Nested Knowledge

Bringing Systematic Review to Life

User Tools

Site Tools


wiki:policies:third_party

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
wiki:policies:third_party [2023/09/29 02:22]
kholub
wiki:policies:third_party [2024/06/24 18:11] (current)
kholub
Line 1: Line 1:
-====== Third-Party Services Policy ======+====== Third-Party Services and Subprocessors Policy ======
  
 ===== I. Purpose ===== ===== I. Purpose =====
Line 29: Line 29:
 Subprocessors handle user data processing tasks on behalf of the software application. Subprocessors handle user data processing tasks on behalf of the software application.
  
-^Name (Manufacturer)^ \\ Data Processing Agreement^Critical to application?^Purpose^Data Processed| +^Name (Manufacturer)^ \\ Data Processing Agreement^Critical to application?^Purpose^Data Processed^Country
-|Airplane.dev|Signed, available upon request \\  \\ [[https://airplane.dev|https://airplane.dev]]| \\ No|Internal customer support applications|User emails and billing data| +|Abstra|Signed, available upon request \\  \\ [[https://www.abstra.io/|https://www.abstra.io/]]|No|Internal customer support applications|User emails and billing data|Brazil
-|Auth0|[[https://cdn.auth0.com/website/legal/files/dpa/data-processing-addendum-8-20.pdf?_ga=2.258302026.118688053.1602587623-55110928.1602587623|Auth0 DPA]]|Yes|Authentication of user accounts|User emails & credentials+|Auth0|[[https://cdn.auth0.com/website/legal/files/dpa/data-processing-addendum-8-20.pdf?_ga=2.258302026.118688053.1602587623-55110928.1602587623|Auth0 DPA]]|Yes|authentication of users accounts for the NK application.\\ User email and password or social login account identifiers and Login history|United States
-|HubSpot|[[https://legal.hubspot.com/dpa|https://legal.hubspot.com/dpa]]|No|Send release and marketing emails to users|User emails+|HubSpot|[[https://legal.hubspot.com/dpa|https://legal.hubspot.com/dpa]]|No|Send release and marketing emails to users|Full name and email addresses of users. \\ Users can have their personal or organizational data deleted at any time. All user data is deleted from HubSpot if an account is deleted.|MA, United States
-|Metabase|[[https://www.metabase.com/license/hosting|https://www.metabase.com/license/hosting]]|No|User analytics|User accounts & activity| +|Metabase|[[https://www.metabase.com/license/hosting|https://www.metabase.com/license/hosting]]|No|User analytics|User accounts & activity|United States
-|OpenAI|Signed, available upon request|No|Screening model features|Record abstracts| +|OpenAI|Signed, available upon request|No|Screening model features|Record abstracts|United States
-|Scite|[[https://scite.ai/policy|https://scite.ai/policy]]|No|Screening model features, record display badge|Record DOIs| +|Scite|[[https://scite.ai/policy|https://scite.ai/policy]]|No|Screening model features, record display badge|Record DOIs|United States
-|Stripe|[[https://stripe.com/legal/dpa|https://stripe.com/legal/dpa]]|No|Payment services|User email, location, subscription, and payment details|+|Stripe|[[https://stripe.com/legal/dpa|https://stripe.com/legal/dpa]]|No|Payment services|User email, location, subscription, and payment details|United States|
  
 ==== List of Infrastructure Providers ==== ==== List of Infrastructure Providers ====
Line 42: Line 42:
 Infrastructure Providers house the physical hardware used to run the application. These providers do not process user data, although they contain it. Infrastructure Providers house the physical hardware used to run the application. These providers do not process user data, although they contain it.
  
-^Name (Manufacturer)^Data Processing Agreement^Purpose| +^Name (Manufacturer)^Data Processing Agreement^Purpose^Data Processed
-|AWS (Amazon)|[[https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.html|https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.html]]|Production Infrastructure (servers, services, databases)| +|AWS (Amazon)|[[https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.html|https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.html]]| \\ Production Infrastructure (servers, services, databases)|All user accounts and data generated on the NK application are stored in databases in AWS, behind a firewall (VPC). This data, including personal information, is not shared with AWS in a structured or meaningful way, instead only being processed by NK application code within the VPC.
-|GCP (Alphabet)|[[https://cloud.google.com/terms/data-processing-addendum|https://cloud.google.com/terms/data-processing-addendum]]|Storage of production database backups|+|GCP (Alphabet)|[[https://cloud.google.com/terms/data-processing-addendum|https://cloud.google.com/terms/data-processing-addendum]]|Storage of production database backups|
  
 ==== List of third-party providers ==== ==== List of third-party providers ====
Line 67: Line 67:
  
 We will document roles. responsibilities, and controls between Nested Knowledge and third parties, where applicable. Documentation and risk assessment should be stored in our filesystem drive in the respective directory for the third party provider. We will document roles. responsibilities, and controls between Nested Knowledge and third parties, where applicable. Documentation and risk assessment should be stored in our filesystem drive in the respective directory for the third party provider.
 +
 +Upon client request, disclosure of all contracts with third party service providers where such third party service providers are involved in the client's deliverables shall be made.
  
 ==== Compliance and Updates ==== ==== Compliance and Updates ====
Line 74: Line 76:
 ==== Communicating Updates ==== ==== Communicating Updates ====
  
-When new third party vendors are to be added, data supplied to vendors is to change, or the vendor's processing agreement are to change, all users will be notified via email with at least 7 days notice.+When new third party sub-processors are to be added, data supplied to vendors is to change, or the vendor's processing agreement are to change, all affected users will be notified via email with at least 7 days notice. 
 + 
 +==== Termination of Services ==== 
 + 
 +When Nested Knowledge terminates a contract with a sub-processor, within 60 days we will request deletion of all personal data. Nested Knowledge will review the data deletion/backup retention policies of our sub-processor and inquire about practices if it is not sufficently documented. 
 + 
 +===== V. Third-Party Provider Data Breaches ===== 
 + 
 +^Timestamp^Event^Description^Reporting^Status| 
 +| \\ 07-13-2023 - \\  \\ 07-28-2023|Detection of vulnerabilities|Vulnerabilities with the H2 database.|[[https://www.metabase.com/blog/security-incident-summary|Metabase Post-Mortem]]|No impact on Nested Knowledge data as Nested Knowledge is a Metabase's Cloud customer.| 
 +| \\ 03-20-2023 1:00AM PT - \\  \\ 03-20-2023 10:00 AM PT|Leakage of other users' personal data|Other active users name, email address, credit card number, and credit card expiration date were visible to active Open AI users managing their subscriptions.|[[https://openai.com/blog/march-20-chatgpt-outage|Open AI Statement]]|No impact on Nested Knowledge data.| 
 +|03-18-2023|Compromised employee account|Affected 30 accounts in the Cryptocurrent industry.|[[https://ir.hubspot.com/news/hubspots-statement-regarding-march-18-2022-security-incident|Hubspot statement]]|No impact on Nested Knowledge data.|
  
 ===== Revision History ===== ===== Revision History =====
Line 81: Line 94:
 |K. Kallmes|1/26/2023|Reviewed| |K. Kallmes|1/26/2023|Reviewed|
 |K. Cowie|1/26/2023|Drafted| |K. Cowie|1/26/2023|Drafted|
-|K. Holub|9/28/2023|Monitoring updates|+|K. Holub|6/24/2024|Updating subprocessors (remove Airplane.dev)|
  
 [[:wiki:policies|Return to Policies]] [[:wiki:policies|Return to Policies]]
  
  
wiki/policies/third_party.1695954168.txt.gz · Last modified: 2023/09/29 02:22 by kholub