Privacy & Security

Legal Policy

 

OVERVIEW

Trust is one of the pillars on which ONGAGEMENT Inc. (“ONGAGEMENT”) was founded. Likewise, your trust in our service is invaluable, and feeling that you can trust us with your data is paramount. We are responsible for ensuring that the Personal Data of our Clients and their communities is protected.



GLOSSARY


2FA — Two Factor Authentication means that an authentication requires a token that the user, and only the user, has on them at a given time


Data Controller — the entity that determines the purposes and means of the processing of Personal Data


Data Processor — the entity that processes Personal Data on behalf of the Data Controller


Data Protection Authority — the independent national public authority responsible for the monitoring and enforcement of the data protection regulations within the European Union


Data Subject — an identified or identifiable natural person whose Personal Data is processed by a controller or processor


DPA – Data Processing Agreement is a legally binding document that governs the processing carried out by a Data Processor


Encryption — set of technological measures that ensure that the data is only readable by those with specified access


NDA — Non-Disclosure Agreement is a legally binding document in which the parties involved can restrict the use and dissemination of information


Personal Data — any information related to a ‘Data Subject’, that can be used to directly or indirectly identify the Data Subject


Processing — any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.



PERSONAL DATA PROCESS


Personal data

Under the GDPR, Personal Data means any information related to a ‘Data Subject’ that can be used to directly or indirectly identify the Data Subject.


Personal data processed by ONGAGEMENT

Community (Editors, Evaluators and Annotators): ONGAGEMENT uses Personal Data to connect each user with the proper interface they are registered with, using system communications by e-mail, SMS, web and push. The following Community Personal Data is collected by ONGAGEMENT:

– Email address

– Phone number

– First name

– Last name

– Country

– Birthdate (optional)

– Gender (optional)


Prospects
ONGAGEMENT uses Personal Data from visitors of our website who request to be contacted in order to receive information or demos about our products and services (“Prospects”) to communicate with them and answer their requests, as well as to keep them updated about such products and services by means of periodic emails or messages. For the above purpose, ONGAGEMENT collects the following Personal Data from the Prospects (related to natural persons):


– First name
– Last name
– Job Title
– Company
– Email
– Phone number

Clients 
In order to provide reporting, e-mail communications and billing to its clients, ONGAGEMENT collects the following Personal Data from its Clients’ accounts (related to natural persons):


– Email address
– First Name
– Last Name
– Billing Details
– Taxpayer number (in case of individual Clients)


ONGAGEMENT encrypts any Personal Data that may be included in the requested works (e.g. names, credit card numbers, social security numbers, e-mails, etc.).



PURPOSES

ONGAGEMENT will collect and use Personal Data solely for fulfilling the above specified purposes and for ancillary purposes of the same.

Personal Data should not be further processed in a manner that is incompatible with the purposes that governed the collection, and, to the extent necessary for those purposes, it should be accurate, complete, and up-to-date.


Legal basis for the processing: ONGAGEMENT processes the Personal Data of its Community either to perform their contractual relationship (or taking steps before entering into a contract) or to pursue its legitimate interest of ensuring the quality of assigned work.


ONGAGEMENT processes the Personal Data concerning its Prospects either based upon their consent or relying on its legitimate interest to communicate updates on its products and services, without prejudice to their right to object at any time to the processing of Personal Data for marketing purposes.


Finally, ONGAGEMENT processes the Personal Data related to its Clients pursuant to their contractual relationship (or taking steps before entering into a Contract) or in order to achieve its legitimate interest of providing a top-notch service.


Should you not provide us with all the Personal Data mentioned above, we may not be able to enter into or execute a contract with you.



PERSONAL DATA OWNERSHIP


From ONGAGEMENT’s perspective, Personal Data is owned and controlled by the Data Subject to whom it relates.


Processors

To support the delivery of our services, ONGAGEMENT relies on service providers. Any third party engaged by ONGAGEMENT that might have access to or process data that may contain Personal Data is considered a Processor. Although the ONGAGEMENT gamification pipeline was designed with privacy and security measures in mind, ONGAGEMENT still performs a security and privacy review of the practices of any Processor before engaging with it. Below is a list of our current Processors:


Amazon Web Services — Cloud service provider

Bugsnag — Error monitoring

Chatfuel — Messenger integration

Cloudflare — Content distribution, security services and DNS services

Dashbird — Serverless & troubleshooting

Egoi — Email & SMS services

Elastic — Elasticsearch service

Hotjar — User experience analytics

InvoiceExpress — Invoicing

Heroku — Cloud management platform

Typeform — File Upload and forms management

Zapier — Integration manager


Contractual safeguards & due diligence for our Processors: Every processor and subprocessor used by ONGAGEMENT is put under rigorous scrutiny to assess its security, confidentiality and privacy policies, as well as its adoption of adequate safeguards. We require all our Processors to have signed a DPA with us, similar to the DPA that our Clients sign with us, including but not limited to the requirements to:


– Process Personal Data as defined on their DPA
– Restrict data access to trusted, legally and contractually bound staff to assure data privacy and security
– Train the staff who have access to Personal Data on data privacy and protection issues
– Implement processes which take privacy into account throughout all their data processing activities
– Inform ONGAGEMENT about any actual or potential data breach
– Cooperate with Data Protection Authorities or Data Controllers when requested



THIRD-PARTY DATA DISCLOSURE


We restrict access to Personal Data to a limited number of staff who are trained in privacy protection and bound by NDA.

ONGAGEMENT only discloses data to third parties where the disclosure is absolutely necessary to provide the services that our Clients request or in response to a lawful request from an accredited authority. ONGAGEMENT will not sell any kind of Personal Data.

Notwithstanding, in restricted and signaled circumstances, we may disclose data to third parties for marketing purposes. We subject the transfer to prior consent of Data Subjects or, at least, to the legitimate interest of such third parties to communicate their products and services. Without prejudice, the Data Subjects have the right to object at any time to processing of Personal Data for marketing purposes.



PERSONAL DATA BREACH


By data breach we mean a breach of ONGAGEMENT’s security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed on ONGAGEMENT’s systems. We do not consider unsuccessful attempts or activities that do not compromise data security, such as unsuccessful log-in attempts, pings, port scans, denial of service attacks or other attacks on our systems, to be a Personal Data breach. In the event of a Personal Data breach that is likely to result in a high risk to the rights and freedoms of natural persons, ONGAGEMENT commits itself to notifying all Data Subjects without undue delay after discovery of the incident. If a breach may result in a risk to the rights and freedoms of natural persons, ONGAGEMENT also commits itself to notifying the supervisory authority without undue delay and, where feasible, no later than 72 hours after having become aware of it.



DATA RETENTION


ONGAGEMENT complies with the principle of data minimization. Therefore, Personal Data shall only be kept while it is adequate, relevant and limited to what is necessary in relation to the purposes of processing.

Personal Data will be stored during the contractual relationship with our Community or with our Clients or as long as a valid consent is ensured by our Prospects, notwithstanding the need to preserve data for compliance with legal obligations during the term prescribed by law.



DATA ACCESS, RECTIFICATION, OBJECTION AND RESTRICTION


ONGAGEMENT allows Data Subjects to access and rectify their Personal Data, and also to object to and restrict the processing of their Personal Data, in their user profile. If you want to make a request regarding the Personal Data that ONGAGEMENT holds from you without accessing our platform, follow the procedure below:

– Request data access, rectification, objection or restriction
Send us an email from the email address with which you created your ONGAGEMENT account to support@ONGAGEMENT.com with the subject ‘Data access/rectification/objection/restriction request’, specifying your request. Please note that if you object to or restrict the processing of data that we absolutely need to manage your account, we may have to suspend/block your account. Also note that, according to applicable data protection regulations, the rights of objection or restriction are subject to certain limitations, which we will take into account to assess the legitimacy of your request.


– Verify your identity
We will send you an email to the address you used to register your account with some steps to verify your identity.


– Data access/rectification/objection/restriction
Once we confirm your identity we will proceed with the access/rectification/objection/restriction to/of your Personal Data.


Data deletion
To maintain and improve service continuity and quality, data is deleted upon account termination or by explicit request either on our platform or by email, provided and insofar as such deletion does not prevent ONGAGEMENT or the Data Subject from complying with their legal or contractual obligations. If you want us to delete your data without accessing our platform, follow the procedure below:


– Request data deletion
Send us an email from the email address you shared with us to support@ONGAGEMENT.com with the subject ‘Data deletion request’.

– Verify your identity
We will send you an email to the address you used to register your account with some steps to verify your identity.


– Data deletion 
Once we confirm your identity and confirm that the requested deletion does not prevent ONGAGEMENT or the user from complying with their legal or contractual obligations, we will proceed with the deletion of your Personal Data.

Data export and portability

In compliance with applicable data protection regulations, ONGAGEMENT enables Data Subjects to export their data via our platform or by explicit request. If you want to export all the Personal Data that ONGAGEMENT holds from you, please follow the procedure below:


– Request data export
Send us an email from the email address with which you created your ONGAGEMENT account to support@ONGAGEMENT.com with the subject ‘Data export request’.


– Verify your identity
We will send you an email to the address you used to register your account with some steps to verify your identity.


– Data export 
Once we confirm your identity, we will export all the Personal Data we have from you and send it by email, in a structured, commonly used and machine-readable format.


Other rights
In compliance with applicable data protection regulations, Data Subjects always have the right to withdraw any consent they have provided at any time, without affecting the lawfulness of processing based on consent before its withdrawal.


Also, the Data Subjects may lodge a complaint with a relevant Data Protection Authority regarding any processing carried out by ONGAGEMENT.



PERSONAL DATA PROTECTION

All communication involving ONGAGEMENT follows high security standards and is transported over an encrypted secure channel. In the same way, data is also encrypted at rest, meaning that data is stored within encrypted databases with an appropriate level of access security.



DATA SECURITY


In the section below you can find an overview of how we enforce data security at ONGAGEMENT.


Pseudonymization 
All content passing through ONGAGEMENT’s Gamification Pipeline from its Clients goes through an automated pseudonymization process which removes Personal Data (credit cards, social security numbers, URLs and email addresses, etc.) and restores it before delivery. No Personal Data is shared with the Community.


Access control 
All access to ONGAGEMENT’s products and services is encrypted and protected by a firewall. All access credentials are segregated by work-group areas, provided to staff on a need-to-know basis, and audited based on internal security heuristics.


Two factor authentication 
Access to administration applications is secured by 2FA on top of standard user account authentication.


Audits and external validation 
ONGAGEMENT applies internal security policies to increase penetration barriers, from digital to physical, and regularly performs information security audits by third-party vendors to validate their compliance with best practices procedures and performance.


Encryption 
Data are encrypted in transit and at rest. More details on this process can be provided on request.


NDA and security training 
All our employees and Community members are bound by NDAs and subject to continuous security awareness training.