Customer Support: 866-817-2210
The purpose of this policy is to define the conditions of privacy under which Highwire operates its general website and under which it uses, processes, and stores the data that it collects from enrolled clients who log into and use the Highwire vendor-prequalification application.
The scope of this policy applies to the public Highwire website (www.Highwire.com) as well as all Highwire networks and IT systems and all end user data that is provided by enrolled clients related to the use of the Highwire System. End user data includes, but is not limited to, names, business emails, and business phone numbers. Users of the Highwire Inspect module may also opt to provide their business cell phone numbers in order to receive alerts regarding inspection findings. This personal end user data is required as part of an enrolled client’s interaction and use of the Highwire application to allow users to set up secure accounts and to receive messages and alerts from the system. This policy is in full effect for the duration of an active client account.
The Highwire Privacy Policy is intended to clearly and thoroughly explain our policies around cookies, data collection, data use, data processing, data transfer, data retention and deletion, notifications of personal data breaches, and how you can contact Highwire to manage or delete your information/account.
The Highwire website is openly available and Visitors to the website are not required to input any personal information in order to navigate our pages and learn about our products. Highwire does, however, use cookies as a way to help us improve the visitor experience, as further described in Section 4 below. First-time visitors to the Highwire site are immediately informed of our use of cookies via a pop-up banner and there is also a link to this policy provided within the text of the pop-up banner and at the bottom of every page on our website.
Users of the Highwire system are defined within this policy as individuals who are enrolled in one or more of Highwire’s software products, including Highwire Safety, Highwire Financial, Highwire Tracker, and/or Highwire Inspect. This policy encompasses all of the client end Users who use any aspect of the Highwire system, as well as Highwire employees.
Highwire Users can be set up with 1 of 2 types of access to the Highwire web based application – either Administrative or General. The only standard distinction between the two access levels is that Administrative Users are initially set up in the system by Highwire and are given the capability to create General Users so that they can internally manage the list of their employees who will be using the Highwire application based on their specific business needs.
When a General User is added by a client Administrator, the only identifiable data that is provided by the Administrator is the name, business email address, and telephone number of the General User. Once a client Administrator sets up a General User profile, an automatic email is sent from the Highwire system to the General User that provides a link to initiate the formal creation of a unique General User profile. During this set-up process, we use a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), which is a challenge-response system test that is designed to differentiate humans from automated programs. A CAPTCHA differentiates between human and bot by requiring completion of a task that is easy for most humans to perform but is more difficult and time-consuming for current bots to complete. Further, during set-up, all users must create and adhere to a strict password system that is described in detail in the Highwire Password Policy.
End user accounts are unique to each user and are never shared. Based on the unique username and password, a General User is only able to access the specific data that he/she enters. In addition, end users only have access to the specific modules of the Highwire application (e.g., Highwire Safety, Highwire Financial, Highwire Tracker, Highwire Inspect) that are defined by their client contract agreement.
Specific regulations and frameworks that are relevant to this policy include, but are not limited to:
The overarching policies that describe Highwire’s commitment to information safety is this Highwire Privacy Policy and the Highwire Information Security Policy. The purpose of the Highwire Information Policy is to provide a high-level understanding of the principles and practice of Highwire’s Information Security Management System (ISMS). While the Highwire Information Security Policy provides a general approach to information security, it is supplement by very specific technical policies that define the measures we take to ensure the confidentiality and integrity of our data, including:
In addition, there are several internal Highwire manuals that contain organizational information that is relevant to our information security and how we communicate that to employees and clients, including:
To make the Highwire website work properly, small data files called cookies are sometimes placed on a Visitor or User’s device. These cookies are stored in text files on a device so that the preferences of a Visitor or User (such as language, font size, login, and other display preferences) are “remembered” when the Highwire website is subsequently loaded in a browser. This common practice does not in any way minimize Highwire’s commitment to maintaining the highest standards for the security and protection of a customers’ information. Like most websites, Highwire uses cookies to help ensure a consistent and efficient experience for Visitors and Users, and to perform essential functions such as allowing enrolled users to register and remain logged in.
Highwire may also use Cookies to help analyze how Visitors and Users interact with and navigate through our sites so that we can make improvements. Cookie-related information is also used to remember and log the actions of enrolled Users. Cookies are not used for any purpose other than those described herein. Specifically, the Highwire website does not enable 3rd-party tracking mechanisms to collect data over time and across unaffiliated websites for use in interest-based advertising. In addition, Highwire flags all cookies with a special HttpOnly flag that tells the browser that this particular cookie should only be accessed by the browser. This HttpOnly flag ensures any attempt by an attacker to access the cookie with malicious JavaScript is strictly prohibited.
Visitors and Users can block any cookies from any website through their browser settings. Note that the procedures for changing settings and cookies differ from browser to browser. For more information about how to disable cookies for the top browsers, please refer to the instructions on their respective websites:
In addition to changing a browsers’ settings to prevent cookies from being placed, an individual can also delete all cookies that are already stored on a device. If a Visitor or User chooses this option, they may have to manually adjust some preferences every time they visit the Highwire site and some services and functionalities may not work at all.
First-time visitors to the Highwire website are immediately informed of Highwire’s use of cookies via a pop-up banner.
End user data that is collected as part of enrollment in the Highwire Application that is categorized as Personal Data or Personally Identifiable Information (PII) includes user full names, business emails, and business phone numbers. Users of the Highwire Inspect module may also opt to provide their business cell phone numbers in order to receive alerts regarding inspection findings. This personal end user data is required as part of an enrolled client’s interaction and use of the Highwire application to allow users to set up secure accounts and to receive messages and alerts from the system.
Highwire’s ISMS is ISO 27001 compliant and is managed internally by our Vice President of Engineering, who acts as our Chief Information Security Officer (CISO) as defined in ISO 27001 and as our Data Protection Officer as defined in Article 37 of the GDPR. As clients use our services and systems, the Vice President of Engineering sets clear parameters on how their data is used and the ways in which a user’s privacy is protected, including but not limited to:
As noted above, Highwire uses Personal Data solely for the purposes defined in the Client Software License and Services Agreement and/or the Subcontractor Participation Agreement. In addition, as detailed in the Highwire Administrative Manual, Highwire contracts with Amazon Web Services, a leader in cloud technology, to create a logically isolated section of AWS where we can create a Virtual Private Cloud (VPC) for our system. While AWS falls outside the scope of Highwire’s ISMS, one of the reasons for choosing AWS was their own certification under ISO/IEC 27001:2013. Specifically, AWS was issued Certificate #2013-009 on 11/18/10, which was updated and re-issued most recently on 1/18/22.
In addition, as part of our agreement with AWS, we are a party to their Data Processing Addendum (DPA). This is a critical component of our commitment to data security and privacy because Amazon’s DPA is fully compliant and meets all of the requirements of the General Data Protection Regulation (GDPR), the EU-US and SWISS-US Privacy Shield Frameworks, and the California Consumer Protection Act. Our DPA with AWS provides us with assurance on important data security requirements, including but not limited to:
Highwire does not share data with or transfer data to any third parties and does not use any third party advertising providers.
The Highwire Application is a SaaS based, web-hosted application. As noted in earlier sections, Highwire contracts with Amazon Web Services for cloud service. As part of that contract, AWS maintain servers for Highwire in both the United States and Europe (Frankfort, Germany) to ensure that data from European Union (EU) countries (including Iceland, Liechtenstein, Norway, and Switzerland) is kept in an EU country. AWS maintains compliance with both the EU-US Privacy Shield Framework and the SWISS-US Privacy Shield Framework and both certifications are classified as “Active”.
Highwire retains all end user data only for as long as we have an ongoing legitimate need to do so and are working under a client or subcontractor agreement. Specific user accounts and Personally Identifiable Information are deleted immediately upon account deletion (by a client Administrative User or by Highwire) or upon contract termination. Highwire tries to ensure that our services protect information from accidental or malicious deletion. Because of this, there may be slight delays between when a user deletes something and when copies are deleted from our active and back-up systems.
As noted above, for deletion of specific user accounts, a client Administrative User has the functionality to delete an account that they created from the Highwire system. In addition, upon termination of a client or subcontract agreement, the Vice President of Engineering will remove the access rights of associated end user accounts by disabling their logins, removing their profiles from the system, and verifying that access has been terminated.
As detailed in the Highwire Subcontractor Participation Agreement, Highwire may de-identify and aggregate information submitted by subcontractors and that Highwire owns all aggregated information and may use it for any purpose and communicate it to any third party without obligation to a subcontractor. Aggregated information is anonymous information and is no longer Personal Data subject to data protection laws or regulations.
Implementing an ISO 27001 compliant Information Security Management System (ISMS) is not only best practice, but it is also integral to demonstrating data protection compliance to clients, subcontractors, and third parties. In addition, by implementing ISO 27001, Highwire has created a strong framework to ensure compliance with the European Union General Data Protection Regulation (GDPR) that went into effect on 5/25/2018.
To ensure GDPR compliance, Highwire complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the United States Department of Commerce regarding the collection, use, and retention of Personal Data transferred from The European Union and Switzerland to the United States. Highwire has certified to the US Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in the Highwire Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield Program, and to view our certification, please visit:
https://www.privacyshield.gov/.
As part of the Privacy Shield Framework and Principles, Highwire certifies the following:
Highwire also maintains compliance with the California Consumer Privacy Act (CCPA) that went into effect on 1/1/20 and the Lei Geral de Protecão de Dados (LGPD) that went into effect in Brazil on 2/1/20. If the California Consumer Privacy Act (CCPA) or the LGPD applies to a user’s information, Section 13 of this policy describes the process available to a user to exercise his/her rights to receive information about Highwire data practices and/or to request deletion of his/her information/account.
Highwire does not share, sell, or transfer a user’s Personal Data. Highwire uses and processes Personal Data for business purposes only as defined in the Client Software License and Services Agreement, the Subcontractor Participation Agreement, and this policy.
Highwire reserves the right to revise the Highwire Privacy Policy at any time. If substantial changes are made to this privacy notice, Highwire will post notification of such changes on the “Highwire Announcements” that is linked from our website at www.Highwire.com. In addition, all new versions of this policy will be immediately re-posted on the Highwire website, as accessed by the direct “Privacy Policy” link that is found at the bottom of every page on the Highwire website.
In addition, Highwire will notify clients immediately via email of any personal data breach (and never later than 72 hours after having become aware of it). This notification will include any necessary documentation to enable clients to notify this breach to the competent supervisory authority if required, including:
Highwire is located at 700 District Avenue, 7th Floor, Burlington, Massachusetts, 01803.
If users have any questions or complaints about Highwire’s data practices, if they would like to request deletion of their information/account, or if they have any reports of fraud, they can contact the Vice President of Engineering or the Vice President of Compliance at the above address, by email at support@Highwire.com, or telephone at 866-817-2210. Direct links to Highwire’s email address are also available on our public website and after users log in to the Highwire system.
Highwire responds to written complaints by contacting the person who made the complaint to resolve any issue directly and quickly in accordance with the Service Level Agreement (SLA) outlined in the Highwire client or subcontractor agreement. In addition, in accordance with the principles of the EU-US and Swiss-US Privacy Shield Frameworks and as detailed in Section 10, Highwire will work with the appropriate independent resource authorities, including but not limited to, the United States Department of Commerce, the United States Federal Trade Commission, The EU Data Protection Authorities (DPAs), and the Swiss Federal Data Protection and Information Commissioner (FDPIC), as necessary to resolve any complaints to a user’s satisfaction and at no cost to the user.
a. Compliance Criteria
When evaluating the effectiveness and adequacy of this document, the following criteria must be considered:
b. Compliance Measurement
The specific compliance criteria bulleted above are included as part of an ISMS Comprehensive Compliance Measurement Table that has been prepared by Highwire and is provided in the Highwire Information Security Policy, Appendix 1. The Vice President of Engineering will verify compliance with our overall Information Security Policy, and all other technical policies, by performing an annual review using the ISMS Comprehensive Compliance Measurement Table. The results of the review will be tracked, analyzed, and included as part of the ISMS Management Review meeting(s).
In addition to the formal annual review, compliance is also measured on a continual basis through various methods, including but not limited to, periodic walk-throughs, business tool reports, and feedback to the policy owner.
Training and awareness with this policy is conducted as part of Highwire’s overall employee training program as detailed in the Highwire Employee Handbook.
c. Exceptions
Any exception to the policy must be approved by the policy owner in advance.
d. Non-Compliance
An employee found to have willfully violated this policy may be subject to disciplinary action, up to and including termination of employment.
The author of this policy is considered the owner and has the responsibility for updating it whenever changes are dictated by the work. In addition, an annual review of this policy will be conducted by the Vice President of Engineering to ensure that it remains appropriate considering any relevant changes to the law, organizational policies, and/or contractual obligations.
As specified in the Highwire Administrative Manual, all changes to an ISMS document must be made using “Track changes,” making visible only the revisions to the previous version, either showing them in red text or strikeout. In addition, for reference, all previous versions of an ISMS document are stored on the personal user drive of the Highwire Vice President of Compliance. The versioning history for this document is defined in the table below:
Copyright © 2022 Highwire. All Rights Reserved. Privacy Policy EEA Privacy Notice
