Privacy Policy


1. Purpose and Scope

The purpose of this policy is to define the conditions of privacy under which ConstructSecure operates its general website and under which it uses, processes, and stores the data that it collects from enrolled clients who log into and use the ConstructSecure vendor-prequalification application. 

The scope of this policy applies to the public ConstructSecure website (www.constructsecure.com) as well as all ConstructSecure networks and IT systems and all end-user data that is provided by enrolled clients related to the use of the CS System. End-user data includes, but is not limited to, names, business emails, and business phone numbers. Users of the CS Inspect module may also opt to provide their business cell phone numbers in order to receive alerts regarding inspection findings. This personal end-user data is required as part of an enrolled client’s interaction and use of the CS application to allow users to set up secure accounts and to receive messages and alerts from the system. This policy is in full effect for the duration of an active client account.

The CS Privacy Policy is intended to clearly and thoroughly explain our policies around cookies, data collection, data use, data processing, data transfer, data retention and deletion, notifications of personal data breaches, and how you can contact ConstructSecure to manage or delete your information/account.

2. Visitors vs. Users

The ConstructSecure website is openly available and Visitors to the website are not required to input any personal information in order to navigate our pages and learn about our products. ConstructSecure does, however, use cookies as a way to help us improve the visitor experience, as further described in Section 4 below. First-time visitors to the CS site are immediately informed of our use of cookies via a pop-up banner and there is also a link to this policy provided within the text of the pop-up banner and at the bottom of every page on our website.

Users of the ConstructSecure system are defined within this policy as individuals who are enrolled in one or more of CS’s software products, including CS Safety, CS Financial, CS Tracker, and/or CS Inspect. This policy encompasses all of the client end Users who use any aspect of the CS system, as well as ConstructSecure employees.

CS Users can be set up with one of two types of access to the CS web-based application – either Administrative or General. The only standard distinction between the two access levels is that Administrative Users are initially set up in the system by ConstructSecure and are given the capability to create General Users, so that they can internally manage the list of their employees who will be using the CS application based on their specific business needs.

When a General User is added by a client Administrator, the only identifiable data that is provided by the Administrator is the name, business email address, and telephone number of the General User. Once a client Administrator sets up a General User profile, an automatic email is sent from the CS system to the General User that provides a link to initiate the formal creation of a unique General User profile. During this set-up process, we use a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), which is a challenge-response system test that is designed to differentiate humans from automated programs. A CAPTCHA differentiates between human and bot by requiring completion of a task that is easy for most humans to perform but is more difficult and time-consuming for current bots to complete. Further, during set-up, all users must create and adhere to a strict password system that is described in detail in the CS Password Policy. 

End user accounts are unique to each user and are never shared. Based on the unique username and password, a General User is only able to access the specific data that he/she enters. In addition, end users only have access to the specific modules of the CS application (e.g., CS Safety, CS Financial, CS Tracker, CS Inspect) that are defined by their client contract agreement.

3. Reference Documents

Specific regulations and frameworks that are relevant to this policy include, but are not limited to:

· ISO/IEC 27001 Standard. Clauses A.9.1.1, A.9.1.2, A.9.2.1 – A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.3.

· General Data Protection Regulation (GDPR), 5/25/2018

· EU-U.S. & Swiss-U.S. Privacy Shield Frameworks, US Department of Commerce/European Commission/Swiss Administration

· California Consumer Privacy Act (CCPA), 1/1/2020

· Lei Geral de Proteção de Dados (LGPD), 2/1/2020

The overarching policies that describe ConstructSecure’s commitment to information safety are this CS Privacy Policy and the CS Information Security Policy. The purpose of the CS Information Security Policy is to provide a high-level understanding of the principles and practice of ConstructSecure’s Information Security Management System (ISMS). While the CS Information Security Policy provides a general approach to information security, it is supplemented by very specific technical policies that define the measures we take to ensure the confidentiality and integrity of our data, including:

· CS Acceptable Use Policy

· CS Access Control Policy

· CS Change Management & Secure Engineering/Development Policy

· CS Clear Desk and Clear Screen Policy

· CS Data Backup Policy

· CS Document & Information Control Policy

· CS Encryption Policy

· CS Incident Management Policy

· CS Internal & External Audit Policy

· CS Logging and Monitoring Policy

· CS Password Policy

In addition, there are several internal CS manuals that contain organizational information that is relevant to our information security and how we communicate that to employees and clients, including: 

· CS Administrative Manual

· CS Customer/Supplier Engagement and Support Manual

· CS Disaster Recovery and Business Continuity Manual

· CS ISMS Risk Assessment and Risk Treatment Methodology

· CS ISMS Risk Assessment and Risk Treatment Report

· CS Employee Handbook

· CS System Architecture Manual

4. Cookie Policy

To make the ConstructSecure website work properly, small data files called cookies are sometimes placed on a Visitor or User’s device. These cookies are stored in text files on a device so that the preferences of a Visitor or User (such as language, font size, login, and other display preferences) are “remembered” when the CS website is subsequently loaded in a browser. This common practice does not in any way minimize ConstructSecure’s commitment to maintaining the highest standards for the security and protection of customers’ information. Like most websites, ConstructSecure uses cookies to help ensure a consistent and efficient experience for Visitors and Users, and to perform essential functions such as allowing enrolled users to register and remain logged in.

ConstructSecure may also use cookies to help analyze how Visitors and Users interact with and navigate through our sites so that we can make improvements. Cookie-related information is also used to remember and log the actions of enrolled Users. Cookies are not used for any purpose other than those described herein. Specifically, the ConstructSecure website does not enable third-party tracking mechanisms to collect data over time and across unaffiliated websites for use in interest-based advertising. In addition, ConstructSecure sets the HttpOnly flag on all cookies; this flag tells the browser that the cookie may only be sent with HTTP requests and must not be exposed to client-side scripts. The HttpOnly flag therefore blocks any attempt by malicious JavaScript running in the page to read the cookie.
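The following is an added example, not ConstructSecure’s code, showing how an operator can verify the HttpOnly statement above against a site’s actual responses: it parses Set-Cookie header values and reports which protective attributes each cookie carries. It goes slightly beyond the policy text by also checking the Secure and SameSite attributes, which are not mentioned in this policy; the sample headers are constructed for illustration and do not come from the ConstructSecure site.

```python
"""Audit Set-Cookie headers for HttpOnly (and, as an extension, Secure and SameSite).

Added example, not part of the ConstructSecure policy or code base. The
sample header values below are constructed for illustration only.
"""

from typing import Dict, List, Optional, Tuple


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into its name, value and security attributes.

    Attribute names are matched case-insensitively, as browsers do.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    info: Dict[str, object] = {
        "name": name.strip(),
        "value": value.strip(),
        "httponly": False,   # script access to document.cookie is blocked
        "secure": False,     # cookie is only sent over HTTPS
        "samesite": None,    # "Lax", "Strict" or "None" when present
    }
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "httponly":
            info["httponly"] = True
        elif key == "secure":
            info["secure"] = True
        elif key == "samesite":
            info["samesite"] = val.strip() or None
    return info


def audit_cookies(headers: List[str]) -> List[Tuple[str, List[str]]]:
    """Return (cookie name, list of missing protections) for each Set-Cookie value.

    An empty list of missing protections means the cookie satisfies all three
    checks; a policy that promises "all cookies are HttpOnly" should never
    produce a finding containing "HttpOnly".
    """
    findings: List[Tuple[str, List[str]]] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        missing: List[str] = []
        if not cookie["httponly"]:
            missing.append("HttpOnly")
        if not cookie["secure"]:
            missing.append("Secure")
        if cookie["samesite"] is None:
            missing.append("SameSite")
        findings.append((str(cookie["name"]), missing))
    return findings


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Build a Set-Cookie value for a session cookie with all three attributes set.

    Hypothetical helper showing the header a server should emit; it is not
    the attribute list ConstructSecure actually uses.
    """
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


# Constructed sample headers: one fully protected cookie, one with no
# attributes at all, and one that is Secure but not HttpOnly.
SAMPLE_HEADERS: List[str] = [
    "session=3f9c1a; Path=/; Secure; HttpOnly; SameSite=Lax",
    "lang=en; Path=/",
    "prefs=fontsize-large; Path=/; Secure",
]


def audit_samples() -> List[Tuple[str, List[str]]]:
    """Run the audit over the constructed samples."""
    return audit_cookies(SAMPLE_HEADERS)


if __name__ == "__main__":
    for cookie_name, missing in audit_samples():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie_name}: {status}")
    print(build_session_cookie("session", "example-value"))
```

In practice the header values would be taken from a captured HTTP response rather than the constructed list. HttpOnly only prevents scripts from reading the cookie; it does not stop the browser from sending it, which is why the Secure and SameSite attributes are checked alongside it.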

Visitors and Users can block any cookies from any website through their browser settings. Note that the procedures for changing settings and cookies differ from browser to browser. For more information about how to disable cookies for the top browsers, please refer to the instructions on their respective websites:

· Internet Explorer (http://support.microsoft.com/gp/cookies/en)

· Mozilla Firefox (http://support.mozilla.com/en-US/kb/Cookies)

· Google Chrome (http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95647)

· Safari (http://support.apple.com/kb/PH5042)

· Opera (http://www.opera.com/browser/tutorials/security/privacy/)

In addition to changing a browser’s settings to prevent cookies from being placed, an individual can also delete all cookies that are already stored on a device. If a Visitor or User chooses this option, they may have to manually adjust some preferences every time they visit the ConstructSecure site, and some services and functionalities may not work at all.

First-time visitors to the ConstructSecure website are immediately informed of ConstructSecure’s use of cookies via a pop-up banner. 

5. Data Collection

End user data that is collected as part of enrollment in the ConstructSecure Application that is categorized as Personal Data or Personally Identifiable Information (PII) includes user full names, business emails, and business phone numbers. Users of the CS Inspect module may also opt to provide their business cell phone numbers in order to receive alerts regarding inspection findings. This personal end user data is required as part of an enrolled client’s interaction and use of the CS application to allow users to set up secure accounts and to receive messages and alerts from the system. 

6. Data Use 

ConstructSecure’s ISMS is managed internally by our Chief Technology Officer, who acts as our Chief Information Security Officer (CISO) as defined in ISO 27001 and as our Data Protection Officer as defined in Article 37 of the GDPR. As clients use our services and systems, the Chief Technology Officer sets clear parameters on how their data is used and the ways in which a user’s privacy is protected, including but not limited to: 

· For users of the CS System, ConstructSecure processes data solely for the purposes defined in the Client Software License and Services Agreement and/or the Subcontractor Participation Agreement and utilizes Amazon Web Services for all of our cloud computing as described in Section 7 below;

· ConstructSecure guarantees the confidentiality of personal data that is processed as defined in the contract agreements and within this document;

· ConstructSecure does not share data with any third parties and does not use any third party advertising providers;

· ConstructSecure ensures that its employees are fully vetted and receive the appropriate personal data protection training as defined in the CS Administrative Manual and the CS Employee Handbook;

· ConstructSecure employees acknowledge and sign the non-disclosure requirements set forth in the CS Employee Handbook;

· Any data transfer or download happens via the SSL protocol;

· To access data, the user must log in with a username/password as fully defined in the CS Password Policy;

· During uploading of data, files are encrypted and stored as fully defined in the CS Encryption Policy, including the requirement that each encrypted file has its own key;

· Stored backups and logs are encrypted as fully defined in the CS Data Backup Policy, including the requirement that ConstructSecure does not use any temporary storage.

7. Data Processing

As noted above, ConstructSecure uses Personal Data solely for the purposes defined in the Client Software License and Services Agreement and/or the Subcontractor Participation Agreement. In addition, as detailed in the CS Administrative Manual, ConstructSecure contracts with Amazon Web Services, a leader in cloud technology, to create a logically isolated section of AWS where we can create a Virtual Private Cloud (VPC) for our system. While AWS falls outside the scope of ConstructSecure’s ISMS, one of the reasons for choosing AWS was their own certification under ISO/IEC 27001:2013. Specifically, AWS was issued Certificate #2013-009 on 11/18/10, which was updated and re-issued most recently on 3/27/20. 

In addition, as part of our agreement with AWS, we are a party to their Data Processing Agreement (DPA). This is a critical component of our commitment to data security and privacy because Amazon’s DPA meets all of the requirements of the General Data Protection Regulation (GDPR), the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, and the California Consumer Privacy Act. Our DPA with AWS provides us with assurance on important data security requirements, including but not limited to:

· AWS will process customer data only in accordance with customer instructions;

· AWS has implemented and will maintain robust technical and organizational measures for the AWS network;

· AWS will notify its customers of a security incident without undue delay after becoming aware of the security incident. 

8. Data Transfers

ConstructSecure does not share data with or transfer data to any third parties and does not use any third party advertising providers. 

The ConstructSecure Application is a SaaS-based, web-hosted application. As noted in earlier sections, ConstructSecure contracts with Amazon Web Services for cloud service. As part of that contract, AWS maintains servers for ConstructSecure in both the United States and Europe (Frankfurt, Germany) to ensure that data from European Union (EU) countries (including Iceland, Liechtenstein, Norway, and Switzerland) is kept in an EU country. AWS maintains compliance with both the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, and both certifications are classified as “Active” with their next certifications due on 1/16/21.

9. Data Retention & Deletion

ConstructSecure retains all end user data only for as long as we have an ongoing legitimate need to do so and are working under a client or subcontractor agreement. Specific user accounts and Personally Identifiable Information are deleted immediately upon account deletion (by a client Administrative User or by ConstructSecure) or upon contract termination. ConstructSecure tries to ensure that our services protect information from accidental or malicious deletion. Because of this, there may be delays between when a user deletes something and when copies are deleted from our active and back-up systems.

 As noted above, for deletion of specific user accounts, a client Administrative User has the functionality to delete an account that they created from the CS system. In addition, upon termination of a client or subcontract agreement, the Chief Technology Officer will remove the access rights of associated end user accounts by disabling their logins, removing their profiles from the system, and verifying that access has been terminated.

As detailed in the ConstructSecure Subcontractor Participation Agreement, ConstructSecure may de-identify and aggregate information submitted by subcontractors; ConstructSecure owns all aggregated information and may use it for any purpose and communicate it to any third party without obligation to a subcontractor. Aggregated information is anonymous information and is no longer Personal Data subject to data protection laws or regulations.

10. GDPR Requirements and Privacy Shield Statement

Implementing an ISO 27001 compliant Information Security Management System (ISMS) is not only best practice, but it is also integral to demonstrating data protection compliance to clients, subcontractors, and third parties. In addition, by implementing ISO 27001, ConstructSecure has created a strong framework to ensure compliance with the European Union General Data Protection Regulation (GDPR) that went into effect on 5/25/2018. 

To ensure GDPR compliance, ConstructSecure complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the United States Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union and Switzerland to the United States. ConstructSecure has certified to the US Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in the CS Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield Program, and to view our certification, please visit:

https://www.privacyshield.gov/.

As part of the Privacy Shield Framework and Principles, ConstructSecure certifies the following:

· ConstructSecure’s self-certification is subject to the investigatory and enforcement authority of the Federal Trade Commission;

· ConstructSecure collects limited Personal Data as described previously in Section 5 and we use this information only for the purposes described previously in Section 6;

· Individual users of the ConstructSecure Application have the right to access their Personal Data and to review, correct, amend, delete, or limit the use and/or disclosure of their Personal Data. EU and Swiss users, like all users, can securely log in to the CS System at any time using their unique username and password to access and review their personal data. If any user of the ConstructSecure application would like to amend, delete, or limit the use and/or disclosure of their personal data, they can contact ConstructSecure at support@constructsecure.com as described in more detail in Section 13;

· ConstructSecure does not share data with or transfer data to any third parties and does not use any third party advertising providers. However, ConstructSecure acknowledges that any entity, including ConstructSecure, that does share or transfer data to third parties would remain liable if that third party processes personal data in a manner inconsistent with the principles;

· ConstructSecure, in accordance with our legal obligations and subject to a lawful request, may transfer Personal Data to public authorities for law enforcement or national security purposes;

· ConstructSecure encourages EU and Swiss users, and all users, who have questions or complaints about how we process their Personal Data under Privacy Shield to contact us as described in Section 13. ConstructSecure will work to resolve your issues as quickly as possible, and no later than 30 days after receipt of a question or complaint;

· If you have unresolved privacy or data use complaints that we have not addressed satisfactorily, please contact, free of charge, our US-based third party dispute resolution provider, American Arbitration Association, at https://www.adr.org/TechnologyServices;

· If you are an EU or Swiss User and unable to resolve any complaints through any of the above methods, you may invoke binding arbitration in accordance with the Privacy Shield Framework at https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint.

11. California & Brazil Requirements

ConstructSecure also maintains compliance with the California Consumer Privacy Act (CCPA) that went into effect on 1/1/20 and the Lei Geral de Proteção de Dados (LGPD) that went into effect in Brazil on 2/1/20. If the California Consumer Privacy Act (CCPA) or the LGPD applies to a user’s information, Section 13 of this policy describes the process available to a user to exercise his/her rights to receive information about ConstructSecure data practices and/or to request deletion of his/her information/account.

ConstructSecure does not share, sell, or transfer a user’s Personal Data. ConstructSecure uses and processes Personal Data for business purposes only as defined in the Client Software License and Services Agreement, the Subcontractor Participation Agreement, and this policy.

12. Notification of Changes to the Privacy Policy or Personal Data Breaches

ConstructSecure reserves the right to revise the CS Privacy Policy at any time. If substantial changes are made to this privacy notice, ConstructSecure will post notification of such changes on the “ConstructSecure Blog” that is linked from our website at www.constructsecure.com. In addition, all new versions of this policy will be immediately re-posted on the ConstructSecure website, as accessed by the direct “Privacy Policy” link that is found at the bottom of every page on the ConstructSecure website.

In addition, ConstructSecure will notify clients immediately via email of any personal data breach (and never later than 72 hours after having become aware of it). This notification will include any documentation necessary to enable clients to notify the competent supervisory authority of the breach, if required, including:

· The nature and description of the breach including the number of users who are affected;

· Analysis and root cause of the failure;

· Immediate corrective action to address the breach and mitigate the adverse effects; and,

· Other corrective actions proposed or taken to prevent any future breaches of the same nature and type. 

13. Contacting ConstructSecure

ConstructSecure is located at 450 Bedford Street, Suite 2200, Lexington, Massachusetts, 02420. 

If users have any questions or complaints about ConstructSecure’s data practices or if they would like to request deletion of their information/account, they can contact the Chief Technology Officer or the Vice President of Compliance at the above address, by email at support@constructsecure.com, or telephone at 866-817-2210. Direct links to ConstructSecure’s email address are also available on our public website and after users log in to the ConstructSecure system. 

ConstructSecure responds to written complaints by contacting the person who made the complaint to resolve any issue directly and quickly in accordance with the Service Level Agreement (SLA) outlined in the ConstructSecure client or subcontractor agreement. In addition, in accordance with the principles of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks and as detailed in Section 10, ConstructSecure will work with the appropriate independent recourse authorities, including but not limited to, the United States Department of Commerce, the United States Federal Trade Commission, the EU Data Protection Authorities (DPAs), and the Swiss Federal Data Protection and Information Commissioner (FDPIC), as necessary to resolve any complaints to a user’s satisfaction and at no cost to the user.

14. Policy Compliance

A. COMPLIANCE CRITERIA

When evaluating the effectiveness and adequacy of this document, the following criteria must be considered:

· Number of breaches of the system.

· Number of account deletions.

· Number of requests for data security information and resolution times.

· Number of data security complaints and resolution times.

B. COMPLIANCE MEASUREMENT

The specific compliance criteria bulleted above are included as part of an ISMS Comprehensive Compliance Measurement Table that has been prepared by ConstructSecure and is provided in the CS Information Security Policy, Appendix 1. The Chief Technology Officer will verify compliance with our overall Information Security Policy, and all other technical policies, by performing a quarterly review using the ISMS Comprehensive Compliance Measurement Table. The results of the quarterly review will be tracked, analyzed, and included as part of the annual ISMS Management Review meeting. 

In addition to the formal quarterly review, compliance is also measured on a continual basis through various methods, including but not limited to, periodic walk-throughs, business tool reports, and feedback to the policy owner. 

Training and awareness for this policy are conducted as part of ConstructSecure’s overall employee training program as detailed in the CS Employee Handbook.

C. EXCEPTIONS

Any exception to the policy must be approved by the policy owner in advance.

D. NON-COMPLIANCE

An employee found to have willfully violated this policy may be subject to disciplinary action, up to and including termination of employment.

15. Policy Ownership and Review

The author of this policy is considered the owner and has the responsibility for updating it whenever changes are dictated by the work. In addition, an annual review of this policy will be conducted by the Chief Technology Officer to ensure that it remains appropriate considering any relevant changes to the law, organizational policies, and/or contractual obligations. 

As specified in the CS Administrative Manual, all changes to an ISMS document must be made using “Track changes,” making visible only the revisions to the previous version, either showing them in red text or strikeout. In addition, for reference, all previous versions of an ISMS document are stored on the personal user drive of the CS Vice President of Compliance. The versioning history for this document is defined in the table below:
