SimBiotic Software Privacy Policy
Introduction
In order to operate efficiently, SimBiotic Software® (SimBio) has to collect and use information about individuals and institutions with whom it works. These may include members of the public; current, past and prospective employees; clients; customers (students and educational institution personnel); and suppliers. SimBio’s Data Policy focuses on the data stored within the SimBio Active Learning System™. This is the only place within SimBio where data from students is stored.
SimBio is committed to ensuring information is properly managed and SimBio will make every effort to meet its obligations under this policy and will regularly review procedures to ensure that it is doing so.
SimBio’s data security policy balances three principal goals against the needs of operating our business and fulfilling the needs of our users:
- Minimize the amount and value of user data we store
- Minimize the chances that user data is leaked or lost
- Have procedures in place to detect, inform, and trace sources of any losses or leaks in user data
Overview
SimBio’s data security starts by limiting the data that is stored. SimBio only stores the following personal information about users of the SimBio Active Learning System™:
- Name
- Email address
- Student ID (for students)
- Phone number (optional)
- Password (stored indirectly as a hash)
- Data from student work within the SimUText System (such as answers to multiple choice questions)
SimBio deletes data from student work on a regular basis. Data on student work is not retained longer than one year after the end of the class in which the student conducted the work.
SimBio does not store credit card information or other high-value information. Even in the event of a data breach, there would be nothing of high value to be found within the SimBio Active Learning System™.
In addition to limiting the data stored, SimBio has a variety of industry-standard policies, processes, and systems to reduce the possibility of data loss. SimBio also has plans in place for recovering from and reporting data loss. These are detailed below.
People and policies
SimBio’s data security policy applies to all employees, contractors, agents and representatives and temporary staff working for or on behalf of SimBio. A Data Controller appointed by SimBio management has overall responsibility for compliance with the SimBio Data Protection Policy.
The SimBio Data Protection Policy stipulates that anyone processing information must comply with the following principles of good practice. The principles require that information:
- Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes;
- Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed;
- Shall be accurate and where necessary, kept up to date;
- Shall not be kept for longer than is necessary for that purpose or those purposes;
- Shall be kept secure, i.e., protected by an appropriate degree of security;
- Shall not be transferred to an agency other than SimBio unless that agency ensures an adequate level of data protection.
Among the policies in place to reduce the chance of data loss are:
- Direct access to user data is only given to SimBio employees
- All employees and contractors sign non-disclosure agreements
- All employees with access to user data receive periodic training on cybersecurity.
- All new employees submit to a background check prior to final offer of employment
- Each person with access to user data has their own individual login for accessing that data
- Each employee receives the minimal set of access to SimBio’s systems and user data which will allow them to perform their duties
- SimBio periodically reminds employees of, and enforces, the use of strong passwords (upper and lower case letters, numbers, symbols, and/or randomly generated), and stores all passwords securely in a password management application
- When an employee leaves the company, their accounts to access company information are promptly invalidated
Systems
SimBio uses cloud-based servers from AWS. AWS maintains the physical hardware, and SimBio relies on AWS for first-line protection of the servers and for maintaining operating system updates. AWS is SOC certified, and you can examine a copy of the report here: https://d1.awsstatic.com/whitepapers/compliance/AWS_SOC3.pdf
Among the systems we have implemented to reduce the chance of data loss are:
- Maintaining sensitive systems behind a VPN where possible
- Using HTTPS or similar encryption for transferring data to and from users and between internal systems
- No credit card information stored or processed by SimBio – all credit card processing is done directly by our provider for that service
- All employees’ individual work computers are protected by passwords and contain anti-virus software
- Scheduling regular off-site backups
Company Processes
SimBio has implemented a number of processes that aid in preventing data loss, among them:
- De-identifying user data before using it on test and development systems
- Conducting periodic external vulnerability scans
- Conducting periodic cybersecurity training for employees who have contact with user data or other sensitive information
- Conducting scheduled tests of restoration of our systems in the event of an attack or failure
- Reviewing this data policy yearly to identify changes that would better address the goals of the policy given changes in the threat environment and SimBio’s own software and business
The customer’s right to access their personal information
Any person whose details are held by SimBio is entitled to ask for a copy of all information held about them.
When a request is received it will be dealt with as soon as possible, and in no case with a delay longer than 30 calendar days.
When providing the information SimBio will also provide a description of why the information is processed, details of anyone it may be disclosed to and the source of the data.
Breach of the policy
Non-compliance with the requirements of this policy by members of staff could lead to serious action being taken by third parties against SimBio. Non-compliance by a member of staff is therefore considered a disciplinary matter that, depending on the circumstances, could lead to dismissal.
Procedures for Notifying Interested Parties in the Event of a Data Incident
In the event that there is a breach of SimBio’s database security or any other incident involving user data stored by SimBio, SimBio will, within 5 business days:
- To the best of our ability, notify all users who were directly affected by the data incident.
- Notify the appropriate personnel at any institutions with which those users were associated in their use of SimBio’s software.
- Notify the appropriate personnel of any third parties, such as publishers, whose customers may have been affected by SimBio’s data incident.