DeepDyve

United States

4.0 Policy 4.1 Reasons for Data Retention The company does not wish to simply adopt a "save everything" mentality. That is not practical or cost-effective, and would place an excessive burden on the IT Staff to manage the constantly-growing amount of data. Some data, however, must be retained in order to protect the company's interests, preserve evidence, and generally conform to good business practices. Some reasons for data retention include: • Litigation • Accident investigation • Security incident investigation • Regulatory requirements • Intellectual property preservation 4.2 Data Duplication As data storage increases in size and decreases in cost, companies often err on the side of storing data in several places on the network. A common example of this is where a single file may be stored on a local user's machine, on a central file server, and again on a backup system. When identifying and classifying the company's data, it is important to also understand where that data may be stored, particularly as duplicate copies, so that this policy may be applied to all duplicates of the information. 4.3 Retention Requirements This section sets guidelines for retaining the different types of company data. Personal There are no retention requirements for personal data. In fact, the company encourages that it be deleted or destroyed when it is no longer needed. Public There are no retention requirements for public data beyond what the owner of the data desires. Operational Most company data will fall in this category. Operational data must be retained for 1 year. Critical Critical data must be retained for 2 years. Confidential Confidential data must be retained for 2 years. 4.4 Retention of Encrypted Data If any information retained under this policy is stored in an encrypted format, considerations must be taken for secure storage of the encryption keys. Encryption keys must be retained as long as the data that the keys decrypt is retained. 4.5 Data Destruction Data destruction is a critical component of a data retention policy. Data destruction ensures that the company will not get buried in data, making data management and data retrieval more complicated and expensive than it needs to be. Exactly how certain data should be destroyed is covered in the Data Classification Policy. When the retention timeframe expires, the company must actively destroy the data covered by this policy. If a user feels that certain data should not be destroyed, he or she should identify the data to his or her supervisor so that an exception to the policy can be considered. Since this decision has long-term legal implications, exceptions will be approved only by a member or members of the company's executive team. The company specifically directs users not to destroy data in violation of this policy. Particularly forbidden is destroying data that a user may feel is harmful to himself or herself, or destroying data in an attempt to cover up a violation of law or company policy. 4.6 Applicability of Other Policies This document is part of the company's cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.

4.0 Policy 4.1 Treatment of Confidential Data For clarity, the following sections on storage, transmission, and destruction of confidential data are restated from the Data Classification Policy. 4.1.1 Storage Confidential information must be removed from desks, computer screens, and common areas unless it is currently in use. Confidential information should be stored under lock and key (or keycard/keypad), with the key, keycard, or code secured. 4.1.2 Transmission Confidential data must not be 1) transmitted outside the company network without the use of strong encryption, 2) left on voicemail systems, either inside or outside the company's network. 4.1.3 Destruction Confidential data must be destroyed in a manner that makes recovery of the information impossible. The following guidelines apply: • Paper/documents: cross cut shredding is required. • Storage media (CD's, DVD's): physical destruction is required. • Hard Drives/Systems/Mobile Storage Media: at a minimum, data wiping must be used. Simply reformatting a drive does not make the data unrecoverable. If wiping is used, the company must use the most secure commercially-available methods for data wiping. Alternatively, the company has the option of physically destroying the storage media. 4.2 Use of Confidential Data A successful confidential data policy is dependent on the users knowing and adhering to the company's standards involving the treatment of confidential data. The following applies to how users must interact with confidential data: • Users must be advised of any confidential data they have been granted access. Such data must be marked or otherwise designated "confidential."; • Users must only access confidential data to perform his/her job function. • Users must not seek personal benefit, or assist others in seeking personal benefit, from the use of confidential information. • Users must protect any confidential information to which they have been granted access and not reveal, release, share, email unencrypted, exhibit, display, distribute, or discuss the information unless necessary to do his or her job or the action is approved by his or her supervisor. • Users must report any suspected misuse or unauthorized disclosure of confidential information immediately to his or her supervisor. • If confidential information is shared with third parties, such as contractors or vendors, a confidential information or non-disclosure agreement must govern the third parties' use of confidential information. Refer to the company's outsourcing policy for additional guidance. 4.3 Security Controls for Confidential Data Confidential data requires additional security controls in order to ensure its integrity. The company requires that the following guidelines are followed: • Strong Encryption. Strong encryption must be used for confidential data transmitted external to the company. If confidential data is stored on laptops or other mobile devices, it must be stored in encrypted form. • Network Segmentation. Separating confidential data by network segmentation is strongly encouraged. • Authentication. Strong passwords must be used for access to confidential data. • Physical Security. Systems that contain confidential data should be reasonably secured. • Printing. When printing confidential data the user should use best efforts to ensure that the information is not viewed by others. Printers that are used for confidential data must be located in secured areas.

4.0 Policy 4.1 Data Classification Data residing on corporate systems must be continually evaluated and classified into the following categories: 1. Personal: includes user's personal data, emails, documents, etc. This policy excludes personal information, so no further guidelines apply. 2. Public: includes already-released marketing material, commonly known information, etc. There are no requirements for public information. 3. Operational: includes data for basic business operations, communications with vendors, employees, etc. (non-confidential). The majority of data will fall into this category. 4. Critical: any information deemed critical to business operations (often this data is operational or confidential as well). It is extremely important to identify critical data for security and backup purposes. 5. Confidential: any information deemed proprietary to the business. See the Confidential Data Policy for more detailed information about how to handle confidential data. 4.2 Data Storage The following guidelines apply to storage of the different types of company data. 4.2.1 Personal There are no requirements for personal information. 4.2.2 Public There are no requirements for public information. 4.2.3 Operational Operational data must be stored where the backup schedule is appropriate to the importance of the data, at the discretion of the user. 4.2.4 Critical Critical data must be stored on a server that gets the most frequent backups (refer to the Backup Policy for additional information). System- or disk-level redundancy is required. 4.2.5 Confidential Confidential information must be removed from desks, computer screens, and common areas unless it is currently in use. Confidential information should be stored under lock and key (or keycard/keypad), with the key, keycard, or code secured. 4.3 Data Transmission The following guidelines apply to transmission of the different types of company data. 4.3.1 Personal There are no requirements for personal information. 4.3.2 Public There are no requirements for public information. 4.3.3 Operational No specific requirements apply to transmission of Operational Data, however, as a general rule, the data should not be transmitted unless necessary for business purposes. 4.3.4 Critical There are no requirements on transmission of critical data, unless the data in question is also considered operational or confidential, in which case the applicable policy statements would apply. 4.3.5 Confidential Confidential data must not be 1) transmitted outside the company network without the use of strong encryption, 2) left on voicemail systems, either inside or outside the company's network.

United States

Cloud hosted

Google Cloud Platform (GCP)

no

What personal information can I access? Upon request DeepDyve will provide you with information about whether we hold any of your personal information. You may correct, update or remove your personal information at any time by logging into your account and accessing the account settings feature or by emailing us at support@deepdyve.com. We will respond to your request within a reasonable timeframe. Currently you may access and update the following information: Account Information (such as name, email address and billing information) User profile (you may update your profile at any time which includes some of your account information and any other information you choose to share) User preferences (you decide who see’s and does not see your profile, and who is able to message you) Search History (you are able to edit any searches that you may have performed while using the site) We will retain your information for as long as your account is active, as needed to provide you services, and for other purposes described in this privacy policy. If you wish to cancel your account or request that we no longer use your information to provide you services, contact us at support@deepdyve.com. We will retain and use your information as necessary to comply with our legal and accounting obligations, resolve disputes, and enforce our agreements. Even if we delete some or all of your Personal Information, we may continue to retain and use information that has been aggregated or anonymized so that it can no longer be used for personal identification. What other choices do I have? As stated previously, you can always opt not to disclose information, even though it may be needed to take advantage of certain DeepDyve features. You are able to add or update certain information on pages, such as those listed in the “What Personal Information Can I Access” section above. When you update information, however, we often maintain a copy of the unrevised information in our records. You may request deactivation of your account and deletion of personal information in your account by sending an e-mail to support@deepdyve.com. Please note that when your personal information is deleted we no longer have the availability to send you information or payments. Additionally, some of your information may remain in our records after deactivation of your account.

no

2021-02-06

no

no

yes

customercare@deepdyve.com

no

no

no

no