Compliance
FEDRAMP, HIPAA, PCI Compliance
The Connexion Platform has been deployed into multiple complex regulatory environments, including federal compliance regulations through FEDRAMP and health systems HIPAA compliance. Datastream operates all portal installs at the FEDRAMP Moderate threshold at minimum, and addresses additional compliance requirements as needed, such as HIPAA or GDPR.
EU-U.S. Privacy Shield Framework
Datastream materially adheres to the principles of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, and is currently in the process of self-certifying its U.S. entity’ with such Frameworks. All Personal Information received from European Union (EU) member countries and Switzerland will be processed in reliance on the applicable Privacy Shield Framework and in accordance with the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, please visit www.privacyshield.gov.
Cloud Services Attestations and Certifications
All of the data centers we leverage from Amazon Web Services are audited and/or certified by various internationally-recognized attestation and certification compliance standards.
AWS Compliance and certification information can be obtained from AWS link here, or active customers can get more information by contacting Datastream Connexion.
GDPR
Passed in 2016, the new General Data Protection Regulation (GDPR) is the most significant legislative change in European data protection laws since the EU Data Protection Directive (Directive 95/46/EC), introduced in 1995. The GDPR, which becomes enforceable on May 25, 2018, seeks to strengthen the security and protection of personal data in the EU and serve as a single piece of legislation for all of the EU. It will replace the EU Data Protection Directive and all the local laws relating to it.
We support the GDPR and will ensure all Datastream Connexion applications and Connexion Portal services comply with its provisions by May 25, 2018. Not only is the GDPR an important step in protecting the fundamental right of privacy for European citizens, it also raises the bar for data protection, security and compliance in the industry.
Privacy
Datastream Connexion is firmly committed to the privacy of our customers and the data which they store on the Connexion cloud platform. You can read more about the privacy of your account information and data in our Privacy Policy.
In addition to the security of your account information, we also treat the data you store on our services with the utmost sensitivity. A portal launched in a specific geographic region will stay in that region unless the customer performs an action to request further geographic migration or footprint expansion. Furthermore, backups and snapshots also remain in the same region in which the associated Portal resides to avoid any international data transfer issues.
Payment Data Security
Credit / debit card purchases for customer Portal-based custom applications or services are processed by the third-party vendor Stripe. When our customers provide their credit / debit card information on our website the data is sent to Stripe, i.e., the payment data is not stored on our systems.
Communications
All communications with Datastream Connexion and the Connexion Platform (Vinna) are transmitted over TLS (HTTPS) for all of our services.
PrivacySHIELD
Privacy Shield Notice. (May 22, 2018)
Datastream Connexion is committed to protecting your privacy. This Privacy Shield Notice sets out the privacy principles we follow with respect to transfers of personal data from the European Economic Area ("EEA") and Switzerland to the United States, including personal data we receive from individuals who visit our or our portal and mobile sites ("Websites"), who access or use our product or service offerings ("Services"), or who otherwise interact with us ("you").
Datastream materially adheres to the principles of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, and is currently in the process of self-certifying its U.S. entity’ with such Frameworks. All Personal Information received from European Union (EU) member countries and Switzerland will be processed in reliance on the applicable Privacy Shield Framework and in accordance with the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, please visit www.privacyshield.gov.
If there is any conflict between the terms of this Privacy Shield Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern.
Types of Personal Data We Collect and Use
The types of personal data we may receive in the United States, as well as the purposes for which we collect and use it, are set out in our Privacy Policy.
We will only process personal data in ways that are compatible with the purposes we collected it for or for purposes you later authorize. Before we use your personal data for a materially different purpose, we will provide you with the opportunity to opt-out.
Transfers to Third Parties
Information about the types of third parties to which we disclose personal data and the purposes for which we do so is described in our Privacy Policy.
If we have received your personal data in the United States and subsequently transfer that information to a third party acting as an agent, and such third-party agent processes your personal data in a manner inconsistent with the Privacy Shield Principles, we will remain responsible unless we can prove we are not responsible for the event giving rise to the damage.
Disclosures for National Security or Law Enforcement
Please note that under certain circumstances, we may be required to disclose your personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Access, Correction and Deletion Rights
You may have the right to access personal data that we hold about you and request that we correct, amend, or delete it if it is inaccurate or processed in violation of the Privacy Shield. These access rights may not apply in some cases, including where providing access is unreasonably burdensome or expensive under the circumstances or where it would violate the rights of a third party. If you would like to request access to, correction, amendment, or deletion of your personal data, you can submit a written request to the contact information provided below. We may request specific information from you to confirm your identity.
Your Choices
We commit to giving you an opportunity to opt out if personal data we control about you is to be disclosed to another independent third party or is to be used for a purpose that is materially different from those set out in our Privacy Policy. Where sensitive personal data is involved, we will obtain your express opt-in consent to do such things. If you otherwise wish to limit the use or disclosure of your personal data, please write to us at the contact details set out below. You can also ask us to remove you from any mailing list to which you previously subscribed by sending us an email or by following the "unsubscribe" link in any marketing communications we send to you.
Questions or Complaints
In compliance with the Privacy Shield Principles, we commit to resolve complaints about our collection or use of your personal data. EEA and Swiss individuals with inquiries or complaints regarding our Privacy Shield practices should first contact us at info@dscxn.com.
You may, under limited circumstances, invoke binding arbitration for complaints not resolved by the above mechanisms. Additional information can be found at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
Datastream will be subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission with regards to our compliance with the EU–U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.
Changes to this Notice
We reserve the right to amend this Notice from time to time consistent with the Privacy Shield's requirements.
Contact Security
Responsible Vulnerability Disclosure
Our goal is to keep the Connexion Platform safe and secure for everyone. If you have discovered a security vulnerability we would greatly appreciate your help in disclosing it to us in a responsible manner. Publicly disclosing a vulnerability can put the entire Connexion community at risk.
If you have discovered a potential vulnerability we would greatly appreciate you informing our Security team. You can submit the details of the potential vulnerability by submitting the vulnerability by contacting our Customer Support team here.
We will work with you to assess and understand the scope of the issue and fully address any concerns. Submitted vulnerabilities are initially reviewed, triaged, and then assessed in detail to determine the risk level of the vulnerability. Security vulnerabilities are treated with the utmost importance to ensure the safety and security of our service.
