a working platform, or software workstation, upon which the Company's team members develop, maintain, customize, revise and support what becomes a customized wellbeing program for use by our clients and their employees. Section 3.0 below describes the capabilities which are developed and customized for the Company's clients. This finished product, a client portal, formally activates upon the infrastructure known as the "Propel® Platform" at the time of licensing, whereupon it is placed under client control at or about the time of program launch. Of course, appropriate Propel team members maintain access to the portal for maintenance purposes, etc. It is at this juncture that personal data begins to flow through the client's portal. See Section 4.0 for an understanding of the dynamics of the "Propel® Platform".

3.0 PROPEL OVERVIEW AND BUSINESS DESCRIPTION: Propel, Inc., is engaged in the development, maintenance, customization and support of the Propel® platform that is customized to run and manage comprehensive wellbeing programs. The Propel® platform includes such features as:

a. A Full Content Management System allows the client organization to manage all portal content as well as to add and delete pages, links and navigation.
b. Social Networking and Teaming Functions enable clients to create virtual teams designed to compete against each other in wellness/wellbeing related competition(s).
c. Fitness and Health Activity Tracking Functions are used by client employees (users) to track their personal activity for hundreds of nutritional choices, physical activities, biometric measures and other wellness/wellbeing categories. These Propel portal functions further enable users to connect with more than 150 different downloadable applications (apps) and hardware devices allowing users to automatically upload their personal activity.
d. Goal Tracking Functions permit users to create and track their personal fitness, health and other wellbeing goals, as well as to monitor and print progress graphs and charts.
e. Fully Customizable Competitions mean that through the portal, users can participate in individual, team and/or group competitions launched by the client's Program Administrator and/or to create their own private competitions, inviting others to participate with them.
f. Recognition Features provide automated methods of recognizing health and wellness/wellbeing accomplishments (e.g., certificates of achievement, achievement rankings, leaderboards, badges and customizable incentives).
g. Customizable Incentive Management means that client organizations can automate the management of their health promotion incentive programs, build customized incentives and closely track results.
h. Vendor Connectivity permits client organizations to connect wellbeing vendors to the Propel platform, thus creating a fully integrated program experience using the client's choice of vendor partners that provide health coaching, disease management, biometrics, telemedicine, etc.

4.0 UNDERSTANDING THE PROPEL PLATFORM SERVER/CLIENT DATA BACK-UP AND RECOVERY/THIRD-PARTY DATA CENTER RELATIONSHIP: Crucial to an understanding of this Privacy and GDPR Compliance Sub-Policy is the concept of how Propel's clients access and utilize their data. Note that each client has a separately installed web application and database located on one of the servers maintained for Propel, Inc., by its third-party data center host. More than 99% of our clients' employees' protected data is handled within the confines of the carefully controlled data center environment and NOT on Propel's corporate/office server.

5.0 DATA CENTER CERTIFICATIONS: A summary of the data center's certifications includes compliance with the following standards and regulatory agency requirements: Payment Card Industry (PCI) Security Standards Council, Health Information Trust Alliance (HITRUST), Federal Risk and Authorization Management Program (FedRAMP), The Information Security Registered Assessors Program-Australia (IRAP), IBM ISO Management System Certification for ISO 9001, ISO 14001, ISO 50001 and OHSAS 18001, European Union (EU) Model Clauses, Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), My Number Act (Japan), U.S. International Traffic in Arms Regulations (ITAR), Criminal Justice Information Systems (CJIS) as part of the U.S. Dept. of Justice Federal Bureau of Investigation (FBI), Cloud Security Alliance (CSA), EU-US Privacy Shield, Federal Financial Institutions Examination Council (FFIEC), International Organization for Standardization (ISO) 27001, ISO 27017, ISO 27018, ISO 22301, ISO 31000, Service Organization Control (SOC) Reports (SOC 1, SOC 2, SOC 3), The Center for Financial Industry Information Systems-Japan (FISC) and The Federal Information Security Management Act of 2002 (FISMA). It is important to note that these certifications and regulatory compliance accomplishments are an integral part of Propel's decision-making process for selecting a web host for its clients. This selection process is a formalized compliance policy identified as the Propel, Inc., Third-Party Due Diligence and Risk Management Policy.

6.0 THIRD-PARTY DATA CENTER COMPLIANCE IS PROPEL'S COMPLIANCE; PROPEL BENEFITS FROM DATA CENTER'S CERTIFICATION(S): With an understanding of Propel's business model and its third-party relationship with its data center, the Company contractually relies upon the expertise and security certification(s) maintained by its data center to secure and keep private the protected data entrusted to it for handling, storage and backup.

7.0 THE PROPEL WEBSITE/COOKIE AUDIT/PRIVACY AND COOKIE NOTICE: As the result of a formal cookie audit, a visit to the Propelwellness.com website will engage the following: "Privacy Notice. You can browse our website without disclosing information about yourself. We use two types of cookies. The first is designed to ensure that you have a secure browsing experience; these "strictly necessary" cookies guard against unauthorized posting of content and serve to protect our website visitors. The second type, "performance" cookies (your consent is requested), help us to better understand how our site is used. This collected information never identifies you personally. If you choose to contact us on the website, your identifying information is NOT shared with any third party. You also have a right to know what information, if any, we hold about you, as well as a right to ask that your personal information be updated, corrected, or deleted altogether. If you wish to make a request to us in this regard, please contact Propel at: privacy@propelwellness.com. You should also know that to opt out of being subject to Google Analytics across all websites you can visit http://tools.google.com/dlpage/gaoptout. MAY WE HAVE YOUR CONSENT TO USE PERFORMANCE COOKIES? You can say "no" and it will not have a meaningful impact upon your browsing experience." The notice is followed by three buttons: "No", "Yes" and "More Information" (note that selecting the "More Information" button will take the reader to this policy).

8.0 PROPEL, INC., DESIGNATION OF DATA PRIVACY OFFICER (DPO)/CONTACT INFORMATION FOR PRIVACY ISSUES: In accordance with GDPR-Article 37, Propel, Inc., designates its Chief Compliance Officer (CCO) to assume the additional responsibility as DPO. For additional questions, comments, suggestions, requests for more information, or if you would like to voice a complaint, please contact the Company by e-mail at privacy@propelwellness.com, or in the alternative, send written correspondence to Propel, Inc., Attn: CCO/DPO, 105 Continental Place, Suite 160, Brentwood, TN 37027 (USA). The Company's phone number is +1-615-377-6116.

9.0 DESIGNATION OF AGENT FOR SERVICE OF PROCESS/EUROPEAN UNION (EU) REPRESENTATIVE: In accordance with GDPR-Article 27, Propel, Inc., has appointed Link Asset Services, Attn: Corporate Services Group, 6th Floor, 65 Gresham Street, London, EC2V 7NQ (U.K.) as its agent for service of process in the U.K. Link's Website Address: www.linkassetservices.com; Link Corporate Services' E-mail address is processagent@linkgroup.co.uk.

10.0 DATA PRIVACY IMPACT ASSESSMENT (DPIA): The process of developing this policy and its incorporated ISMP constitutes an ongoing DPIA. The CCO/DPO has considered the Company's roles as a controller and processor of personal data (PD): that the Company acts as a controller because it designs, develops and customizes the Propel® platform upon which its client(s) then accept, control and begin processing the PD of their respective employees; that each client develops its own privacy notices and policies pursuant to Propel's required Terms of Use Policy and Consent Agreement; that the processor role is executed in only a limited number of instances related to the recording of certain biometric screening data, which is carefully secured, logged into a secure spreadsheet and downloaded to the associated client's portal at the end of each day; that all PD is provided pursuant to a transparent consent process; that there is no history of PD breach or compromise; that the DPO has reviewed the U.K. website of the country's Supervisory Authority, The Information Commissioner's Office (most recently 11-01-2018); and that the Company's use of encryption technologies is quite extensive and continually updated. From all of this the DPO finds that there is no need to conduct a more formalized DPIA at this time, that the risk/potential for harm is extremely low, as is the likelihood and severity of impact upon individuals.

11.0 DPO AS A MEMBER OF THE PROPEL INFORMATION SECURITY MANAGEMENT COMMITTEE: The DPO also occupies the position of CCO and serves as a member of the Propel Information Security Management Committee, alongside the Chief Administrative Officer (CAO) and the Vice President, Application Architecture (VP-AA). Relative to matters involving GDPR compliance, the DPO's findings shall be controlling (in accordance with GDPR Article 38). The DPO reports directly to the President and CEO on such matters.

12.0 PRIVACY AND GDPR COMPLIANCE AS AN EVOLVING PROCESS: As with any good compliance policy, this sub-policy evolves as our business environment changes. Laws and regulations change as well. Specific to this policy is the Company's mandate that the DPO continually review the nature, scope, context and purposes of its controller and processor functions, and that the DPO also assess the necessity, proportionality and compliance measures as they relate to risks to individuals (along with additional measures to mitigate those risks). Complaints brought under this policy will be promptly investigated by the CCO and CAO. It shall be the responsibility of the CCO to monitor, evaluate, revise and test this plan as directed above.