Blue Mango Learning Systems, LLC

United States

ScreenSteps shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data. Retention periods shall be documented in the Data Retention Matrix in Appendix B to this policy.

Data classified as restricted or confidential shall be securely deleted when no longer needed. ScreenSteps shall assess the data and disposal practices of third-party vendors in accordance with the Third-Party Management Policy. Only third-parties who meet ScreenSteps requirements for secure data disposal shall be used to store and process restricted or confidential data. ScreenSteps shall ensure that all restricted and confidential data is securely deleted from company devices prior to, or at the time of disposal.

Confidential Data Handling Confidential data is subject to the following protection and handling requirements: Access for non-preapproved roles requires documented approval from the data owner Access is restricted to specific employees, roles and/or departments Confidential systems shall not allow unauthenticated or anonymous access Confidential Customer Data shall not be used or stored in non-production systems/environments Confidential data shall be encrypted in transit over public networks Mobile device hard drives containing confidential data, including laptops, shall be encrypted Mobile devices storing or accessing confidential data shall be protected by a log-on password or passcode and shall be configured to lock the screen after fifteen of non-use minutes 22Backups shall be encrypted Confidential data shall not be stored on personal phones or devices or removable media including USB drives, CD’s, or DVD’s Paper records shall be labeled “confidential” and securely stored and disposed Hard drives and mobile devices used to store confidential information must be securely wiped prior to disposal or physically destroyed Transfer of confidential data to people or entities outside the company shall only be done in accordance with a legal contract or arrangement, and the explicit written permission of management or the data owner Restricted Data Handling Restricted data is subject to the following protection and handling requirements: Access is restricted to users with a need-to-know based on business requirements Restricted systems shall not allow unauthenticated or anonymous access Transfer of restricted data to people or entities outside the company or authorized users shall require management approval and shall only be done in accordance with a legal contract or arrangement, or the permission of the data owner Paper records shall be securely stored and disposed Hard drives and mobile devices used to store restricted information must be securely wiped prior to disposal or physically destroyed Public Data Handling No special protection or handling controls are required for public data. Public data may be freely distributed.

United States

Cloud hosted

AWS

yes

When someone submits a Data Erasure Request we follow our internal documentation for "Processing a Data Erasure Request". The user is removed from each of our systems in accordance with this document.

no

2022-07-25

yes

SAML (Okta, Azure AD, Salesforce, etc.) and Custom.

yes

no

security@screensteps.com

no

no

no

no