ProjectLibre Security Compliance Overview

ProjectLibre, Inc., pursuant to various statutes and regulations, acts as the controller of your Personal Data. In that capacity, we are responsible for the processing, unless otherwise noted in our Privacy Policy Statement. It is important to note that our Privacy Policy Statement does not apply when we process Personal Data in the role of processor on behalf of our customers. References to "ProjectLibre", "we", "us" or the "Company" are references to ProjectLibre, Inc. and its affiliates involved in the processing activity. Please contact us at [email protected] for details of our Data Protection Officers (located in the United States and France).

Your Personal Data may be collected, transferred to and stored by us in the United States and by our affiliates and third parties (as disclosed in the full Privacy Statement) in other countries. Therefore, your Personal Data may be processed outside your country or jurisdiction, including in places that may not provide the same level of protection. As described in our full Privacy Policy Statement, we have implemented safeguards to ensure an adequate level of protection where your Personal Data is transferred.

We may share Personal Data with the following:

  • Our contracted service providers, who process Personal Data on our behalf for credit card processing, marketing, customer support, IT and system administration;

  • If you are using our software or services as an authorized user, the ProjectLibre customer responsible for your access to the services, for verifying your account and reviewing compliance with our usage terms and policies;

  • Third-party networks and websites so that we can advertise on their platforms;

  • Professional advisers, including banking, legal, accounting, insurance and consulting advisers;

  • Public and government authorities, if we are compelled to disclose Personal Data to comply with our legal obligations.

Please review our full Privacy Policy Statement for more detailed information. We collect and process Personal Data for multiple purposes, including:

  • to operate our website and social media pages;

  • to send communications;

  • to manage contact and user support requests;

  • to deliver and optimize the performance of our services; 

  • to bill for our services and manage our accounts; 

  • to maintain the security of ProjectLibre and its services;

  • to administer surveys and conduct research; and

  • to comply with our legal obligations.


Personal Data processing

For the list of purposes for which we process your Personal Data, please see the full Privacy Statement.

We only process and collect your Personal Data as necessary for these purposes and where we can rely on a legal basis for such processing as set out in our full Privacy Policy Statement.

It is important for you to review the "Personal Data we collect" and "Purposes/reasons for our processing Personal Data, including the legal basis on which we rely" sections in our full Privacy Policy Statement for additional information. It is also important to review the "How long we keep your Personal Data?" section for how long we store your Personal Data. We don't store "special" personal information, such as criminal convictions, sexual preference and other "special" personal data as defined in the EU GDPR. We also don't make automated decisions based on personal data. We also have role-based access within each provisioned company.


GDPR overview


GDPR applies to ProjectLibre because we sell to and have community members in the EU, and people visit our website from the EU. We do not monitor the behavior of people within the EU. You can contact us to obtain additional information. We have identified and documented each system which stores or processes EU or UK personally identifiable information (PII). This includes systems such as our database, application, hosting and service providers. We have also identified the retention period for PII in each system. We do not store any information which would be considered "Special Categories" of PII.

You can also contact us for more information on our Data Map, which meets the requirements for Records of Processing Activities (Art. 30). This covers ProjectLibre as the controller and our security measures, sharing policies and time limits on storage. Our Privacy Policy has ProjectLibre's contact information and the purpose of processing the data. We also have a description of the data to be processed and who will receive the data. We also note the safeguards for data transfers to a third country or international organization, with retention timing. We also note the grounds for lawful processing of the data. These include consent from the data subject, a contract or subscription with the data subject, or necessary compliance with a legal obligation.

We have also taken an inventory of current customer and vendor contracts to confirm new GDPR provisions. This includes confirming that all customer contracts have appropriate contract language (e.g. data protection addendums). We also ensure people authorized to process the personal data are subject to a confidentiality agreement or professional/statutory obligations of confidentiality. The vendors have adequate information security in place, both technical and organizational. The vendors will not disclose any personal data to any sub-processor unless required or authorized, and will delete or return all personal data at the end of services. All vendors will make available all information needed to demonstrate compliance, and we contact vendors as part of our risk assessment of PII processing.

We have assessed that we do not need a Data Protection Impact Assessment. This is because we perform no automated profiling on which decisions are made, process no special categories such as criminal convictions, and don't manage publicly accessible areas.

We have posted our ProjectLibre Privacy Policy on our website: https://www.projectlibre.com/projectlibre-privacy-policy . ProjectLibre has not hired outside auditors for an external certification. Our onboarding process for employees and contractors includes training to demonstrate compliance with GDPR principles. We also have an incident response plan in case of a data breach. It includes timelines, authorities, controllers and data subjects. We also ensure technical and organizational personnel only access the personal data necessary for each specific purpose.


SOC 2 and ISO 27001


SOC 2


This is an overview. SOC 2 is more widely accepted in the USA; ISO 27001 is more of an international standard. We have evaluated compliance with each Trust Service Criteria (TSC). It is important to note that not every TSC applies to ProjectLibre. The minimum compliance for companies is the Security TSC, with which ProjectLibre complies. The other TSCs are Availability, Processing Integrity, Confidentiality and Privacy. SOC 2 does not prescribe specific actions for satisfying the TSCs. ProjectLibre has not hired outside auditors for an external certification.

Security

The Security TSC requires ProjectLibre to protect our systems from outside access. The purpose of this TSC is to minimize the risk of data theft, misuse, or disclosure. Restricting access to customer data in the cloud with firewalls, two-factor authentication and threat alerts are just a few of the ways ProjectLibre complies with this TSC. We monitor our IT infrastructure for potential security problems and have policies governing that monitoring. We maintain audit logs and security alerts.


Availability

Our customers can quickly and easily access their data when they log in. Their administrators have access to the data in a timely, reasonable way. As a SaaS company, we provide a minimum level of performance at all times. Our current SLA contract with our provider has a guarantee of 99.98%.

Processing Integrity

This TSC requires that ProjectLibre does what it is supposed to do. We comply with this and securely send data at the right time, to the right company/users. We process all data in a timely and accurate manner, with access authorized via User Roles and Teams. This TSC also requires that we protect the data in your systems.

Confidentiality

The fourth TSC requires that ProjectLibre be responsible for restricting data access so that only relevant, authorized parties can use sensitive customer data. ProjectLibre has created policies and procedures for keeping this data confidential during transfer, storage, and access. We do this with encryption, firewalls, and access controls.

Privacy

ProjectLibre does hold some basic Personally Identifiable Information (PII). We comply with privacy rules any time we use, collect, disclose, or delete a customer's data. This conforms with the AICPA's Privacy Management Framework. Each employee has a unique ID and login. We also restrict access to certain data in our cloud applications based on user roles and permissions. When an employee leaves ProjectLibre, we quickly deactivate their accounts.


ISO 27001


ProjectLibre complies with the ISO 27001 standard. As an overview, it comprises 114 controls in 14 categories. There is no specific requirement to implement the full list of controls, and many of them overlap with SOC 2. ProjectLibre has not hired outside auditors for an external certification. The 14 categories are:

  • Information security policies

    • Please note the description in our SOC 2 overview.

  • Organization of information security and assignment of responsibility

    • Please note the description in our SOC 2 overview.

  • Human resource security

    • Please note the description in our SOC 2 overview.

  • Information asset management

    • Please note the description in our SOC 2 overview.

  • Employee access control

    • Please note the description in our SOC 2 overview.

  • Encryption and management of sensitive information

    • Please note the description in our SOC 2 overview.

  • Physical and environmental security

    • Please note the description in our SOC 2 overview.

  • Operations security

    • Please note the description in our SOC 2 overview.

  • Communications security

    • Please note the description in our SOC 2 overview.

  • System acquisition, development, and maintenance

    • Please note the description in our SOC 2 overview.

  • Supplier relationships

    • Please note the description in our SOC 2 overview.

  • Information security incident management

    • Please note the description in our SOC 2 overview.

  • Information security aspects of business continuity management

    • Please note the description in our SOC 2 overview.

  • Compliance

    • Please note the description in our SOC 2 overview.

California Consumer Privacy Act

This is a note on the California Consumer Privacy Act (CCPA) for California residents. ProjectLibre is covered by the CCPA. ProjectLibre has not hired outside auditors for an external certification. We do not sell personal data, but may share it with third parties. We may also allow third parties to collect personal data from our site if they are authorized service providers or partners who have agreed to our policy on retention, disclosure and use.

The CCPA requires that ProjectLibre indicate which categories of personal data we disclose for business purposes. We do have service providers who assist in securing our services and marketing ProjectLibre, as well as other entities described in the ProjectLibre Privacy Policy. These categories include: commercial information, internet activity information, identifiers, financial information, education information, professional/employment-related information and any inferences drawn from the previous information categories.

The CCPA grants rights to California residents, including access to specific personal data, information on how we process the data, and the right to request deletion of their personal data. California residents also cannot be denied services for exercising these rights. If you are under age 18 and have an account with ProjectLibre, you can ask us to remove content you have posted on our website. It is important to note that such a request does not ensure complete and comprehensive removal of content or information; this may be, for example, because another user has reposted it. If you wish to exercise your rights, please access our Privacy Policy and contact us at [email protected]. We may need to verify your place of residence and identity before completing your request.


ProjectLibre Privacy Policy


https://www.projectlibre.com/projectlibre-privacy-policy


Payment Card Industry Data Security Standard (PCI DSS)


ProjectLibre and our partners comply with the Payment Card Industry Data Security Standard (PCI DSS). These are requirements developed by the major payment card brands. PCI DSS is a global standard that applies to any business that accepts, processes, stores, transmits, or impacts the security of cardholder data. ProjectLibre has not hired outside auditors for an external certification.