Dated: 4/6/2020

1. Purpose

Captivated must restrict access to confidential and sensitive data to protect it from being lost or compromised in order to avoid adversely impacting our customers, incurring penalties for non-compliance and suffering damage to our reputation. At the same time, we must ensure users can access data as required for them to work effectively.

2. Scope

2.1 In Scope This data security policy applies all customer data, personal data, or other company data defined as sensitive by the company’s data classification policy. Therefore, it applies to every server, database and IT system that handles such data, including any device that is regularly used for email, web access or other work-related tasks. Every user who interacts with company IT services is also subject to this policy.

2.2 Out of Scope Information that is classified as Public is not subject to this policy. Other data can be excluded from the policy. Information that is classified as Public is not subject to this policy. Other data can be excluded from the policy by company management based on specific business needs, such as that protecting the data is too costly or too complex.

3. Policy

3.1 Principles  The company shall provide all employees and contracted third parties with access to the information they need to carry out their responsibilities in the most effective and efficient manner possible.

3.2 General

    • Each user shall be identified by a unique user ID so that individuals can be held accountable for their actions
    • The use of shared identities with access to Captivated is strictly prohibited
    • Each user shall read this data security policy and the login and logoff guidelines, and sign a statement that they understand the conditions of access.
    • Access shall be granted based on the principle of least privilege, which means that each user will be granted the fewest privileges necessary to complete their tasks.

3.3 Access Control authorizations  Access to company programming resources and services will only be given through the provision of a unique user account and complex password. Accounts are provided by Senior Management or our CTO.

3.4 Network Access

    • All employees/1099 contractors shall be given network access in accordance with business access control procedures and the least-privilege principle.
    • All staff or temporary contractors who have remote access to Captivated shall be restricted by the same login privileges as if they were on-site at the Captivated office.

3.5 User Responsibilities

    • All users must lock their screens whenever they leave their desks to reduce the risk of unauthorized access.
    • All users must keep their passwords confidential and not share them.

3.6 Access to Confidential, Restricted information

    • Access to data classified as ‘Confidential’ or ‘Restricted’ shall be limited to authorized persons whose job responsibilities require it, as determined by this policy or determined by senior management.
    • The responsibility to implement access restrictions lies with the CTO and President ONLY.
    • Any and all customer data is considered confidential and any assistance with data imports shall be handled only by designated Captivated personnel.

4. Customer Logins and Permissions

    • Logins to customer accounts must be approved by the designated admin for each account and approval must be recorded within the Captivated system.
    • Permission levels for new users must be approved by the designated admin for each account and must be recorded within the Captivated support system.
    • New-users must use the New Password or Password Reset process that is built into the Captivated technology.
    • Remote assistance and or invitations to screen share must be at the written request of the subscriber.
    • Permission to use the following require Administrative approval at the subscriber account level and those approvals must be recorded within the Captivated support system:
      • Text-to-pay (payment requests)
      • Location requests
      • Secure-Chat requests
      • Secure Video-Chat requests

5. Reporting Requirements

    • Any data concerns or suspected breach in security must be reported to senior management immediately.
    • Unusual support requests through the Captivated Support Chat regarding data or data access should be noted in the customer record and reported to support management immediately.
    • Any requests for additional permission or access by users should be noted in the customer support record.
    • Approval of additional access (example: Member to Manager or Manager to Admin, should be duly noted in the customer record and received in writing in the chat request.

6. Responsibilities & Roles

    • Support Specialist is an employee designated by Captivated to support our customers through our own internal chat tool to receive requests from our customers. Support specialists must be proactively aware of odd requests on behalf of the subscriber’s users and must escalate any concerns regarding the security of our subscriber’s data.
    • Trainers include everyone who does online sessions using the current solution provided by Captivated and has the customer share their screen for the purposes of onboarding or follow-up training. If subscribers are sharing their screens for these purposes, the session may not be recorded.
    • Senior Management is defined as any Director or higher level that supervises onboarding, support or training. It is mandatory that this role is proactive in teaching, promoting, and enforcing any and all, future and past, security and data policies.

7. Enforcement

    • All infractions of this security policy are cause for immediate termination by the company without further cause.
    • Senior managers may choose, with the approval of the President, must write up all personnel for any infraction of this policy as an alternative to termination.

8. Related Security Links to our Technology Stack/Vendor Partners: