SECURITY POLICY

Visible Network Labs ("VNL", "we", "our", "us") developed the visiblenetworklabs.com and partnertool.net websites ("Website", "Services") to help you solve complex problems through our comprehensive PARTNER Platform that provides all the tools, data and services in one place to help you measure, visualize and track key relationships and connections (personal and inter-organizational). We understand how important securing your data is and we take reasonable steps to protect your information as if it were our own.

All communication between your browser and our servers is encrypted over HTTPS. Data is recorded into a database running on a password-protected, HIPAA-compliant Google Compute Engine server located in the United States. The data is only accessible through the visiblenetworklabs.com web interface and requires a valid login. The web interface has a valid SSL certificate so that no cleartext data will be transmitted.

Our web interface has five access levels with varying levels of access to data:

PARTNER CPRM:

Unless a manager opts out of inclusion, data are added to our larger PARTNER dataset of cross-sector interorganizational data. We retain all the data, coded by their organizational names (participant contact information is not retained for this dataset). Data are identifiable only to VNL employees, contractors, research partners, and affiliated organizations (no organization names are made public without express permission, which can be given by the manager or the organization that answered the survey). Organizations may be displayed on the data dashboards/visualizations as coded nodes in network maps (for example, coded as a “nonprofit organization”). All data are grouped into one large dataset that is used for network research and general knowledge on networks, and to feed into the online data dashboards.

As a result, we maintain the largest whole network dataset collected using the same survey and methodology. VNL uses that data to conduct descriptive and inferential analysis in exploration of cross-sector network impact and effectiveness to enhance practice. We value privacy at VNL and can make any exceptions and/or exclude your data altogether if you choose not to contribute to this dataset. Electing to exclude your data from the larger dataset does not prohibit use of PARTNER.

PARTNERme:

Visible Network Labs has safeguards in place to guarantee the privacy, integrity, and security of PHI. VNL has set up the necessary infrastructure of personnel, procedures, and systems to 1) develop and implement the necessary HIPAA policies; 2) monitor, audit, and review compliance with all HIPAA policies; and 3) provide a mechanism for reporting incidents and HIPAA security violations.

VNL employees take annual HIPAA training and follow a set of policies and procedures to ensure those safeguards are followed on the VNL side. VNL performs annual audits (IT Risk, HIPAA Physical Site, HIPAA Security, HITECH Breach Notification, and Device audits) to ensure we remain in compliance. VNL continuously monitors its compliance with HIPAA security standards by conducting security assessments. Assessments determine whether security controls have been properly implemented. When risk assessments are complete, VNL implements risk management to remediate flaws revealed by the assessment.

VNL signs BAAs with all Covered Entities (Account Owners) to document the protection of patient privacy and security. Account Owners are also responsible for implementing their own safeguards against using or sharing PHI when it is not required to perform job responsibilities.

Payments:

All payments are securely managed with full PCI-compliance through Stripe, the industry standard. We do not store any sensitive billing information on our own servers. We do not receive or store credit card information on our servers. These transactions and Stripe's use of your personal information are governed by their privacy policy (available at stripe.com/privacy).

Contingency Plan, Disaster Recovery Plan:

VNL has the necessary contingency, disaster recovery and data backup plans in place to account for situations that may disrupt business continuity. Because our software is hosted on a well-established Cloud provider with strict security policies and built-in storage and network redundancy, the risk of a disaster is lower than it would be if we were hosting our own website. We still recognize that there are extenuating circumstances that can cause a disaster and we have plans in place should they ever occur.

Incident Management Plan

VNL has in place a comprehensive incident management plan designed to respond to any event where users' personal information may have been compromised and to inform those users (account owners, collaborators, and participants). If any PHI is involved in an incident, VNL will notify all relevant parties within the required timeframe per law (notification to individuals, media, Secretary, etc.).

Plan for a data breach:

  1. VNL staff and/or partners immediately alert VNL leadership of the breach
    1. An email sent to security@visiblenetworklabs.com will trigger immediate communication of the issue to appropriate parties.
  2. VNL quickly assembles the internal team and leadership of associated parties to identify the source and extent of the breach (within the hour).
    1. This includes reaching out immediately to customer administrators about the issue if their user information has been breached.
  3. Immediate solutions are implemented to prevent breach expansion
    1. Examples include:
      1. Immediate patches
      2. Disabled network access
      3. Resetting passwords
      4. Other relevant means
  4. Assess extent, severity, and impact of breach
    1. Identify and gather information of all impacted parties (if user information was accessed)
    2. Clarify exactly what information has been accessed and the sensitivity of that information
    3. Identify the nature and possible intent of the breach to clarify next steps (i.e., human error vs. malicious hacking)
    4. Bring in legal support as needed
  5. If applicable, proactively and quickly notify impacted individuals
    1. Provide password reset information or other protections
    2. Continue to follow up with clear information as changes are made
  6. After immediate steps have been taken, bring the team together to clarify actions to prevent further breaches. This meeting should take place within one week of the initial breach identification.

Data Security Policy Changes

Although most changes are likely to be minor, Visible Network Labs may change its Security Policy from time to time, at Visible Network Labs’ sole discretion. Visible Network Labs encourages visitors to frequently check this page for any changes to its Security Policy. Your continued use of this site after any change in this Security Policy will constitute your acceptance of such change.

Effective Date: March 9, 2018
Updated Date: October 12, 2022

Questions?

If you have any questions about our security policy, you can contact us by email at security@visiblenetworklabs.com or by mail using the following address:

By mail:
Visible Network Labs Inc.
Attn: Security
8045 Flower Court
Arvada, CO 80005