CritiqueIt Security Policy v1.0
The security of Our clients’ data is paramount. In the course of providing services, we receive, store and manage data that may contain personally identifiable information that may be restricted from disclosure under one or more provisions such as FERPA (US Family Educational Rights and Privacy Act), or HIPAA (US Health Insurance Portability and Accountability Act) or rules such as COPPA (US FTC’s Child Online Privacy Protection Act). We treat ALL information from our clients as confidential. We protect client information with the same measures we use to protect our own information. We do not share any client information with anyone without express written permission from you.
1.1. Data access
220.127.116.11. Data access will be limited to CritiqueIt employees and independent contractors with a “need to know” and controlled by you. You will maintain accurate authentication and authorization data to determine access within CritiqueIt We are not responsible for the security of your authentication services or your passwords that are compromised outside of CritiqueIt.
18.104.22.168. All CritiqueIt data are stored at regional data centers in the United States. If it becomes economically feasible, you may be provided with an option to store your CritiqueIt data at regional data centers in other countries.
1.1.2. Physical access
22.214.171.124. Physical access to the data centers at which CritiqueIt is hosted is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. Data center access and information is provided only to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked. All physical access to data centers is logged and audited routinely.
1.1.3. Virtual access
126.96.36.199. All exchanges of your data, including all network connections to CritiqueIt, will take place using encryption protocols over secure network connections. All endpoints (ours and yours) must maintain current certificates. Only under exceptional circumstances should CritiqueIt employees or independent contractors store or transport any client data on personal or company-provided mobile devices (laptops, netbooks, smartphones, portable storage devices, etc.). If such storage is needed, data shall be stored for as little time as possible and always encrypted in transport and at rest and password protected. Any exceptions must be reported immediately to CritiqueIt management.
188.8.131.52. CritiqueIt employees’ and independent contractors’ access to your services is managed through a centralized LDAP authentication service. This provides a single point of management for CritiqueIt staff access as well as convenience so that staff can follow strict credentialing requirements in the CritiqueIt Employee Handbook which must be accepted as part of the CritiqueIt terms of employment.
184.108.40.206. Access to your data of all types will end immediately upon termination of employment with CritiqueIt .
220.127.116.11. Our email and shared document services are hosted by Google Apps for Business, access to which requires two-factor authentication. Our operational file store is hosted by us, access to which must use encrypted processes.
1.2. Security standards
1.2.1. Our computers and systems including those used by CritiqueIt employees and independent contractors in the conduct of their work will be protected by acceptable industry practices for antivirus, firewalls, and network and system intrusion detections systems.
1.2.2. All systems used in the storage, processing, transmittal and display of Your data must have operating systems that are current in release, with unneeded services disabled, with default administrator access shut off, and with all critical security patches updated within 24 hours after the release of the patch.
1.2.3. We will conduct routine event monitoring, promptly investigate suspicious incidents and respond accordingly.
1.2.4. SOC1-2-3 audit certifications will be conducted annually on CritiqueIt’s infrastructure. The most recent report will be made available to You at Your request. A non-disclosure agreement may be required to receive a copy of any SOC audit report.
1.2.5. We will conduct routine security assessments for vulnerabilities (buffer overflows, open ports, unnecessary services, input filtering, cross site scripting vulnerabilities, SQL injection vulnerabilities, and any other well-known vulnerabilities). identified issues will be fixed or mitigated within thirty (30) days of the report.
1.2.6. All CritiqueIt services that send or receive Your Confidential Information or Your Covered Content must utilize appropriate encryption methods (SSL, sFTP, VPN, etc.). All network connections to CritiqueIt must be encrypted. Clear text transactions are not permitted.
1.3. Changes to the policy
1.3.1. This policy may be updated from time to time. Updates will become effective as soon as they are published at www.critiqueit.com If there are any material changes to these policies, You will be notified by email prior to the change being published and becoming effective. Your continued use of CritiqueIt Services or websites constitutes your agreement to be bound by such changes to the policy. Your only remedy, if you do not accept the updated terms of a CritiqueIt policy, is to discontinue use of the CritiqueIt Service and CritiqueIt websites.
1.4.1. Confidential Information: means the information that you have provided to us as part of the contracting or purchasing process. By example, this would include names, addresses, email addresses, phone numbers, account numbers, purchase orders, and other information that is not included in Your Covered Content. Confidential Information would also include the terms and pricing of the CritiqueIt Service under this Agreement, Your Covered Content and all information clearly identified as confidential at the time of its disclosure.
1.4.2. Your Covered Content: means all CritiqueIt service data that you, your agents or your end users provide to us as part of the process of detecting and reporting plagiarism. By example, this would include student submissions, course rosters, grades, comments and annotations that may be attached to report results.
1.4.3. Us, We, Our and related terms means the company named CritiqueIt, Inc. who developed and hosts the CritiqueIt Service, as represented by Our employees and independent contractors.
1.4.4. You, Your and related terms means the subscribing entity and all affiliated personnel who use the CritiqueIt Service. By example, You would mean the college, school district, university or company whose Agents and End Users access the CritiqueIt Service.
Last updated May 25, 2017