VeriCite® Security Policy v4.4

The security of Our clients’ data is paramount.  In the course of providing services, we receive, store and manage data that may contain personally identifiable information that may be restricted from disclosure under one or more provisions such as FERPA (US Family Educational Rights and Privacy Act), or HIPAA (US Health Insurance Portability and Accountability Act) or rules such as COPPA (US FTC’s Child Online Privacy Protection Act).  We treat ALL information from our clients as confidential.   We protect client information with the same measures we use to protect our own information.   We do not share any client information with anyone without express written permission from you.

1.1. Data access

1.1.1. General

1.1.1.1. Data access will be limited to VeriCite® employees with a "need to know" and controlled by you. You will maintain accurate authentication and authorization data to determine access within VeriCite®.  We are not responsible for the security of your authentication services or your passwords that are compromised outside of VeriCite®.

1.1.1.2. All VeriCite® data are stored at regional data centers in the United States.   If it becomes economically feasible, you may be provided with an option to store your VeriCite® data at regional data centers in other countries.  

1.1.2. Physical access

1.1.2.1. Physical access to the data centers at which VeriCite® is hosted is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.  Data center access and information is provided only to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked. All physical access to data centers is logged and audited routinely.

1.1.3. Virtual access

1.1.3.1. All exchanges of your data, including all network connections to VeriCite®, will take place using encrypting protocols over secure network connections. All endpoints (ours and yours) must maintain current certificates. Only under exceptional circumstances should VeriCite® employees store or transport any client data on personal or company-provided mobile devices (laptops, netbooks, smartphones, portable storage devices, etc.). If such storage is needed, data shall be stored for as little time as possible and always encrypted in transport and at rest and password protected. Any exceptions must be reported immediately to VeriCite® management.

1.1.3.2. VeriCite® employees’ access to your services is managed through a centralized LDAP authentication service. This provides a single point of management for VeriCite® staff access as well as convenience so that staff can follow strict credentialing requirements in the VeriCite® Employee Handbook which must be accepted as part of the VeriCite® terms of employment.

1.1.3.3. Access to your data of all types will end immediately upon termination of employment with VeriCite®.

1.1.3.4. Our email and shared document services are hosted by Google Apps for Business, access to which requires two-factor authentication.  Our operational file store is hosted by us, access to which must use encrypted processes.

1.2. Security standards

1.2.1. Our computers and systems, including those used by VeriCite® employees in the conduct of their work, will be protected by acceptable industry practices for antivirus, firewalls, and network and system intrusion detection systems.

1.2.2. All systems used in the storage, processing, transmittal and display of Your data must have operating systems that are current in release, with unneeded services disabled, with default administrator access shut off, and with all critical security patches updated within 24 hours after the release of the patch.

1.2.3. We will conduct routine event monitoring, promptly investigate suspicious incidents and respond accordingly.

1.2.4. SOC1-2-3 audit certifications will be conducted annually on VeriCite®’s infrastructure.   The most recent report will be made available to You at Your request.  A non-disclosure agreement may be required to receive a copy of any SOC audit report.

1.2.5. We will conduct routine security assessments for vulnerabilities (buffer overflows, open ports, unnecessary services, input filtering, cross site scripting vulnerabilities, SQL injection vulnerabilities, and any other well-known vulnerabilities).  Identified issues will be fixed or mitigated within thirty (30) days of the report.

1.2.6. All VeriCite® services that send or receive Your Confidential Information or Your Covered Content must utilize appropriate encryption methods (SSL, sFTP, VPN, etc.).   All network connections to VeriCite® must be encrypted. Clear text transactions are not permitted.

1.3. Changes to the policy

1.3.1. This policy may be updated from time to time.  Updates will become effective as soon as they are published at www.vericite.com/security. If there are any material changes to these policies, You will be notified by email prior to the change being published and becoming effective. Your continued use of VeriCite® Services or websites constitutes your agreement to be bound by such changes to the policy. Your only remedy, if you do not accept the updated terms of a VeriCite® policy, is to discontinue use of the VeriCite® Service and VeriCite® websites.

1.4. Definitions

1.4.1. Confidential Information: means the information that you have provided to us as part of the contracting or purchasing process.  By example, this would include names, addresses, email addresses, phone numbers, account numbers, purchase orders, and other information that is not included in Your Covered Content.  Confidential Information would also include the terms and pricing of the VeriCite® Service under this Agreement, Your Covered Content and all information clearly identified as confidential at the time of its disclosure.

1.4.2. Your Covered Content: means all VeriCite® service data that you, your agents or your end users provide to us as part of the process of detecting and reporting plagiarism.  By example, this would include student submissions, course rosters, grades, comments and annotations that may be attached to report results.

1.4.3. Us, We, Our and related terms means the company named VeriCite, LLC who developed and hosts the VeriCite® Service, as represented by Our employees.

1.4.4. You, Your and related terms means the subscribing entity and all affiliated personnel who use the VeriCite® Service. By example, You would mean the college, school district, university or company whose Agents and End Users access the VeriCite® Service.