Nested Knowledge

Bringing Systematic Review to Life

wiki:policies:third_party

Differences

This shows you the differences between two versions of the page.

wiki:policies:third_party [2023/08/30 21:46]
kholub
wiki:policies:third_party [2024/03/05 14:48] (current)
katcow
Line 1: Line 1:
-====== Third-Party Services Policy ======+====== Third-Party Services and Subprocessors Policy ======
  
 ===== I. Purpose ===== ===== I. Purpose =====
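Review bot: The retitled heading on the first line spells the term "Subprocessors", while the section headings and body further down use "Sub-processors" and "sub-processor"; pick one spelling for the page title and the section headings so cross-references and searches for the policy match.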
Line 22: Line 22:
   * Disclose the security incident to users.   * Disclose the security incident to users.
   * If applicable, we escalate to clients by following the chain on communication described in our service license agreement.   * If applicable, we escalate to clients by following the chain on communication described in our service license agreement.
 +
 +Third party processors are similarly monitored for policy changes, specifically with regard to changes impacting [[:wiki:policies:regulatory|regulatory requirements]].
  
 ==== Summary of Sub-processors ==== ==== Summary of Sub-processors ====
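Review bot: The sentence added at the end of this hunk ("Third party processors are similarly monitored for policy changes ...") states that monitoring happens but not who performs it, how often, or where the outcome is recorded; the bullets just above name concrete actions (disclose to users, escalate per the service license agreement), so this sentence should name an owner and a review cadence and say where a detected change to a sub-processor's regulatory posture is logged. Separately, the unchanged context line reads "chain on communication"; "chain of communication" is intended.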
Line 27: Line 29:
 Subprocessors handle user data processing tasks on behalf of the software application. Subprocessors handle user data processing tasks on behalf of the software application.
  
-^Name (Manufacturer)^ \\ Data Processing Agreement^Critical to application?^Purpose^Data Processed| +^Name (Manufacturer)^ \\ Data Processing Agreement^Critical to application?^Purpose^Data Processed^Country
-|Airplane.dev|Signed, available upon request \\  \\ [[https://airplane.dev|https://airplane.dev]]| \\ No|Internal customer support applications|User emails and billing data| +|Airplane.dev|Signed, available upon request \\  \\ [[https://airplane.dev|https://airplane.dev]]| \\ No|Internal customer support applications|User emails and billing data|CA, United States| 
-|Auth0|[[https://cdn.auth0.com/website/legal/files/dpa/data-processing-addendum-8-20.pdf?_ga=2.258302026.118688053.1602587623-55110928.1602587623|Auth0 DPA]]|Yes|Authentication of user accounts|User emails & credentials+|Abstra|Signed, available upon request \\  \\ [[https://www.abstra.io/|https://www.abstra.io/]]|No|Internal customer support applications|User emails and billing data|Brazil
-|HubSpot|[[https://legal.hubspot.com/dpa|https://legal.hubspot.com/dpa]]|No|Send release and marketing emails to users|User emails+|Auth0|[[https://cdn.auth0.com/website/legal/files/dpa/data-processing-addendum-8-20.pdf?_ga=2.258302026.118688053.1602587623-55110928.1602587623|Auth0 DPA]]|Yes|authentication of users accounts for the NK application.\\ User email and password or social login account identifiers and Login history|United States
-|Metabase|[[https://www.metabase.com/license/hosting|https://www.metabase.com/license/hosting]]|No|User analytics|User accounts & activity| +|HubSpot|[[https://legal.hubspot.com/dpa|https://legal.hubspot.com/dpa]]|No|Send release and marketing emails to users|Full name and email addresses of users. \\ Users can have their personal or organizational data deleted at any time. All user data is deleted from HubSpot if an account is deleted.|MA, United States
-|OpenAI|Signed, available upon request|No|Screening model features|Record abstracts| +|Metabase|[[https://www.metabase.com/license/hosting|https://www.metabase.com/license/hosting]]|No|User analytics|User accounts & activity|United States
-|Scite|[[https://scite.ai/policy|https://scite.ai/policy]]|No|Screening model features, record display badge|Record DOIs| +|OpenAI|Signed, available upon request|No|Screening model features|Record abstracts|United States
-|Stripe|[[https://stripe.com/legal/dpa|https://stripe.com/legal/dpa]]|No|Payment services|User email, location, subscription, and payment details|+|Scite|[[https://scite.ai/policy|https://scite.ai/policy]]|No|Screening model features, record display badge|Record DOIs|United States
 +|Stripe|[[https://stripe.com/legal/dpa|https://stripe.com/legal/dpa]]|No|Payment services|User email, location, subscription, and payment details|United States|
  
 ==== List of Infrastructure Providers ==== ==== List of Infrastructure Providers ====
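Review bot: The Auth0 row in the new table merges the Purpose and Data Processed cells: after `|Yes|authentication of users accounts for the NK application.` the text continues with `\\ User email and password ...` instead of a `|` cell separator, so the row has one cell fewer than the header and "United States" lands under Data Processed rather than under the new Country column; replace that `\\` with `|`. The new header row and the Abstra through Scite rows also drop the trailing `|`/`^` that the removed rows and the Stripe row keep, and DokuWiki expects every table row to end with that delimiter. Since the Country column exists to support the regulatory-requirements cross-reference above, consider also recording the execution date of each "Signed, available upon request" agreement so it can be tied to a review cycle.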
Line 40: Line 43:
 Infrastructure Providers house the physical hardware used to run the application. These providers do not process user data, although they contain it. Infrastructure Providers house the physical hardware used to run the application. These providers do not process user data, although they contain it.
  
-^Name (Manufacturer)^Data Processing Agreement^Purpose| +^Name (Manufacturer)^Data Processing Agreement^Purpose^Data Processed
-|AWS (Amazon)|[[https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.html|https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.html]]|Production Infrastructure (servers, services, databases)| +|AWS (Amazon)|[[https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.html|https://docs.aws.amazon.com/whitepapers/latest/navigating-gdpr-compliance/aws-data-processing-addendum-dpa.html]]| \\ Production Infrastructure (servers, services, databases)|All user accounts and data generated on the NK application are stored in databases in AWS, behind a firewall (VPC). This data, including personal information, is not shared with AWS in a structured or meaningful way, instead only being processed by NK application code within the VPC.
-|GCP (Alphabet)|[[https://cloud.google.com/terms/data-processing-addendum|https://cloud.google.com/terms/data-processing-addendum]]|Storage of production database backups|+|GCP (Alphabet)|[[https://cloud.google.com/terms/data-processing-addendum|https://cloud.google.com/terms/data-processing-addendum]]|Storage of production database backups|
  
 ==== List of third-party providers ==== ==== List of third-party providers ====
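Review bot: The GCP row on the last line of this hunk has no value for the Data Processed column that the new header adds, even though its stated purpose is "Storage of production database backups", i.e. a copy of the same user accounts and data the AWS row describes; fill in the cell with what the backups contain and how they are protected (encryption at rest, key custody, retention period), because a backup copy held outside the AWS VPC is not covered by the "behind a firewall (VPC)" statement in the AWS row. Minor: the AWS cell calls the VPC a firewall; a VPC is a network boundary, and the security groups and network ACLs inside it are the controls that actually restrict access, so name those if the intent is to describe the control.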
Line 65: Line 68:
  
 We will document roles. responsibilities, and controls between Nested Knowledge and third parties, where applicable. Documentation and risk assessment should be stored in our filesystem drive in the respective directory for the third party provider. We will document roles. responsibilities, and controls between Nested Knowledge and third parties, where applicable. Documentation and risk assessment should be stored in our filesystem drive in the respective directory for the third party provider.
 +
 +Upon client request, disclosure of all contracts with third party service providers where such third party service providers are involved in the client's deliverables shall be made.
  
 ==== Compliance and Updates ==== ==== Compliance and Updates ====
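Review bot: The added sentence ("Upon client request, disclosure of all contracts ... shall be made") is passive and names neither who makes the disclosure nor a response window, whereas the DPA table above already promises that signed agreements are "available upon request"; state the role that handles such requests and a target response time, and clarify whether "all contracts" means the full contract text or the data processing agreement, since full contracts may carry their own confidentiality terms. Also, the unchanged context line reads "roles. responsibilities"; the period should be a comma.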
Line 72: Line 77:
 ==== Communicating Updates ==== ==== Communicating Updates ====
  
-When new third party vendors are to be added, data supplied to vendors is to change, or the vendor's processing agreement are to change, all users will be notified via email with at least 7 days notice.+When new third party sub-processors are to be added, data supplied to vendors is to change, or the vendor's processing agreement are to change, all affected users will be notified via email with at least 7 days notice. 
 + 
 +==== Termination of Services ==== 
 + 
 +When Nested Knowledge terminates a contract with a sub-processor, within 60 days we will request deletion of all personal data. Nested Knowledge will review the data deletion/backup retention policies of our sub-processor and inquire about practices if it is not sufficently documented. 
 + 
 +===== V. Third-Party Provider Data Breaches ===== 
 + 
 +^Timestamp^Event^Description^Reporting^Status| 
 +| \\ 07-13-2023 - \\  \\ 07-28-2023|Detection of vulnerabilities|Vulnerabilities with the H2 database.|[[https://www.metabase.com/blog/security-incident-summary|Metabase Post-Mortem]]|No impact on Nested Knowledge data as Nested Knowledge is a Metabase's Cloud customer.| 
 +| \\ 03-20-2023 1:00AM PT - \\  \\ 03-20-2023 10:00 AM PT|Leakage of other users' personal data|Other active users name, email address, credit card number, and credit card expiration date were visible to active Open AI users managing their subscriptions.|[[https://openai.com/blog/march-20-chatgpt-outage|Open AI Statement]]|No impact on Nested Knowledge data.| 
 +|03-18-2023|Compromised employee account|Affected 30 accounts in the Cryptocurrent industry.|[[https://ir.hubspot.com/news/hubspots-statement-regarding-march-18-2022-security-incident|Hubspot statement]]|No impact on Nested Knowledge data.|
  
 ===== Revision History ===== ===== Revision History =====
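Review bot: The HubSpot row in the new breach table dates the incident 03-18-2023, but the linked statement URL reads `march-18-2022-security-incident`; one of the two is wrong and should be corrected before the table is relied on. In the Termination of Services paragraph, "within 60 days we will request deletion" commits only to sending a request; add a step to obtain and file the sub-processor's written confirmation of deletion (backups included), otherwise the Data Processed inventory above never gets a closed-out record. The revised Communicating Updates line narrows notification from "all users" to "all affected users" without defining "affected"; say how that set is determined, for example users whose data appears in the Data Processed column for that sub-processor. Spelling: "sufficently", "Cryptocurrent" (Cryptocurrency), and "a Metabase's Cloud customer".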
Line 79: Line 95:
 |K. Kallmes|1/26/2023|Reviewed| |K. Kallmes|1/26/2023|Reviewed|
 |K. Cowie|1/26/2023|Drafted| |K. Cowie|1/26/2023|Drafted|
-|K. Holub|5/16/2023|Details about data processed and why|+|K. Holub|9/28/2023|Monitoring updates|
  
 [[:wiki:policies|Return to Policies]] [[:wiki:policies|Return to Policies]]
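Review bot: The revision-history change replaces the K. Holub 5/16/2023 row ("Details about data processed and why") with the 9/28/2023 row ("Monitoring updates") instead of adding a new row, so the earlier revision disappears from the history; keep both rows. The history also has no entry for the 2024/03/05 revision by katcow shown in the comparison header, which added the Country column, the Termination of Services section and the breach table.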
  
  
wiki/policies/third_party.1693431964.txt.gz · Last modified: 2023/08/30 21:46 by kholub