Capitalized terms not otherwise defined have the meanings given in Proof General Terms (“General Terms”) or the Proof Glossary.
1. Information Security Controls. Proof has implemented and will maintain reasonable technical, physical and organizational measures that meet or exceed legal requirements and frameworks in compliance with applicable law intended to protect User Data against accidental, unauthorized or unlawful access, disclosure, alteration, loss, or destruction.
2. Frameworks, Compliance, and Audits.
2.1 Frameworks. Proof’s security program includes controls that meet the requirements of the:
(a) American Institute of Certified Public Accountants (“AICPA”) Trust Services Criteria, as validated by annual SOC2 audits and the resulting reports;
(b) National Institute of Standards and Technology (“NIST”) Special Publication 800-53 Revision 5, “Security and Privacy Controls for Information Systems and Organizations,” at the moderate level and related security requirements contained in NIST Special Publication 800-63A, at the Identity Assurance Level 2 (“IAL2”), as validated by annual audits;
(c) WebTrust Principles and Criteria For Registration Authorities, as validated by annual audits;
(d) 201 Code of Massachusetts Regulations (“CMR”) 17.00, Standards for the protection of personal information of residents of the Commonwealth, as documented in Proof’s Written Information Security Policy; and
(e) The Payment Card Industry (“PCI”) controls applicable to e-commerce merchants who outsource all payment processing to PCI Data Security Standards (“PCI DSS”) validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises as validated by annual completion of Self-Assessment Questionnaire (“SAQ”) A.
2.2 Additional Legal Requirements. Based on Proof’s controls as implemented under the previously listed frameworks and legal requirements, Proof also meets:
(a) Health Insurance Portability and Accountability Act (“HIPAA”) requirements applicable to Business Associates as defined in HIPAA;
(b) Family Educational Rights and Privacy Act (“FERPA”) requirements applicable under the “School Official” requirements and relevant guidance from the Department of Education;
(c) Gramm Leach Bliley requirements applicable to Service Providers as defined in Gramm Leach Bliley; and
(d) NIST Special Publication 800-171 Revision 2.
3. Security Incidents.
3.1 Incident Response Plan. Proof maintains a cyber-incident breach response plan in accordance with Proof’s Written Information Security Policy (“Incident Response Plan”) and implements the procedures required under such plan on the occurrence of a Security Incident.
3.2 Security Incident Notification. If Proof becomes aware of a Security Incident, Proof, after initial investigation, without unreasonable delay: (1) provides a notification of the Security Incident that will be delivered to one or more of Subscriber’s administrators by email; (2) investigates the Security Incident and, after completing its investigation, provides Subscriber with information about the Security Incident; (3) uses reasonable efforts to mitigate the effects and to minimize any damage resulting from the Security Incident and, after doing so, informs Subscriber of the steps taken; and (4) once determined, informs Subscriber of any modifications Proof makes to its security procedures that are intended to prevent similar security incidents occurring in the future.
3.3 Information Security Incident Management.
(a) Incident Response Process. Proof maintains a record of Security Incidents with a description of the Security Incident, the time period, the consequences of the incident, the name of the reporting person, to whom the Security Incident was reported, and the procedure for recovering any affected data. Proof shall track Security Incidents, including what data has been disclosed and to whom, or what data has been lost, damaged, destroyed or altered (as the case may be), and at what time.
(b) Service Monitoring. Following a Security Incident, Proof security personnel review relevant service-related logs to propose remediation efforts, if necessary.

| Priority Level | Conditions |
| --- | --- |
| Level 1 | Critical Business Impact. The Incident seriously affects the functionality of the Services (or component thereof) and cannot be circumvented such that most of the significant functionality of the Services (or component thereof) is available. |
| Level 2 | Significant Business Impact. The Incident partially affects the functionality of the Services (or component thereof), but can be circumvented so that most of the significant functionality of the Services (or component thereof) is available. |
| Level 3 | Minimal Business Impact. The Incident can be circumvented such that the Services (or component thereof) can be used with only slight inconvenience. The problem can be considered insignificant and has no significant effect on the usability of the Services (or component thereof). |


| Priority Level | Conditions for Closure of Help-Desk Ticket |
| --- | --- |
| Level 1 | The Incident is considered resolved and closed when an Incident Resolution has been fully implemented. |
| Level 2 | The Incident is considered resolved and closed when an Incident Resolution has been fully implemented. |
| Level 3 | The Incident is considered resolved and closed when one of the following occurs: (i) an Incident Resolution has been fully implemented, or (ii) 10 business days have elapsed since Proof’s communication of the information that Proof reasonably believes will resolve the Incident (communicated by email to Subscriber’s designated contact for such Incident), and Subscriber has not responded to Proof. The Incident can be reopened later if it has not been resolved. |


| Cumulative On-Demand Notary Availability Downtime (in a given calendar month as measured by Proof monitoring systems, converted to minutes) | On-Demand Notary Downtime Credit |
| --- | --- |
| Up to 240 minutes | No On-Demand Notary Downtime Credit |
| 241-360 minutes | 1% |
| 361-480 minutes | 3% |
| 481-600 minutes | 5% |
| 601 minutes or greater | 7% |


| Platform Availability Percentage (in a given calendar month as measured by Proof monitoring systems) | Platform Downtime Credit |
| --- | --- |
| 99.9% or higher | No Platform Downtime Credit |
| 97% - 99.9% | 1% |
| 95% - 97% | 3% |
| 93% - 95% | 5% |
| Below 93% | 7% |


| Incident Priority | Acknowledgement Time (During Business Hours) | Provision of Incident Resolution or Interim Process | If Interim Process is provided, Maximum Timeframe for Provision of Incident Resolution |
| --- | --- | --- | --- |
| Level 1 | 1 hour | 8 hours | 36 hours |
| Level 2 | 4 hours | 24 hours | 5 days |

Personal Information Category set forth in Cal. Civ. Code § 1798.140
Source(s) of Personal Information Collection
Business or Commercial Purpose(s) for Collection/Use
Third Parties, Service Providers, and Contractors Receiving Personal Information Category
Retention Period
Personal Identifiers, including real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license or passport number, or other similar identifiers.
Directly from you; indirectly from you as you navigate or use our Services; notaries; data analytics providers; social networks; advertising networks; internet or mobile service providers; counterparties in a transaction; credential analysis companies; identity verification services.
For job applicants: directly from you; background check providers; recruiters; recruiting software providers.
Provide you with our Services; communicate with you; protect and secure our environment; verify, maintain, improve, upgrade, or enhance a product or service; identify and repair errors; advertise or market to you.
For job applicants: Assess your application; satisfy legal obligations.
Affiliates; advertising networks; social networks; technology service providers; customer relationship management providers; payment processors; mobile application platforms; tag management platforms; video sharing platforms; notaries; customer support platforms; data analytics providers; marketing platforms; mobile linking platforms; counterparties in a transaction; single sign-on providers; collaboration software providers; customer engagement and communication platforms; identity verification and anti-fraud solution providers; background screening companies; mortgage process digitization providers; electronic signature and digital transaction management providers; financial services companies; web mapping platforms.
The length of your business relationship with us plus any legally required additional retention period for this category of Personal Information following conclusion of your business relationship with us or as long as business needs require, whichever is longer.
California Customer Records Personal Information (Cal. Civ. Code § 1798.80(e)), including name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
Directly from you; counterparties in a transaction; credential analysis companies; identity verification services.
For job applicants: directly from you; background check providers; recruiters; recruiting software providers.
Provide you with our Services; communicate with you; protect and secure our environment; verify, maintain, improve, upgrade, or enhance a product or service; identify and repair errors; advertise or market to you.
For job applicants: Process your application; satisfy legal obligations.
Affiliates; advertising networks; social networks; technology service providers; customer relationship management providers; payment processors; mobile application platforms; tag management platforms; customer support platforms; data analytics providers; marketing platforms; mobile linking platforms; counterparties in a transaction; collaboration software providers; customer engagement and communication platforms; identity verification and anti-fraud solution providers; background screening companies; mortgage process digitization providers; electronic signature and digital transaction management providers; financial services companies; web mapping platforms.
The length of your business relationship with us plus any legally required additional retention period for this category of Personal Information following conclusion of your business relationship with us or as long as business needs require, whichever is longer.
Characteristics of protected classifications under California or federal law.
Directly from you; indirectly from you as you navigate or use our Services; notaries; data analytics providers; social networks; advertising networks; internet or mobile service providers; counterparties in a transaction; credential analysis companies; identity verification services.
For job applicants: directly from you; background check providers; recruiters; recruiting software providers.
Provide you with our Services; communicate with you; protect and secure our environment; verify, maintain, improve, upgrade, or enhance a product or service; identify and repair errors; advertise or market to you; meet our legal obligations.
Affiliates; advertising networks; social networks; technology service providers; customer relationship management providers; payment processors; mobile application platforms; tag management platforms; video sharing platforms; notaries; customer support platforms; data analytics providers; marketing platforms; mobile linking platforms; counterparties in a transaction; collaboration software providers; customer engagement and communication platforms; identity verification and anti-fraud solution providers; background screening companies; mortgage process digitization providers; electronic signature and digital transaction management providers.
The length of your business relationship with us plus any legally required additional retention period for this category of Personal Information following conclusion of your business relationship with us or as long as business needs require, whichever is longer.
Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
Directly from you; indirectly from you as you navigate or use our Services; notaries; data analytics providers; social networks; advertising networks; internet or mobile service providers; counterparties in a transaction.
Provide you with our Services; communicate with you; protect and secure our environment; verify, maintain, improve, upgrade, or enhance a product or service; identify and repair errors; advertise or market to you; meet our legal obligations; maintain transaction records.
Affiliates; advertising networks; social networks; technology service providers; customer relationship management providers; payment processors; mobile application platforms; tag management platforms; video sharing platforms; notaries; customer support platforms; data analytics providers; marketing platforms; mobile linking platforms; counterparties in a transaction; collaboration software providers; customer engagement and communication platforms; identity verification and anti-fraud solution providers; mortgage process digitization providers; electronic signature and digital transaction management providers; financial services companies; web mapping platforms.
The length of your business relationship with us plus any legally required additional retention period for this category of Personal Information following conclusion of your business relationship with us or as long as business needs require, whichever is longer.
Biometric information.
Directly from you; indirectly from you as you navigate or use our Services; internet or mobile service providers; credential analysis companies; identity verification services.
Provide you with our Services; communicate with you; protect and secure our environment; verify, maintain, improve, upgrade, or enhance a product or service; identify and repair errors; meet our legal obligations; maintain transaction records.
Affiliates; technology service providers.
The length of your business relationship with us plus any legally required additional retention period for this category of Personal Information following conclusion of your business relationship with us or as long as business needs require, whichever is longer.
Internet and other electronic network activity information, including, but not limited to, browsing history, search history, and information about individual interactions with an Internet website, application, or advertisement.
Indirectly from you as you navigate or use our Services; data analytics providers; social networks; advertising networks; internet or mobile service providers.
Detect security incidents; protect against malicious, deceptive, fraudulent, or illegal activity; verify, maintain, improve, upgrade, or enhance a service or device that is owned or controlled by us; identify and repair errors; advertise or market to you; perform analytics.
Affiliates; advertising networks; social networks; technology service providers; customer relationship management providers; payment processors; mobile application platforms; tag management platforms; video sharing platforms; customer support platforms; data analytics providers; marketing platforms; mobile linking platforms; single sign-on providers; collaboration software providers; customer engagement and communication platforms; identity verification and anti-fraud solution providers; mortgage process digitization providers; electronic signature and digital transaction management providers; financial services companies; web mapping platforms.
Barring any legally required additional retention period, up to one year.
Geolocation data
Indirectly from you; devices you use to access our Services; data analytics providers; social networks; advertising networks; internet or mobile service providers.
Protect and secure our environment; verify, maintain, improve, upgrade, or enhance a product or service; identify and repair errors; advertise or market to you.
Advertising networks; social networks; technology service providers; customer relationship management providers; mobile application platforms; tag management platforms; video sharing platforms; customer support platforms; data analytics providers; marketing platforms; mobile linking platforms; collaboration software providers; customer engagement and communication platforms; identity verification and anti-fraud solution providers; web mapping platforms.
Barring any legally required additional retention period, up to one year.
Sensory data including audio, electronic, visual, thermal, olfactory, or similar information.
Directly from you; indirectly from you as you navigate or use our Services; internet or mobile service providers; credential analysis companies; identity verification services.
Provide you with our Services; communicate with you; protect and secure our environment; verify, maintain, improve, upgrade, or enhance a product or service; identify and repair errors; meet our legal obligations; maintain transaction records.
Affiliates; technology service providers; counterparties in a transaction.
The length of your business relationship with us plus any legally required additional retention period for this category of Personal Information following conclusion of your business relationship with us or as long as business needs require, whichever is longer.
Professional or employment-related information
Directly from you; notaries; data analytics providers; social networks; advertising networks; counterparties in a transaction; credential analysis companies; identity verification services.
For job applicants: directly from you; background check providers; recruiters; recruiting software providers.
Provide you with our Services; communicate with you; protect and secure our environment; verify, maintain, improve, upgrade, or enhance a product or service; identify and repair errors; advertise or market to you.
For job applicants: Process your application.
Affiliates; advertising networks; social networks; technology service providers; customer relationship management providers; payment processors; mobile application platforms; tag management platforms; video sharing platforms; notaries; customer support platforms; data analytics providers; marketing platforms; mobile linking platforms; counterparties in a transaction; collaboration software providers; customer engagement and communication platforms; identity verification and anti-fraud solution providers; background screening companies; mortgage process digitization providers; electronic signature and digital transaction management providers; financial services companies.
The length of your business relationship with us plus any legally required additional retention period for this category of Personal Information following conclusion of your business relationship with us or as long as business needs require, whichever is longer.
For job applicants: Barring any legally required additional retention period, up to 7 years for non-hired applicants.
Non-public education information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 C.F.R. Part 99)
For job applicants: directly from you; recruiting software providers; background check providers; recruiters.
For job applicants: Process your application.
Affiliates; background screening companies; technology service providers.
For job applicants: Barring any legally required additional retention period, up to 7 years for non-hired applicants.
Inferences drawn from any of the information identified above to create a profile about you reflecting your preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
Indirectly from you; devices you use to access our Services; data analytics providers; social networks; advertising networks; internet or mobile service providers.
Advertise or market to you; perform analytics; maintain, improve, upgrade, or enhance a product or service.
Affiliates; advertising networks; social networks; technology service providers; customer relationship management providers; mobile application platforms; tag management platforms; video sharing platforms; customer support platforms; data analytics providers; marketing platforms; mobile linking platforms; collaboration software providers; customer engagement and communication platforms; web mapping platforms.