Enterprise Compliance
Our annual SOC 2 audit serves as the foundation for helping customers satisfy vendor management needs and meet their own compliance requirements, including HIPAA.
The report contains an Auditor’s Opinion on the suitability of the design of our controls, evaluated over a 12-month period, and on whether those controls operated as described throughout that period.
To request a copy of the audit report, email [email protected].
We comply with GDPR through the information-collection disclosures in our Privacy Policy.
We use servers located in the United States, the European Economic Area (EEA), and Asia to collect, store, and process the data we collect. All of these locations are in jurisdictions where the EU has determined that adequate data protection laws are in place to protect your data.
We reserve the right to retain network logging data for as long as is needed to ensure the security and safety of the systems we use and on which we host customer data, in any country. Consistent with the regulatory, legal, and security requirements in Chapter 2 of the General Data Protection Regulation, the retention period is determined by the type of data, the security implications of storing it, the legal requirements that apply to it, and the privacy of the individual referenced in it.
We take the security of the data we hold seriously and recognize our responsibility to the individuals whose data is stored on our systems and servers. Our Privacy Policy describes the security measures we use to protect your data on our systems; the headings below describe what kinds of data we keep and the process to request, review, change, or remove data we hold.
Services that are in scope for PCI DSS compliance include colocation, custom private clouds, and custom public clouds.
Our annual AT-101 SOC 2 Type II audit serves as the foundation for helping our healthcare customers meet HIPAA compliance requirements.
We also regularly enter into Business Associate Agreements (BAAs) to support healthcare customers.
We may collect, capture, or otherwise obtain Biometric Data and may provide such Biometric Data to our vendors and the licensor of our Systems. This policy covers the requirements for collecting, storing and erasing Biometric Data on our Systems.
Definitions
Biometric Data – includes “Biometric Identifier” and “Biometric Information” as defined in the Illinois Biometric Information Privacy Act, 740 ILCS § 14/1, et seq., and as set out below.
Biometric Identifier – means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996.
Biometric Information – means any information, regardless of how it is captured, converted, stored, or shared, based on an individual’s Biometric Identifier used to identify an individual. Biometric Information does not include information derived from items or procedures excluded under the definition of Biometric Identifiers.
Systems – means, for the purpose of this Policy, computer systems, applications and software used to collect, store and process Biometric Data. Examples may include door access systems, time & attendance systems and systems used to provide authorization.
Purpose for Collection of Biometric Data
Summit, its vendors, and/or the licensor of the Systems we use collect, store, and use Biometric Data for employee identification, fraud prevention, pre-employment hiring purposes, and access control to various facilities and Systems.
Note: The data center manages and maintains its own access control system, independent of Summit, and will require a separate consent to collect biometric data.
Authorization
Before collecting Biometric Data, we must first:
- Inform the individual that Summit is collecting, capturing, or otherwise obtaining their Biometric Data, and that Summit is providing such Biometric Data to its vendors and the licensor of our Systems; and
- Inform the individual in writing of the specific purpose and length of time for which their Biometric Data is being collected, stored, and used.
In addition, Summit, its vendors, and the licensor of our Systems will not sell, lease, trade, or otherwise profit from Biometric Data; provided, however, that our vendors and the licensor of our Systems may be paid for products or services used by Summit that use such Biometric Data.
Disclosure
Summit will not disclose or disseminate any Biometric Data to anyone other than its vendors and the licensor of Summit’s Systems that use Biometric Data unless:
- First obtaining written consent to such disclosure or dissemination;
- The disclosure completes a financial transaction requested or authorized by the individual whose Biometric Data is being collected;
- Disclosure is required by state or federal law or municipal ordinance; or
- Disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.
Retention Schedule
Summit shall retain Biometric Data only until, and shall request that its vendors and the licensor of Summit’s Systems permanently destroy such data when, the first of the following occurs:
- The initial purpose for collecting or obtaining such Biometric Data has been satisfied, such as the termination of the individual’s relationship with Summit;
- The individual requests the removal of Biometric Data; or
- Within three (3) years of the individual’s last interaction with Summit.
Data Storage
Summit shall use a reasonable standard of care to store, transmit and protect from disclosure any Biometric Data collected. Such storage, transmission, and protection from disclosure shall be performed in a manner that is the same as or more protective than the manner in which Summit stores, transmits and protects from disclosure other confidential and sensitive information, including personal information that can be used to uniquely identify an individual or an individual’s account.