Eptura Security and Privacy Information
We take privacy and security very seriously
Protecting personal privacy is a concern for most organizations in the modern world. Most companies want to know how Serraview helps to manage and address privacy concerns.
Top 9 Tips for Protecting Personal Privacy
1 Understand what PII data Serraview collects
Serraview collects specific data, classified as Personally Identifiable Information (PII), about how our Client's personnel use their workplace. This information can include the individual’s name, email address, unique identifier(s), phone number(s), company position, business unit, cost center number, and the individual’s location throughout the workplace at different times of the day. No other sensitive data is captured or processed.
2 Understand why Serraview collects this data
Serraview utilizes the data to:
a. Provide workplace management and optimization services, enabling our customers to drive millions of dollars in real-estate savings and cost avoidance through a better understanding of space utilization and productivity improvements.
b. Provide real-time wayfinding services to all personnel, helping them to find their colleagues and facilities that are currently available.
c. Support business continuity teams in managing disasters.
d. Ensure occupational health and safety requirements are met in agile environments, e.g. enough first aid officers and fire wardens are on the floor.
There's a strong business case for collecting this data for both the business and the people utilizing the workplace.
3 Understand the Current Environment
The information that Serraview collects is normally already available throughout an organization. It is held in employee directories, and much of it is already public. Physical security systems (e.g. badge swipes) and computer networks already collect information on the location of employees.
We have also seen an increase in individuals opting in to share this type of information via social networks in their personal lives. Email signatures and LinkedIn already contain much of the PII collected by Serraview.
4 Understand what the Concerns/Fears may be
The most common concerns/fears we hear are:
a. Attendance/Performance Monitoring
b. Personal Security Concerns
Certain employees (typically executives, some lawyers, and people under witness protection) have legitimate security concerns about other people being able to find them. The PII Serraview processes is not publicly available and is only viewable by employees within the organization. Serraview supports an opt-out for these individuals if required.
5 Understand what PROTECTIONS Serraview has in Place
a. EU-US Privacy Shield Certified
Serraview is independently certified to the EU-US Privacy Shield framework, which enables the secure collection and transfer of personal data from Europe to the United States. The new mechanism complies with the more stringent European data protection laws, replacing the Safe Harbor privacy framework that was ruled inadequate in 2015. Serraview's privacy management practices have been certified by TrustArc, an independent auditor for privacy compliance (TrustArc are used by several leading SaaS providers to certify privacy compliance, including salesforce.com and Workday).
b. Compliant with Australian Privacy Principles
Serraview remains compliant with the Australian Privacy Act 1988, and associated Privacy Principles.
Serraview allows certain individuals to remain anonymous.
e. Data Security & Integrity
Serraview takes data security seriously; refer to the Serraview Information Security Policy (ISP).
f. Serraview is independently audited and certified to ISO27001
ISO27001 is the most internationally recognized and used information security framework. The ISO27001 security framework is used to develop and host secure applications and protect our client’s data.
g. Data Sovereignty
Australian Customers: Serraview stores data on secure servers located in Australia.
American Customers: Serraview stores data on secure servers located in the United States.
h. Recourse for Non-Compliance
Serraview has a documented process for managing privacy complaints. Any unresolved privacy or data use concern relevant to the EU-US Privacy Shield can be reported to Arc, a third-party dispute resolution provider (free of charge). Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
6 Understand what Protections your Organization has in Place
Under international privacy standards, your organization will be classified as an information provider, known as the Data Controller, and as such will be responsible for taking the steps required by applicable data protection and/or privacy laws. These laws usually require that your organization notify each individual of the information that's being collected, the intended recipients of that information, the purpose for the data collection and an individual’s right to obtain access to that information. Serraview is the Data Processor and takes its instruction from the Data Controller.
7 Understand the Regulatory Environment
Work with your Human Resources team to understand if there are any regulatory requirements in your country.
8 Serraview adheres to International Best Practices and Privacy Principles
As part of Serraview’s compliance, we follow the OECD Privacy Principles. Internationally the OECD Privacy Principles provide the most commonly used privacy framework, and tie closely to the European Union member nations' data protection legislation. The 8 principles include:
a. Collection limitation principle
b. Data quality principle
c. Purpose specification principle
d. Use limitation principle
e. Security safeguards principle
f. Openness principle
g. Individual participation principle
h. Accountability principle
9 Seek Legal Advice
International privacy legislation is diverse and continually evolves. In an abundance of caution, we recommend that our Customers take steps to ensure compliance with the various privacy and surveillance laws in each of the jurisdictions in which they operate.
Security Policy, Certificates, and Information List
Information Security Policy (ISP)
Issued: December 2020
Serraview IRAP (ISM) Compliance Statement - Client Report
Information Security Management System - ISO/IEC 27001:2013
We are now officially ISO27001 certified. The certification scope includes US & Australia and the following entities: Archibus, Inc; Serraview America, Inc; Serraview Australia, Pty Ltd.; SpaceIQ, LLC; iOffice, LP; Manager Plus Solutions, LP; Hippo Facility Management Technologies, Inc; Teem Technologies, LLC.
EU-US Privacy Shield
We are certified to the U.S. Department of Commerce and the European Commission’s EU-US Privacy Shield; for more details, refer to the Covered Entities.
GDPR Data Processor and Controller Obligations
Issued: April 2020
Personally Identifiable Information (PII) Data Flow
Issued: April 2020