Internet Testing Systems understands the importance of data security and takes its responsibility to protect stakeholder data seriously. The following statement outlines the approach we take to ensure compliance with principles defined in the General Data Protection Regulation (GDPR).
Roles and Services
Internet Testing Systems provides assessment services for assessment sponsor partners. The assessment sponsor is the company or organization that owns the assessment content and data. Assessments, including surveys, quizzes, and tests, are delivered on Internet Testing Systems servers.
Internet Testing Systems functions as a data processor for partners, providing delivery and result/data feed services as requested. Internet Testing Systems maintains data required to perform these services, including allowing partners to access data on Internet Testing Systems servers or sending the data to the partners for input into systems they maintain.
Adequate Assurances of Data Protection
Internet Testing Systems makes adequate assurances of data protection via participation in the EU-U.S. Privacy Shield program. Internet Testing Systems complies with the EU-U.S. Privacy Shield framework with respect to the collection, processing and retention of personal information transferred from the EU to the United States. More information can be found at https://www.privacyshield.gov/ and https://www.testsys.com/privacy.
Internet Testing Systems uses this information and data internally to deliver the assessment, analyze the outcome, and provide reporting. This information is shared with the assessment sponsor.
By taking an assessment provided by Internet Testing Systems, users agree to information and data being transmitted to the applicable assessment sponsor. Assessment sponsors have their own privacy policies, so please reference those for any additional use cases for information and data beyond transmission between Internet Testing Systems and the assessment sponsor.
Internet Testing Systems uses this information internally to associate products and assessments with the user profile. This information is shared with the assessment sponsor as required.
If a credit card is used to make a purchase, Internet Testing Systems does not retain a copy of the card number. A secure credit card handling service is used to process the transaction.
Users can always choose not to provide information. However, if users choose not to provide essential information they might not be able to make an online purchase.
Internet Testing Systems only collects data as required by the assessment sponsor. As such, all data collected is required to administer an exam, so users who do not wish to provide the data will not be able to sit for an assessment. A user may elect to request the removal of all data collected in conjunction with an assessment after the assessment has been given.
Data Storage and Transfer
Information and data collected by Internet Testing Systems is stored on servers in the United States. Data is only shared with assessment sponsors, but those sponsors may be in the United States or many other countries, so the data may be transmitted around the world. By taking an assessment or purchasing products through our catalogs, users are consenting to this transmission.
All data collected by Internet Testing Systems is treated as confidential and is subject to our data protection standards. Access to the data, including database access, server access, and site access, is strictly limited on a need-to-know basis. Users are required to use unique IDs and strong passwords for site access, and an additional second authentication factor for server or database access.
Servers used for data storage reside in a secure Production facility. Industry-standard physical access controls are in place. Industry-standard firewall technology is employed at the perimeter of the Production network. The firewall is connected to the Internet Gateway’s load balancer, which decrypts all HTTPS traffic before packets encounter the firewall. A passive backup firewall is connected to the network at all times. The Production network also includes an integrated Intrusion Detection System (IDS). All ingress, egress and lateral traffic is mirrored to the IDS device. Issues and threats are monitored and addressed in real time.
Data stored by Internet Testing Systems is stored securely. Data is encrypted at rest.
Data collected for assessment services and purchases is transmitted from the end user machine to the Production data center via a secure HTTPS connection. Data stored by Internet Testing Systems can be transmitted to the Internet Testing Systems Corporate network for data services requested by the partner, to the partner for processing into their systems, or to a secure Amazon S3 bucket for backup storage. All transfers of data occur using secure methods, such as HTTPS or SFTP. Data is encrypted in transit.
Internet Testing Systems does not sell or rent any personal information or data that it collects. Information and data is only shared with the assessment sponsor. Internet Testing Systems does not transfer personal data to third party agents.
Internet Testing Systems maintains data classification, data management, and hardware management policies. All policies are reviewed at least annually. Internet Testing Systems employees receive training on security best practices and are expected to adhere to all security policies at all times, including policies limiting access to data and prohibiting unapproved storage or transmission of data.
User Data Rights
Internet Testing Systems maintains information and data as requested by the assessment sponsor, which is usually indefinitely. Internet Testing Systems will act in good faith to provide information we have. This policy only applies to information held by Internet Testing Systems. Information transmitted to assessment sponsors or held by other content owners is not covered in this policy, so privacy policies for assessment sponsors should be reviewed to determine access policies for those sponsors.
Users may opt-out of an assessment by declining the user agreement, when available. Users may also opt-out of providing all information requested by the assessment sponsor, but doing so may result in the user being unable to take the assessment.
Users may request their personal information for review or to correct or delete any information Internet Testing Systems retains by sending an email request to firstname.lastname@example.org. Internet Testing Systems is required to obtain partner agreement before removing or modifying data.
Internet Testing Systems is committed to addressing reasonable requests within 60 days.
Internet Testing Systems notifies assessment partners of any data or security breaches as specified in the contract with the partner. Timelines for notification vary by program and partner. Internet Testing Systems will work with our partners to determine processes for user notification, depending on the severity and impact of the data breach.
Risk and Compliance
The risk of negative impact to users based on data collection by Internet Testing Systems is low. The data collected is applicable to assessment services specifically. None of the data collected by Internet Testing Systems could be used to put the rights or freedoms of users at risk.
Internet Testing Systems complies with the expectations of a processor as described in Article 28 of the GDPR. Internet Testing Systems implements appropriate technical and organizational measures to ensure the protection of the rights of the data subject. Processing is governed by a contract with the assessment partner. All processing is done to perform assessment services and transfers are only made between Internet Testing Systems and the assessment partner. Data is securely stored and transferred. Internet Testing Systems works closely with partners to ensure proper technical and organizational measures are reviewed, maintained, and updated as needed to ensure continued data security.
Changes to This Policy
Internet Testing Systems reserves the right to change or modify this policy at any time. If the policy is changed, the new version will be posted to our website and the last modified date will be updated.
Last updated: March 2018