Privacy Policy
Last Updated: October 23, 2024
This Privacy Policy (this “Policy”) describes the practices of ROC-P, LLC (“ROC-P”) for collecting, using, maintaining, disclosing, and otherwise processing (collectively, “processing”) the information that we collect from you, as well as how we protect and secure your data. If you have additional questions regarding your rights under this Policy or any agreement you may have with ROC-P regarding your data, please contact us. Please read this Policy carefully to understand our processing of your information and how we will treat it.
This Policy generally applies to the information that ROC-P processes. However, this Policy is subordinate to any specific terms and conditions set forth in any contract for services or other agreement you may have with ROC-P relating to a service or data.
Further, this Policy applies only to information ROC-P processes. This Policy does not apply to information collected by ROC-P’s clients, who may have their own privacy policies that apply to you. It is ROC-P’s policy, however, to treat all Personal Information received from our clients with the same or greater care that they use, and to only process the Personal Information they provide for identified, specific purposes. If you receive ROC-P’s services through one of our clients, which may include your employer, trade association, or other entity of which you are a member (all of which we will refer to in this Policy as our “Clients”), please contact them for more information on how they treat your Personal Information.
1. What information does ROC-P collect?
ROC-P generally collects what can be described as Personal Information and Non-Personal Information. We collect this information when you provide it to us, when you purchase or inquire about our goods or services, and when you have provided it to our Clients who then share it with us.
“Personal Information” is information that can be used to identify, locate, or contact you, a natural person, as well as any other information about you that we may connect with Personal Information. For example, Personal Information that we collect includes:
- Contact information such as your name, email address, phone number, physical address, username, and password;
- Relationship information such as your preferences or potential interest in ROC-P goods and services;
- Transactional information such as purchases, services requested, customer service inquiries, session data or log data (for example, your computer’s Internet Protocol address, browser type, browser version, the pages of our services that you visit, the time and date of your visit, and the time spent on those pages, to the extent any of the foregoing are kept in a form that may be used to identify you), customer account activity, and other customer account information; and
- Financial information such as credit card or banking information.
“Non-Personal Information,” on the other hand, is information that does not identify you as a natural person and is not identifiable to you as a natural person. For example, Non-Personal Information that we collect includes:
- Cookies and other similar tracking technologies processed in a non-identifiable way;
- Information we anonymize by rendering it unidentifiable to a natural person;
- Information we aggregate by combining it with other data in such a way that no natural person can be identified or linked to any specific information (for example, ROC-P collects aggregated statistics on the performance of its services and the occurrences of errors within the services); and
- The name, form, contact details, relationship information, transaction history, or financial information of legal persons. By “legal persons,” we refer to legal, business entities other than natural persons, such as corporations, limited liability companies, non-profit organizations, and other business entities.
2. Why does ROC-P collect this information?
ROC-P collects and processes Personal Information for a variety of purposes depending on the information being processed. ROC-P processes Personal Information to perform under its contractual obligations to you, providing its goods and services and processing information as may be necessary to support you in their use. ROC-P also processes Personal Information given its legitimate interest in improving its goods and services, enhancing customer experience, and identifying and marketing goods or services that may be of interest to you. Finally, ROC-P may process Personal Information as may be necessary to comply with a legal obligation.
To summarize, ROC-P processes Personal Information for the following purposes:
- To oversee and complete transactions with ROC-P customers;
- To prepare, deliver, maintain, or otherwise provide ROC-P’s services;
- To support ROC-P’s services;
- To set up and maintain your user account and allow you to interact with ROC-P and customers of ROC-P’s services;
- To provide you with customer service by resolving disputes, addressing complaints, and troubleshooting any technical problems encountered;
- To measure and understand the effectiveness of ROC-P’s services;
- To comply with applicable laws and regulations; and
- To communicate offers for goods and services, including offers based on your interests and purchase of ROC-P’s goods and services, to administer promotional events, and to engage in other marketing activities that may be of interest to you. Please note that we will provide you the opportunity to opt out of direct marketing communications or market research inquiries, but we will still need to gather certain Personal Information as necessary to provide our goods and services to you.
If we would like to process your Personal Information for any other purpose, we will disclose this to you at the time it is collected and may request your express consent.
With respect to Non-Personal Information, because this information does not identify a natural person, ROC-P may use and process it for any purpose. ROC-P expressly reserves the right to use anonymized or aggregated information to improve or develop its goods and services, create and publish reports, conduct statistical analyses about customer interest, monitor industry trends, and otherwise engage in activities that do not result in the disclosure of identifiable information.
To be clear, ROC-P is committed to respecting your privacy and will only process your Personal Information for the reasons disclosed herein or as requested at the time of collection, and then only in the context of your customer relationship with ROC-P. ROC-P will not sell, rent, or lease your Personal Information to others.
3. Will ROC-P share this information with third parties?
To provide certain services, ROC-P may have to share information with third parties who use our services or provide services to us, such as our Clients, service providers, vendors, or operators of software used in our services. For example, as noted above we may share information with your employer, trade association, or other entity of which you are a member, which has engaged us to provide our services to you and with which we will share information as necessary to provide our services. In addition, we may use third party services such as Google Analytics for the collection, monitoring, and analysis of information to improve our services, and we may use other technology providers such as Amazon Web Services, or certain products provided by Google, such as Workspace, which may have access to the information we process as necessary to deliver our services to you.
We will maintain controls and oversight appropriate to ensure that any third party who we engage to assist us in processing your Personal Information will only have access to the Personal Information necessary for it to perform specific, designated tasks on our behalf, will only use the information for this purpose, and will protect your Personal Information to at least the same extent that we do. Please note, however, that this Policy applies only to information that we process and share with others—it does not apply to Personal Information that you share with third parties.
ROC-P may also share information to comply with our legal obligations, such as responding to lawful requests from government or judicial entities. In the event we are asked to disclose your Personal Information, we will attempt to validate the request and inform you of it prior to disclosure.
Finally, ROC-P may disclose Personal Information where needed as part of a sale or transfer of our assets, enforce our rights, protect our property, or protect the rights, property, or safety of others, or as is needed to support external auditing, compliance, and governance functions.
If ROC-P needs to share your Personal Information for a purpose not identified here, we will obtain your consent before doing so and will disclose this purpose at the time of obtaining your consent. For example, ROC-P may wish to use your information in demonstrations or other marketing materials and, if so, will contact you before doing so.
4. How long will ROC-P keep my information?
ROC-P keeps different kinds of information for different lengths of time depending on the purpose for which it is processing the information and depending upon your specific situation. In any event, ROC-P will retain your Personal Information as long as is necessary to accomplish the relevant purpose, but no longer.
5. How does ROC-P keep my information secure?
We are currently observing the Security Measures described in this section. All capitalized terms not otherwise defined herein will have meanings as set forth in the General Terms.
A. Access Control
Preventing Unauthorized Product Access
- Outsourced processing: We host our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs to protect data processed or stored by these vendors.
- Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. We do not own or maintain hardware located at the outsourced infrastructure providers’ data centers. Production servers and client-facing applications are logically and physically secured from our internal corporate information systems. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
- Authentication: We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
- Authorization: Customer Data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
- Application Programming Interface (API) access: Public product APIs may be accessed using an API key.
Preventing Unauthorized Product Use
We implement industry standard access controls and detection capabilities for the internal networks that support our products.
- Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
- Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
- Static code analysis: Code stored in our source code repositories is checked for best practices and identifiable software flaws using automated tooling.
- Penetration testing: We maintain relationships with industry-recognized penetration testing service providers for penetration testing of both the ROC-P web application and internal corporate network infrastructure on a scheduled basis. The intent of these penetration tests is to identify security vulnerabilities and mitigate the risk and business impact they pose to the in-scope systems.
Limitations of Privilege & Authorization Requirements
- Product access: A subset of our employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, product development and research, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access permissions are reviewed at least once every six months.
- Background checks: Where permitted by applicable law, ROC-P employees undergo a third-party background or reference check. In the United States, employment offers are contingent upon the results of a third-party background check. All ROC-P employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
- ROC-P employee training: Conducting training to ensure anyone with access to personal data is aware of information security risks and complies with ROC-P policies and standards related to data protection.
B. Transmission Control
- In-transit: We require HTTPS encryption (also referred to as SSL or TLS) on all login interfaces. Our HTTPS implementation uses industry standard algorithms and certificates.
- At-rest: We store user passwords following policies that follow industry standard practices for security. We have implemented technologies to ensure that stored data is encrypted at rest.
C. Input Control
- Detection: We designed our infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.
- Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to you will be in accordance with the terms of the Agreement.
D. Availability Control
- Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and heating, ventilation, and air conditioning (HVAC) services.
- Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones.
- Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
- Disaster Recovery Plans: We maintain and regularly test disaster recovery plans to help ensure availability of information following interruption to, or failure of, critical business processes.
- Failover: Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.
6. What are my choices with respect to my information?
Your first choice is always to limit the information you provide. You may also opt out of certain marketing information by visiting our website and communicating your choices to us, or by clicking “unsubscribe” at the bottom of marketing emails you might receive.
Regarding cookies and other tracking technologies, you can manage these by adjusting the settings on your browser, commonly referred to as the browser’s “Do Not Track” settings. All browsers are different, so you may need to visit the “help” section of your browser to learn more about cookie preferences and other privacy settings that may be available. You can also manage how your mobile device and mobile browser share location information with ROC-P, as well as how your mobile browser handles cookies and related technologies by adjusting your mobile device privacy and security settings. Please refer to instructions provided by your mobile service provider or the manufacturer of your device to learn more. In general, ROC-P will comply with your browser’s “Do Not Track” settings, but may require the use of some cookies as necessary to provide the services.
ROC-P complies with applicable law regarding your ability to access, correct, and delete your identifiable information. If you have an online account, you may be able to log into your account to access and update certain information provided. For identifiable information that is not linked to an online account, please contact us directly.
ROC-P does not intend to collect Personal Information from children aged 16 and under. If you believe a child is providing us Personal Information, please contact us directly so we may investigate and delete it.
For assistance with exercising your choices, or if you have any questions about your choices, please contact us.
7. For California residents:
This notice does not apply to employment-related personal information collected from California-based employees, job applicants, contractors, or similar individuals.
The California Consumer Privacy Act (the “CCPA”) affords those who reside in the State of California certain rights as a data subject. If you are a resident of the State of California, we encourage you to read and learn about those rights on your own, but the following will help you to begin to understand them:
- Access: You have the right to request that we disclose certain information to you about our collection and use of your Personal Information.
- Erasure: In some cases, you may have the right to request that we erase your Personal Information in our possession.
- Data Portability: This allows you to request a copy of your Personal Information that we may have and transfer that information to someone else without any interference from us. In some cases, you may be able to request that we transfer your Personal Information directly to a third party on your behalf.
- The CCPA further provides California residents the right to direct us not to sell your personal information. WE DO NOT SELL YOUR PERSONAL INFORMATION.
We will not discriminate against you for exercising any of your CCPA rights.
The categories of Personal Information that ROC-P collects from California residents are described in Section 1, above, and include contact information, relationship information, and transactional information. The purposes for which ROC-P collects this Personal Information are described in Section 2, above, and include fulfilling orders; operating, delivering, maintaining, and otherwise providing the ROC-P goods and services you request; supporting ROC-P goods and services; setting up and maintaining your customer account and allowing you to interact with ROC-P online; providing you with customer service by resolving disputes, addressing complaints, and troubleshooting problems encountered; measuring and understanding the effectiveness of ROC-P goods and services; improving ROC-P goods and services; complying with applicable laws and regulations; and engaging in marketing activities (subject to your right to opt out of such marketing activities).
In addition, under California’s “Shine the Light” law, we state to you that we do not share your Personal Information with third parties for their direct marketing purposes.
To make a request regarding any of these rights or to ask questions or provide comments about this Privacy Notice for California Residents, please contact us.
It is our policy to post any changes to this Privacy Notice on this page. We may or may not contact you directly concerning significant changes. We encourage you to visit this page periodically and check for changes. To the extent permitted by law, your continued use of our services after a change is deemed to be your consent to any such change.
8. For international residents:
ROC-P is headquartered in the United States of America. It and its authorized processors may transfer your Personal Information to the United States of America and access it from the United States of America for the purposes described in this Policy. ROC-P protects the privacy and security of Personal Information in the manner described in this Policy regardless of where it is collected, stored, accessed, or otherwise Processed.
This Privacy Policy will apply even if we transfer Personal Data to other countries. We have taken appropriate safeguards to require that your Personal Data will remain protected wherever it is transferred. When we share Personal Data of individuals in the European Economic Area ("EEA"), Switzerland or the United Kingdom ("UK") within and among sub-processors, we rely upon the Standard Contractual Clauses (approved by the European Commission and Swiss authorities) and UK Addendum to the Standard Contractual Clauses (approved by the UK authorities) where required. We also have additional safeguards where appropriate (such as commercial industry standard secure encryption methods to protect customer data at rest and in transit, TLS for ROC-P hosted sites, web application firewall protection, and other appropriate contractual and organizational measures).
International Transfers to Third Parties
Some of the third parties described in this Privacy Policy, which provide services to us under contract, are based in other countries that may not have equivalent privacy and data protection laws to the country in which you reside. When we share Personal Data of individuals in the EEA, Switzerland or UK with third parties, we use a variety of legal mechanisms to safeguard the transfer including the European Commission-approved Data Privacy Framework Standard Contractual Clauses, as well as additional safeguards where appropriate. For transfers to or from the United Kingdom, we make use of the UK Addendum. For transfers to or from Canada, we make use of the standard contractual clauses. With respect to personal data received from or transferred to Canada, ROC-P is subject to the regulatory enforcement powers of the Office of the Privacy Commissioner of Canada. Please contact us if you need more information about the legal mechanisms we rely on to transfer personal data outside the EEA, Switzerland, Canada, and UK.
Data Privacy Framework Notice
ROC-P complies with the practices set forth within the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce (collectively “the Data Privacy Framework”). To learn more about the Data Privacy Framework (DPF) program, please visit https://www.dataprivacyframework.gov/
If you are located in the EU, UK or Switzerland, you have the right to request access to the Personal Data that we hold about you and request that we correct, amend or delete your Personal Data if it is inaccurate or processed in violation of the DPF Principles. We will give you an opportunity to opt out where Personal Data we control about you is to be disclosed to an independent third party or used for a purpose that is materially different from those set out in this Privacy Policy. If you would like to exercise any of your rights, please contact us via the details provided below.
ROC-P commits to resolve DPF Principles-related complaints about our collection and use of your Personal Data. We will investigate and attempt to resolve any DPF Principles-related complaints within 45 days. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of Personal Data received in reliance on the DPF Principles should first contact ROC-P.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, ROC-P commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
Under certain conditions, more fully described on the DPF website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. The Federal Trade Commission has jurisdiction over ROC-P’s compliance with the DPF Principles.
In the context of an onward transfer, ROC-P is responsible for the processing of Personal Data it receives under the DPF Principles and subsequently transfers to a third party acting as an agent on our behalf. ROC-P will remain liable under the DPF Principles if our agent processes your Personal Data in a manner inconsistent with the DPF Principles, unless ROC-P is not responsible for the event giving rise to the damage.
Please note that under certain circumstances, we may be required to disclose your Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
9. Does this Policy ever change?
ROC-P may post changes to this Policy on this page. Please refer to the “last updated” date above. We may or may not contact you directly concerning significant changes, and therefore we encourage you to visit this page periodically and check. By using ROC-P’s services or purchasing its goods after a change to this Policy, you are deemed to consent to any changes.
10. What if I have questions?
If you have any questions about this Policy or our information security and data privacy practices generally, or if you wish to provide comments or exercise any of your rights with respect to your personal information as identified above, contact us at support@roc-p.com. You may also write us at:
ROC-P, LLC;
Attn: Privacy
215 2nd Ave. SE Ste. 300
Cedar Rapids, Iowa 52401