Engage Squared Pty Ltd (“Engage Squared”) offers tools and platform commercialised as “Board Connect” which provide assistance with the organisation, orchestration and management of meetings. Engage Squared understands the importance of protecting individuals’ privacy and their personal information. For this reason, we strive to have business procedures and security safeguards in place to protect personal information under its control.
1 Application and Scope
2 International Compliance
Engage Squared complies with: (i) data protection laws applicable to Engage Squared; and (ii) applicable industry standards concerning data protection, confidentiality or information security.
Engage Squared has global operations and therefore, in some cases, information managed by Engage Squared may be transferred, processed and stored to other countries, although at all times, Engage Squared will ensure that personal information is protected by confidentiality and security procedures and protections that are, at a minimum, equivalent to those employed by Engage Squared itself.
Engage Squared complies with this Policy as well as applicable Australian data protection laws as well as protection of personal information according to the General Data Protection Regulation (GDPR), being Regulation 2016/679 of the European Parliament and of the Council.
3 Definition of Personal Information
Personal Information has the meaning attributed to that term in the GDPR;
4 Collection and Use of Personal Information through the Service
When providing the Service, Engage Squared only processes personal information in accordance with the Terms and applicable laws. Engage Squared generally uses personal information from or about its Customers and Users (as defined in the Terms), (hereinafter referred to as “Customer’s Personal Information”) for the following purposes:
- to create, establish and administer Customer’s account, to respond to Customer’s inquiries related to its account and to contact Customer about Engage Squared’s services or account-related matters;
- to provide Services, including to provide Customer and its Users with access and use of the Board Connect platform and customer support;
- to measure and analyse User behaviour in order to, among others, monitor, maintain and improve Engage Squared’s Services or features and to create new services or features;
- to personalise or customise the experience when using the services;
- to meet legal and regulatory requirements and to allow Engage Squared to meet contractual requirements relating to the services provided to Customer;
When the Customer signs up to use the Service, we collect the following data types:
Tenant data (such as the Office 365 – tenant directory ID, and the GUID reference to teams where the software has been added).
All Customer data collected and managed by Engage Squared is classified as sensitive and treated as such. Unless required or authorized by law, Engage Squared will not use Personal Information for Customer or User for any other or new purpose without obtaining prior consent. Engage Squared may use information provided by Customers to create de-identified data aggregated for research and benchmarking purposes.
5 Collection and Use of Personal Information through the Website
Engage Squared generally collects and uses personal information from or about its website users as follows:
(a) Information provided by users. In many cases, Engage Squared collects personal information directly from users when they visit or use the website. For instance, Engage Squared may collect the following types of information:
(i) Inquiries and Requests for a Trial or Service. Engage Squared may collect users’ name, contact information, e-mail address, company details and any other information provided when users make an inquiry or contact Engage Squared through the website, when users sign up to receive Engage Squared’s newsletter or when users submit a request or an order for an Engage Squared trial or service. Engage Squared will only use this information to process and answer users’ request or to manage Engage Squared everyday business needs in connection with such request.
(ii) Personalization of Website. When users visit the website, they may, from time to time, be invited to provide information such as user’s title to help Engage Squared personalise or customise the users experience when using the website.
(b) Technical information. When users visit the website, Engage Squared may collect, using electronic means such as cookies, technical information. This information may include information about visits to the website, including the IP address of the users’ computer and which browser was used to view the website, the users’ operating system, resolution of screen, location, language settings in browsers, the site the user came from, keywords searched (if arriving from a search engine), the number of page views, information entered, advertisements seen, etc. This data is used to measure and improve the effectiveness of the website or enhance the experience for users. While most of the time this information is depersonalized, if this information relates to an identifiable individual, Engage Squared will treat this information as personal information. Engage Squared may also, without limitations, collect and use the following type of information when users visit and/or interact with Engage Squared on the website:
(i) Google Analytics: Engage Squared uses Google Analytics which allows it to see information on user website activities including, but not limited to, page views, source and time spent on our website. This information is depersonalized and is displayed as numbers, meaning that it cannot be tracked back to individuals. Users may opt-out of Engage Squared’s use of Google Analytics by visiting the Google Analytics opt-out page.
(d) Privacy Policies of other Websites. This Policy only addresses the use and disclosure of information by Engage Squared. Other websites that may be accessible through the website have their own privacy policies and data collection, use and disclosure practices.
(e) Personal Information from other Sources. Engage Squared may obtain from third parties additional personal information about a website user if such user gave permission to those third parties to share its information.
6 Sharing of Personal Information
Engage Squared will not sell, rent or trade personal information to any third party. However, Engage Squared may share personal information when authorized and/or required by law or as follows:
(a) As permitted or required by law. Engage Squared may disclose personal information as required by applicable law or by proper legal or governmental authority. Engage Squared may also disclose information to its accountants, auditors, agents and lawyers in connection with the enforcement or protection of its legal rights. Engage Squared may also release certain personal information when it has reasonable grounds to believe that such release is reasonably necessary to protect the rights, property and safety of others and itself, in accordance with or as authorized by law. In the event Engage Squared receives a governmental or other regulatory request for any Customer’s Personal Information, it agrees to immediately notify Customer in order that Customer shall have the option to defend such action. Engage Squared shall reasonably cooperate with Customer in such defence.
(b) Business transaction. Engage Squared may disclose personal information to a third party in connection with a sale or transfer of business or assets, an amalgamation, re-organization or financing of parts of our business. However, in the event the transaction is completed, personal information will remain protected by applicable data protection laws. In the event the transaction is not completed, Engage Squared will require the other party not to use or disclose the personal information received in any manner whatsoever and to delete such information.
7 Security of Personal Information for the Service
Engage Squared will store and process the personal information in a manner consistent with industry security standards. Engage Squared has implemented technical, organizational and administrative systems, policies, and procedures to help ensure the security, integrity and confidentiality of personal information and to mitigate the risk of unauthorized access to or use of personal information, including (i) appropriate administrative, technical and physical safeguards and other security measures designed to ensure the security and confidentiality of the personal information it manages; (ii) a security design intended to prevent any compromise of its own information systems, computer networks or data files by unauthorized users, viruses or malicious computer programs; (iii) appropriate internal practices including, but not limited to, encryption of data in transit; using appropriate firewall and antivirus software; maintaining these countermeasures, operating systems and other applications with up-to-date virus definitions and security patches so as to avoid any adverse impact to the personal information that it manages; appropriate logging and alerts to monitor access controls and to assure data integrity and confidentiality; permitting only authorized users access to systems and applications; and (iv) all persons with authorized access to personal information must have a genuine business need-to-know prior to access (Security Program).
8 Training and Supervision
Engage Squared maintains adequate training programs to ensure that its employees and any others acting on its behalf are aware of and adhere to its Security Program. Engage Squared shall exercise necessary and appropriate supervision over its relevant employees to maintain appropriate confidentiality and security of the personal information it manages.
9 Data Incidents involving Customer’s Personal Information
Engage Squared shall immediately notify Customer of any reasonably suspected or actual loss of data or breach or compromise of its Security Program which has or may result in the loss or unauthorized access, disclosure, use or acquisition of Customer’s Personal Information (including hard copy records) or otherwise presents a potential threat to such information (Data Incident). While the initial notice may be in summary form, a comprehensive written notice shall be given within 48 hours to Customer. The notice shall summarize in reasonable detail the nature and scope of the Data Incident (including each data element type) and the corrective action already taken or to be taken by Engage Squared. Engage Squared shall promptly take all necessary and advisable corrective actions, and shall cooperate fully with Customer in all reasonable efforts to mitigate the adverse effects of Data Incident and to prevent its recurrence.
10 European Union
The following sections relate specifically to GDPR for the purpose of delivering the Service to the Customer.
(a) The Customer is the data controller and Engage Squared is the data processor.
(b) All Engage Squared employees and contractors have a responsibility for ensuring that Customer data we collect is stored and handled appropriately. In particular:
(i) The Engage Squared Executive Committee has ultimate responsibility for ensuring that Engage Squared Analytics meets its legal obligations.
(ii) The Engage Squared Analytics Data Protection Officer / Senior Responsible Officer for Security is responsible for:
- Ensuring that information security and privacy requirements are adequately addressed.
- Keeping the Engage Squared Executive Committee updated about data protection responsibilities, risks and issues.
- Reviewing all data protection policies, standards and procedures as per the Information Security Management System (ISMS).
- Arranging data protection training for all Engage Squared analytics employees and contractors.
- Addressing data protection questions from staff, customers or individuals e.g. data subject access requests.
- Approving any contracts or agreements with third parties that may handle sensitive data.
- Approving any data protection statements attached to communications.
- Ensuring marketing initiatives are compliant with data protection principles.
(iii) The Engage Squared – Chief Technology Officer is responsible for:
- Ensuring all systems, software, services and equipment used for storing data meet acceptable security standards.
- Performing regular checks and scans to ensure security systems are functioning properly.
- Evaluating the on-going effectiveness of third party services used by Engage Squared Analytics.
(c) Our Customers also have certain obligations. These include:
(i) Ensuring consent from data subjects for Engage Squared to process data
(ii) Nominating a point of contact for data subject requests
(iii) Validating data subject requests
(iv) Where relevant, correcting any personal information for users which has been provided to Engage Squared
(d) Engage Squared runs its systems on state-of-the-art data centres located in a region agreed to by the Customer. These state-of-the-art, highly secure and universally trusted data centres provide protection of hardware, software, networks, data and facilities utilising a range of verified controls in compliance with a comprehensive set of international protective security standards.
(e) Engage Squared has implemented a range of comprehensive security controls to protect customer data. These include:
- Encryption of all data at rest and in transit.
- Role based access controls ensuring limited access to data.
- Connections secured via SSL/TLS.
- Secure application development practices that incorporate privacy by-design principles and integrated security reviews throughout design, coding and deployment.
- Annual penetration test and automated monthly perimeter scans
(f) All Engage Squared data is sourced from the Customer’s Microsoft Teams or SharePoint instances. Any update in the Customer Teams or SharePoint system is automatically replicated in the Engage Squared system. Customers can choose to add or remove additional user attribute data to Engage Squared.
(i) Data subject access requests for accessing, changing or removing personal information must be handled by the Customer and applied in the Customer’s own Microsoft Teams or SharePoint instances. Any requests received by Engage Squared will be referred to the Customer
(ii) It is the responsibility of the Customer to update any data inaccuracies in the source Microsoft Teams or SharePoint instances and/or to update any user attribute data provided to Engage Squared.
(g) Engage Squared retains a maximum of two years of Teams/SharePoint data for each customer. Data which has a date stamp in excess of two years is deleted. Upon the expiry of the subscription agreement between Engage Squared and the customer all raw data will be deleted.
(h) Personal information held in Engage Squared will be stored in one of Engage Squared’s regional data centres as nominated by the customer. For support and troubleshooting purposes, some customer data may be accessed by Engage Squared support staff in Australia. Engage Squared has implemented a range of appropriate safeguards via various controls and mechanisms (some described above) to ensure the protection of personal information.
(i) Any requests for support to respond to data subject request must be emailed to firstname.lastname@example.org by the customer’s nominated point of contact. If Engage Squared receives requests from a user directly we will refer the user to the Customer. Any data subject requests received which are not received from the customer’s nominated point of contact, will be forwarded to the nominated point of contact for validation.
11 How to Contact Us
Any questions or complaints regarding this Policy, GDPR or Engage Squared’s handling of personal information can be addressed by sending an email to email@example.com
Engage Squared will review and update its policies and procedures as required to keep current with rules and regulations, new technologies, standards and customer concerns. This Policy may therefore change from time to time.
This Policy was last updated on 31 March 2020.