Transformative Healthcare developed proprietary software and services in response to the COVID pandemic and has securely processed millions of COVID tests and vaccinations through our platform. Our diagnostic testing and vaccine administration platform (www.app.transformativehealthsite.com) manages every aspect of the testing or vaccination process including event scheduling, staffing, booking appointments, in-field test or vaccine administration, lab order generation & transmittal, receipt & communication of test results and reporting of testing or vaccination data as required by federal, state or local governmental authorities. Our Crowd-Safe platform (www.app.crowd-safe.us) enables participants to link their identity to certain health characteristics to automate compliance with their organization’s vaccination and testing requirements. Given the nature of the information we collect, any software that collects or reports private health information is provisioned on secure HIPAA compliant servers provided by Amazon Web Services under a Business Associates Agreement and access to that data is tightly controlled. This policy also covers data collected on our websites at www.transformativehc.com and www.crowd-safe.us.
Effective Date: December 15, 2021
Transformative is committed to providing a robust and comprehensive security program for its Services, including the security measures set forth below under “Enterprise Security Measures”. During the Subscription Term, these Security Measures may change without notice, as standards evolve or as additional controls are implemented or existing controls are modified as we deem reasonably necessary.
Enterprise Security Measures Utilized by Us
We will abide by these Enterprise Security Measures to protect Service Data as is reasonably necessary to provide the Services:
1. Security Policies and Personnel. We maintain a security program to identify risks and implement preventative technology, as well as processes for common attack mitigation. This program is reviewed on a regular basis to provide for continued effectiveness. We maintain an information security resource responsible for monitoring and reviewing security posture for our systems and services, responding to security incidents, and developing and delivering training to our employees in compliance with our security policies.
2. Data Transmission. We will maintain commercially reasonable administrative, physical and technical safeguards to protect the security, confidentiality, and integrity of Service Data. These safeguards include encryption of Service Data at rest and in transmission with our user interfaces or APIs (using TLS or similar technologies) over the internet, except for any Service that does not support encryption.
3. Audits and Certifications. Upon Client request, and subject to the confidentiality obligations set forth in our Client Agreement, Transformative shall make available to Clients (that are not a competitor of Transformative) information regarding our compliance with the obligations set forth in this Agreement in a mutually agreeable form (and under appropriate non-disclosure protections).
4. Incident Response. We have an incident management process for security events that may affect the confidentiality, integrity, or availability of our systems or data that includes a response time under which Transformative will contact its Clients upon verification of a security incident that affects their Service Data. The incident response program includes centralized monitoring systems and on-call staffing to respond to service incidents. Unless ordered otherwise by law enforcement or government agency, Clients will be notified within seventy-two (72) hours of a Service Data Breach. “Service Data Breach” means an unauthorized access or improper disclosure that has been verified to have affected Client’s Service Data.
5. Access Control and Privilege Management. We restrict administrative access to production systems to approved personnel. We require such personnel to have unique login credentials and strong passwords changed on a regular basis. Upon termination of personnel, or where compromise of such credentials is suspected, these credentials are revoked. Access rights and levels are based on our employees’ job function and role, using the concepts of least-privilege and need-to-know basis to match access privileges to defined responsibilities.
6. Network Management and Security. The Sub-Processors utilized by us for hosting services maintain industry standard fully redundant and secure network architecture with reasonably sufficient bandwidth as well as redundant network infrastructure to mitigate the impact of individual component failure. Our IT team monitors security advisory lists for vulnerabilities, and undertakes periodic external vulnerability scans and audits.
7. Data Center Environment and Physical Security. The Sub-Processors’ environments which are utilized by us for hosting services in connection with our provision of Services employ the following security measures:
•A security organization responsible for physical security functions 24x7x365.
•Access to areas where systems or system components are installed or stored within data centers is restricted through security measures and policies consistent with industry standards.
•N+1 uninterruptible power supply and HVAC systems, backup power generator architecture and advanced fire suppression.
Technical and Organizational Enterprise Security Measures for Third-Party Service Providers Who Process Service Data
Third-party service providers, if any, that are utilized by Transformative will only be given access to Client Account and Service Data as is reasonably necessary to provide the Services. Transformative requires any third-party service providers who have access to Service Data to maintain compliance with the following appropriate technical and organizational security measures:
1. Physical Access Controls. Third-party service providers shall take reasonable measures, such as security personnel and secured buildings, to prevent unauthorized persons from gaining physical access to data processing systems in which Service Data is Processed.
2. System Access Controls. Third-party service providers shall take reasonable measures to prevent data processing systems from being used without authorization. These controls shall vary based on the nature of Processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and/or logging of access on several levels.
3. Data Access Controls. Third-party service providers shall take reasonable measures to provide that Service Data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to access Service Data only have access to Service Data to which they have the privilege of access; and, that Service Data cannot be read, copied, modified, or removed without authorization in the course of Processing.
4. Transmission Controls. Third-party service providers shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Service Data by means of data transmission facilities is envisaged so Service Data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport.
5. Input Controls. Third-party service providers shall take reasonable measures to ensure that it is possible to check and establish whether and by whom Service Data has been entered into data processing systems, modified or removed; and, any transfer of Service Data to a third-party service provider is made via a secure transmission.
6. Data Protection. Third-party service providers shall take reasonable measures to provide that Service Data is secured to protect against accidental destruction or loss.
These terms were last updated on December 15, 2021.
1. INFORMATION WE OBTAIN
We may obtain personal information about you from various sources. The types of personal information we may obtain include:
•Contact details (such as name, email and postal address and, telephone number);
•Business contact information (such as employer’s name and address, job title and business email address and telephone number);
•Biometric data (such as facial images or scans);
•Physical characteristics (such as gender);
•Government-issued identification information (such as driver’s license number, as well as copies of government-issued identification documents);
•Digital photographs (such as images from your mobile device camera);
•Demographic details (such as date of birth, race, ethnicity);
•Location information (such as GPS data from your mobile device to enable a location-based service);
•Information about your health, as described further in Section 14;
•Contact information for family or others you would like us to contact;
•Survey information; and
•Other information you may provide to us or authorize to be provided to us (such as language preferences).
We also may collect personal information typed into forms on our websites, whether or not the form is submitted.
In addition, when users visit our websites, we may collect certain information by using cookies, web beacons and other tracking tools to collect certain information including your device’s IP address, device type, browser type, operating system, referring URLs, actions taken on our sites, and dates and times of website visits. A “cookie” is a text file that websites send to a visitor’s computer or other Internet-connected device to uniquely identify the visitor’s browser or to store information or settings in the browser. A “web beacon”, also known as an Internet tag, pixel tag or clear GIF, links web pages to web servers and their cookies and may be used to transmit information collected through cookies back to a web server. Through these automated collection methods, we may obtain “clickstream data”, which is a log of content on which a visitor clicks while browsing a website. As the visitor clicks through the website, a record of the action may be collected and stored. Clickstream data also can tell us the type of computer and browsing software a visitor uses, the address of the website from which the visitor linked to our site, and the pages she visits on our site.
2. HOW WE MAY USE THE INFORMATION WE OBTAIN
A. BIOMETRIC DATA AND OTHER PERSONAL INFORMATION, INCLUDING HEALTH INFORMATION
We may use biometric data, health information and other personal information we obtain about you to:
•Facilitate and manage the testing, vaccination and related services provided by Transformative Healthcare
•Deliver automated appointment confirmations, reminders and test results via email, text and /or automated voice calls
•Operate and administer the Crowd-Safe vaccine and test status automation platform
•Verify individuals’ identities, including authenticating users of our services
We also may use the information in other ways with your express consent, such as when you choose to use a service or participate in a program we may offer jointly with another entity.
B. NON-BIOMETRIC AND NON-HEALTH PERSONAL INFORMATION
In addition to the uses described in 2.A. above, we also may use non-biometric and non-health personal information to:
•Provide services to our consumers
•Respond to and communicate with you about questions and comments
•Create and manage online accounts that you may establish on our sites
•Send news and updates about our services or those offered by our marketing partners
•Offer our consumers products or services we believe may be of interest to them
•Communicate with our consumers about, and administer participation in, special events, programs, surveys, and other offers and promotions
•Operate, evaluate and improve our business (including developing new products and services; analyzing our products and services; managing our communications; and performing accounting, auditing and other internal functions)
•Perform data analyses (including market and consumer research)
We do not collect personally identifiable information about a consumer’s online activities over time and across third-party websites or online services. Therefore, “do not track” signals transmitted from web browsers do not apply to our website, and we do not alter any of our data collection and use practices upon receipt of such a signal.
We also may use the information we obtain about you in other ways for which we provide specific notice at the time of collection.
C. HEALTH INFORMATION
In addition to the uses described in 2.A. above, we may use health information as described in greater detail below in Section 14.
D. INTEREST-BASED ADVERTISING
3. INFORMATION WE SHARE
We never sell or rent personal information about you.
A. BIOMETRIC DATA AND OTHER PERSONAL INFORMATION, INCLUDING HEALTH INFORMATION
B. NON-BIOMETRIC AND NON-HEALTH PERSONAL INFORMATION
C. HEALTH INFORMATION
D. SERVICE PROVIDERS
We contractually prohibit our service providers who access our consumers’ personal information from using or disclosing the information other than to perform services on our behalf or comply with legal requirements. We require these service providers to appropriately safeguard the privacy and security of the consumer personal information they collect, use, disclose or otherwise process on our behalf.
E. DISCLOSURES FOR OTHER PURPOSES
We may disclose information we obtain about you (1) if we are required to do so by law or pursuant to legal process (such as a court order or subpoena); (2) in response to requests by government agencies, such as law enforcement authorities; (3) to establish, exercise or defend our legal rights; (4) when we believe disclosure is necessary or appropriate to prevent physical or other harm or financial loss; (5) in connection with an investigation of suspected or actual illegal activity; or (6) otherwise with your consent or at your direction.
We also may share the information we obtain about you in other ways for which we provide specific notice at the time of collection.
F. NOTICE FOR PARTICIPANTS RESIDENT OUTSIDE OF THE UNITED STATES
Your personal information may be maintained and processed by Crowd-Safe, its affiliates and third-party service providers in the United States. Personal information transferred to the U.S. will be subject to U.S. laws and may be disclosed to or accessed by the courts, law enforcement and governmental authorities in accordance with those laws.
We or our service providers may also disclose information we obtain about you if we are required or permitted to do so by law or pursuant to legal process (such as court order or subpoena), which may include lawful access by U.S. courts, law enforcement or other government authorities in those jurisdictions. If you have any questions about the manner in which we or our service providers treat your personal information, please contact us at the contact information in Section 11 below.
4. YOUR CHOICES
We offer you certain choices in connection with the personal information we maintain about you. At any time, you may tell us not to use your personal information for marketing purposes. In addition, you may ask us to refrain from sharing the personal information we maintain about you with third parties for the third parties’ own marketing purposes.
5. ACCESS AND CORRECTION
6. OTHER ONLINE SERVICES AND THIRD-PARTY FEATURES
Our websites may provide links to other online services for your convenience and information, and may include third-party features such as apps, tools, widgets and plug-ins. These online services and third-party features may operate independently from us. The privacy practices of the relevant third parties, including details on the information they may collect about you, is subject to the privacy statements of these parties, which we strongly suggest you review. To the extent any linked online services or third-party features are not owned or controlled by us, Crowd-Safe is not responsible for these third parties’ information practices.
7. HOW WE PROTECT PERSONAL INFORMATION
We maintain administrative, technical and physical safeguards designed to protect personal information against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use.
To safeguard certain sensitive information (such as biometric data and government-issued identification information), we implement security measures such as encryption, firewalls, and intrusion detection and prevention systems.
In addition, the following are examples of security measures that are used to safeguard all types of personal information we maintain about our consumers:
•Procedures for the identification and classification of personal information and implementation of safeguards appropriate to the sensitivity of the information;
•access control procedures designed to verify a business need before access to personal information is granted, and procedures for the periodic review of access permissions;
•procedures for termination of access to personal information designed to curtail access to the information by terminated personnel or when there is no longer a business need for access;
•personnel security controls designed to reduce the risk of human error, theft, fraud or misuse of facilities.
8. RETENTION OF PERSONAL INFORMATION
9. CHILDREN’S PERSONAL INFORMATION
We recognize the importance of protecting children’s online privacy. Our websites are intended for a general audience and are not directed to children. We do not knowingly collect personal information online from children under the age of 13 unless required to provide the requested services.
11. HOW TO CONTACT US
Chief Privacy Officer
Crowd-Safe by Transformative Healthcare
275 Grove Street – Suite 2-400
Newton, MA 02466
12. BIOMETRIC DATA RETENTION FOR ILLINOIS RESIDENTS
For Illinois residents, in accordance with Illinois state law Crowd-Safe will retain biometric data only until the occurrence of the first of the following:
(a) The initial purpose for collecting or obtaining such biometric data has been satisfied
(b) Three years following your last interaction with Crowd-Safe
13. NOTICE TO CALIFORNIA USERS
The information provided in this section applies only to California residents.
We are required by the California Consumer Privacy Act of 2018 (“CCPA”) to provide an explanation of the rights and choices we offer California residents regarding our handling of their personal information, along with information regarding the categories of personal information we collect, use and share.
A. CALIFORNIA RESIDENTS’ PRIVACY RIGHTS
The CCPA grants California residents the following rights:
·Information. You can request information about how we have collected, used and shared and used your personal information during the past 12 months.
·Access. You can request a copy of the personal information that we maintain about you.
·Deletion. You can ask us to delete the personal information that we collected or maintain about you.
Please note that the CCPA limits these rights by, for example, prohibiting us from providing certain sensitive information in response to an access request and limiting the circumstances in which we must comply with a deletion request. If we deny your request, we will communicate our decision to you. You are entitled to exercise the rights described above free from discrimination.
B. HOW TO SUBMIT A REQUEST
·To request access to or deletion of personal information from our databases:
•Send an email to us at: [email protected].
·Identity verification. CCPA requires us to verify the identity of the individual submitting a request for their personal information before providing a substantive response to the request. Because we take the privacy and security of your personal information seriously, we will verify your identity by asking you to both (a) provide certain information about yourself, and then (b) provide us with a notarized affidavit. Once your identity is verified, we will work to provide you with your requested information in a timely manner.
·Authorized agents. California residents can empower an “authorized agent” to submit requests on their behalf. To protect your privacy we will require the authorized agent to have a written authorization confirming that authority.
C. PERSONAL INFORMATION THAT WE COLLECT, USE AND SHARE
Crowd-Safe will never sell or rent your personal information.
We describe the sources through which we collect Personal Information in Section 1, Information We Obtain, above. We describe the purposes for which we use and share this information in Section 2, How We Use the Information We Obtain, above, and Section 3, Information We Share.
14. DIAGNOSTIC TESTING, VACCINE ADMINISTRATION & CROWD-SAFE
Transformative Healthcare provides a range of diagnostic testing and vaccination services, tracked and managed using proprietary and HIPAA compliant testing and vaccine administration software. Crowd-Safe is a HIPAA compliant web-based service that enables individuals to securely submit and share their vaccination or test result status with employers to indicate eligibility for work or for statistical reporting purposes, or to employers and other organizations to gain access to facilities or event venues. Crowd-Safe may collect, use or share personal health information, such as responses to a health symptom and exposure questionnaire, the results of a body temperature check, vaccination status and/or diagnostic test results. We may receive such health information from you directly or from third parties (such as health care providers or labs) that are permitted to share this information with us. We may also share your health information with third parties (such as health care providers, labs, state vaccination registries) if required to deliver the services we provide.
If you use the Crowd-Safe, we may use your health information or information derived from this data to operate and administer Crowd-Safe’s services, to evaluate and improve our service, as well as for the purposes set forth above in Section 2A. Additionally we may share health information we obtain about you or information based on this information with your employer or with locations that use the Crowd-Safe platform, solely for the purpose of managing authorization to work or granting access to buildings or venues as allowed by law. We may also share de-identified information with public interest organizations, health care organizations and researchers. We will prohibit these organizations from attempting to re-identify the information we share with them.