Coral Technology has adopted the following privacy principles:
- Data Minimization. Coral Technology will collect the minimal amount of information necessary from individuals and businesses consistent with legal requirements.
- Transparency. Notice covering the purpose of the collection and use of identifiable information will be provided in a clear manner. Information collected will not be used for any other purpose unless authorized or mandated by law.
- Accuracy. Information collected will be maintained in a sufficiently accurate, timely, and complete manner to ensure that the interests of the individuals and businesses are protected.
- Security. Adequate physical and IT security measures will be implemented to ensure that the collection, use, and maintenance of identifiable information is properly safeguarded and the information is promptly destroyed in accordance with approved records control schedules.
Information the Company Collects
- Personally Identifiable Information. This is data which is provided by Coral Technology's employees or customers and can be used to identify, locate, or contact an individual and includes information like name, date of birth, place of residence, credit card information, phone number, race, gender, criminal record, age, and medical records. We do not disclose, give, sell, or transfer any personal information about our visitors, unless required for law enforcement or statute.
- Non-Personal Information. We may also collect non-personal information for the purposes of operating and improving our website. For example, we collect technical and usage information, such as your Internet Protocol (IP) address, date and time you accessed our website, browser type and referring URL. This information will be used to create summary statistics, which are used for such purposes as assessing what information is of most and least interest, determining technical design specifications and identifying system performance or problem areas.
Purpose and Use of Information Collected
The only information that is automatically collected and stored is:
- The name of the domain from which you access Coral Technology's websites.
- The date and time of your visit.
- The pages you visit on Coral Technology's websites.
- The type of browser and operating system used to access our site.
- The Internet address of the website you came from if it linked you directly to Coral Technology's websites.
- Search terms that you entered into Coral Technology's website search tool.
If your browser accepts cookies, we may use a session cookie to learn how many different visitors come to Coral Technology's websites. This information is used for statistical purposes to monitor and enhance our web pages.
The following list is not intended to be exhaustive, but should provide the company with guidelines on what type of information is typically considered confidential. Confidential data can include:
- Employee or customer social security numbers or personal information
- Medical and healthcare information
- Electronic Protected Health Information (EPHI)
- Customer data
- Company financial data (if company is closely held)
- Sales forecasts
- Product and/or service plans, details, and schematics
- Network diagrams and security configurations
- Communications about corporate legal matters
- Bank account information and routing numbers
- Payroll information
- Credit card information
- Any confidential data held for a third party (be sure to adhere to any confidential data agreement covering such information)
Storage, Transmission and Destruction of Confidential Data
For clarity, the following sections on storage, transmission, and destruction of confidential data are restated from the Data Classification Policy.
Confidential information must be removed from desks, computer screens, and common areas unless it is currently in use. Confidential information should be stored under lock and key (or keycard/keypad), with the key, keycard, or code secured.
Confidential data must not be 1) transmitted outside the company network without the use of strong encryption, or 2) left on voicemail systems, either inside or outside the company's network.
Confidential data must be destroyed in a manner that makes recovery of the information impossible. The following guidelines apply:
- Paper/documents: cross-cut shredding is required.
- Storage media (CDs, DVDs): physical destruction is required.
- Hard Drives/Systems/Mobile Storage Media: at a minimum, data wiping must be used. Simply reformatting a drive does not make the data unrecoverable. If wiping is used, the company must use the most secure commercially-available methods for data wiping. Alternatively, the company has the option of physically destroying the storage media.
Use of Confidential Data
A successful confidential data policy is dependent on the users knowing and adhering to the company's standards involving the treatment of confidential data. The following applies to how users must interact with confidential data:
- Users must be advised of any confidential data to which they have been granted access. Such data must be marked or otherwise designated "confidential."
- Users must only access confidential data to perform their job functions.
- Users must not seek personal benefit, or assist others in seeking personal benefit, from the use of confidential information.
- Users must protect any confidential information to which they have been granted access and not reveal, release, share, email unencrypted, exhibit, display, distribute, or discuss the information unless necessary to do their jobs or the action is approved by their supervisor.
- Users must report any suspected misuse or unauthorized disclosure of confidential information immediately to their supervisor.
- If confidential information is shared with third parties, such as contractors or vendors, a confidential information or non-disclosure agreement must govern the third parties' use of confidential information. Refer to the company's outsourcing policy for additional guidance.
Security Controls for Confidential Data
Confidential data requires additional security controls in order to ensure its integrity. The company requires that the following guidelines are followed:
- Strong Encryption. Strong encryption must be used for confidential data transmitted external to the company. If confidential data is stored on laptops or other mobile devices, it must be stored in encrypted form.
- Network Segmentation. Separating confidential data by network segmentation is strongly encouraged.
- Authentication. Strong passwords must be used for access to confidential data.
- Physical Security. Systems that contain confidential data should be reasonably secured.
- Printing. When printing confidential data the user should use best efforts to ensure that the information is not viewed by others. Printers that are used for confidential data must be located in secured areas.
- Faxing. When faxing confidential data, users must use cover sheets that inform the recipient that the information is confidential. Faxes should be set to print a confirmation page after a fax is sent; and the user should attach this page to the confidential data if it is to be stored. Fax machines that are regularly used for sending and/or receiving confidential data must be located in secured areas.
- Emailing. Confidential data must not be emailed outside the company without the use of strong encryption.
- Mailing. If confidential information is sent outside the company, the user must use a service that requires a signature for receipt of that information.
- Discussion. When confidential information is discussed it should be done in non-public places, and where the discussion cannot be overheard.
- Confidential data must be removed from documents unless its inclusion is absolutely necessary.
- Confidential data must never be stored on non-company-provided machines (i.e., home computers).
- If confidential data is written on a whiteboard or other physical presentation tool, the data must be erased after the meeting is concluded.
Emergency Access to Data
A procedure for accessing confidential and critical data during an emergency is often a good idea if the company handles information that is integral to the health, well-being, or protection of other persons or entities. If the company maintains this type of data, it should consider establishing such a procedure in case the normal mechanism for access to the data becomes unavailable or disabled due to system or network problems.
Last update: June 29, 2022