Clarivoy Data Processing Controls & Protocols
Frequently Asked Questions (FAQ)
1. Information Security Program
· Q: Who is responsible for Clarivoy’s information security program?
A: Clarivoy assigns designated personnel or a team to develop, implement, and manage its written information security program.
· Q: What safeguards are included in Clarivoy’s information security program?
A: Clarivoy maintains technological, physical, administrative, and procedural safeguards to ensure the privacy, confidentiality, integrity, and availability of Personal Data.
· Q: How often is the information security program tested or reviewed?
A: The program is regularly tested, monitored, and evaluated for sufficiency and effectiveness, including incident response procedures.
2. Risk Assessment
· Q: How does Clarivoy assess data security risks?
A: Clarivoy conducts risk assessments whenever material business or technology changes occur, identifying internal and external threats and assessing their likelihood and impact.
· Q: Are independent assessments conducted?
A: Yes. At least once every 12 months, a risk assessment is conducted by either independent third parties or personnel not involved in maintaining information systems.
3. Data Collection, Retention, and Disposal
· Q: How much Personal Data does Clarivoy collect?
A: Only the minimum amount necessary to achieve the intended business purpose.
· Q: How is Personal Data disposed of?
A: Personal Data is securely erased or destroyed so it cannot be reconstructed, following all federal and state regulations.
4. Data Inventory
· Q: Does Clarivoy track the data it processes?
A: Yes. Clarivoy maintains an inventory of Personal Data and all information systems that contain such data, reviewing them periodically.
5. Personnel Background Checks
· Q: Are employee background checks conducted?
A: Yes. Reasonable background checks, including criminal checks where permitted, are conducted for personnel with access to Personal Data and repeated periodically.
6. Personnel Training and Education
· Q: How are employees trained in data security?
A: Employees with access to Personal Data receive regular training on Clarivoy’s information security program, the importance of privacy, and the risks associated with security incidents.
7. Third Party Processor Management
· Q: How does Clarivoy manage third-party vendors who process Personal Data?
A: Clarivoy performs due diligence before engaging vendors, requires them to maintain equivalent security measures, and monitors their compliance regularly.
8. Segregation of Duties
· Q: How does Clarivoy prevent misuse of data by personnel?
A: Duties are segregated to reduce opportunities for unauthorized access, modification, or misuse of Personal Data.
9. Access Controls
· Q: Who can access Personal Data within Clarivoy?
A: Only authorized personnel with documented business needs. Access is recorded, reviewed, and terminated promptly when no longer required.
10. Secure User Authentication
· Q: How are user credentials managed?
A: Unique IDs and passwords are assigned to users. Passwords must be changed regularly, must not be reused, and must be updated at least every three months for sensitive accounts.
· Q: What happens after multiple failed login attempts?
A: User access is blocked after several unsuccessful attempts and terminated after a period of inactivity.
11. Intrusion Detection and Response
· Q: How does Clarivoy handle security incidents?
A: Clarivoy has procedures for detecting, documenting, and responding to incidents, including mandatory training and reporting protocols.
12. Encryption
· Q: How is Personal Data encrypted?
A: Clarivoy uses strong encryption (NIST AES standard or equivalent) for data stored on laptops or mobile devices, or transmitted over public networks.
13. Firewalls
· Q: What firewall protections are in place?
A: Up-to-date firewalls are maintained between Clarivoy’s systems and public or unnecessary internal networks to safeguard Personal Data.
14. Malicious Code Detection
· Q: How does Clarivoy protect against viruses and malware?
A: Malicious code detection software runs and updates daily to detect and remove threats like viruses, worms, and Trojans.
15. Change Controls
· Q: How are changes to systems reviewed?
A: Any system change is evaluated for potential impact on data security and cannot proceed if it increases risk or violates obligations.
16. Off-Premises Information Security
· Q: How is Personal Data protected outside Clarivoy’s premises?
A: Policies govern the secure handling, transport, and destruction of records offsite, with tracking and backup copies maintained.
17. Physical Security
· Q: How does Clarivoy secure physical access to Personal Data?
A: Physical access is restricted, workstations are locked when unattended, and facilities are protected against disasters and unauthorized entry.
18. Contingency Planning
· Q: What happens if there’s an emergency or data loss?
A: Clarivoy maintains contingency procedures to restore Personal Data, support critical business operations, and prioritize recovery activities.
19. Full Documentation
· Q: Where can I get more information on Clarivoy’s security processes?
A: Full documentation is available on the Clarivoy website.