CCM Security and Privacy Practices
CCM Platform - Version 1 – 29 July 2022
ACL shall maintain and implement the following technical and organizational measures in relation to the security of any Customer Configuration.
1. Administrative Controls
1.1 Screening - ACL will perform pre-employment background screening of its employees who have access to customers’ accounts, and is committed to employee supervision, training, and management.
1.2 ACL Access - ACL will restrict the use of administrative access codes for customer accounts to its employees and other agents who need the access codes for the purpose of providing the Services. ACL personnel who use access codes shall be required to log on using an assigned username and password.
1.3 Customer Access - As the primary application administrator, you are responsible for the management of your accounts, including creation, change management, and termination.
2. Reports of and Response to Security Breach
ACL will report to you, as soon as reasonably practicable, in writing and in accordance with applicable law and/or implemented security standard, a material breach of the security of your Customer Configuration which results in unauthorized access to your Customer Data resulting in the destruction, loss, unauthorized disclosure or alteration of your data of which we become aware. Upon request, we will promptly provide to you all relevant information and documentation that we have available to us regarding your Customer Configuration in connection with any such event.
3. Customer Data Return
The Services enable you to retrieve, correct, or delete Customer Data. Depending on your Services, you may not have access to your Customer Configuration or Customer Data during a suspension of Services or following the termination of the Agreement. You are responsible for retrieving a copy of your Customer Data prior to the termination of the Agreement.
4. Privacy and Personal Data Processing
4.1 Roles - In respect to “Personal Data” processed under the Services, you may act as “controller” or “processor” and ACL may act as “processor” or “sub processor”.
4.2 Instructions for Data Processing - ACL will process Personal Data only to the extent and in such a manner as is necessary to provide the Services under the Agreement or as otherwise instructed by Customer from time to time.
4.3 Notifications - ACL shall notify you as soon as reasonably practicable in writing: (a) of any communication received from an individual relating to (i) an individual’s rights to access, modify, correct, delete or block his or her Personal Data and (ii) any complaint about your Processing of Personal Data; and (b) to the extent not prohibited by law, of any complaint, notice or other communication that relates to Customer’s compliance with data protection and privacy law and the processing of Personal Data.
You agree to make any required notifications to, and obtain required consents and rights from, individuals in relation to ACL’s provision of any work or Services to you. Where ACL receives the communication described in this section and notifies you of such communication, it is your responsibility to respond to and take all other appropriate action with regard to the communication required under the applicable law.
5. Additional Security Parameters
- In this Service, we offer GPF encryption for storing and transporting the Customer Data, unless a different mechanism is specified by the Customer.
- Files are transferred to the Service using the secured FTP (SFTP) access from the Customer on TLS 1.2 unless a different mechanism is specified by a Customer.
- ACL team members working on the Customer Communication Management (CCM) Service are given system access with logging.
- To secure the generated PDF, we offer password protection, if required by the Customer and subject to initial agreement of the requirement.
- Generated PDFs can have digital signatures that are cryptographically bound and secured with a tamper-evident seal, if required by the Customer and subject to initial agreement of the requirement.
- Restricted and role-based access: ACL team members working anywhere in the generation process cannot view any file; they can only execute instructions to run the campaign.
- ACL follows an exceptional approval process for troubleshooting file or related issues.