1. Purpose and Scope
The purpose of this policy is to define the conditions of privacy under which Highwire operates its general website and under which it uses, processes, and stores the data that it collects from enrolled partners who log into and use the Highwire vendor-prequalification application.
The scope of this policy applies to the public Highwire website (www.Highwire.com) as well as all Highwire networks and IT systems, and all end-user data that is provided by enrolled clients and contractors related to the use of the Highwire application. This policy is in full effect for the duration of an active client or contractor account.
The Highwire Privacy Policy is intended to clearly and thoroughly explain our policies around cookies, data collection, data use, data processing, data transfer, data retention and deletion, notifications of personal data breaches, and how you can contact Highwire to manage or delete your information/account.
2. Visitors vs. Users
The Highwire website is openly available and Visitors to the website are not required to input any personal information in order to navigate our pages and learn about our products. Highwire does, however, use cookies as a way to help us improve the visitor experience, as further described in Section 4 below. First-time visitors to the Highwire site are immediately informed of our use of cookies via a pop-up banner and there is also a link to this policy provided within the text of the pop-up banner and at the bottom of every page on our website.
Users of the Highwire system are defined within this policy as individuals who are enrolled in Highwire’s software application, including Highwire Advanced Safety, Highwire Prequalification, Highwire Comprehensive, Highwire Inspections, and Highwire Incidents. This policy encompasses all the client and contractor users who use any aspect of the Highwire application, as well as Highwire employees.
Highwire users can be set up with one of two types of access to the Highwire web-based application - either Administrator or General User. The only standard distinction between the two access levels is that Administrators are initially set up in the system by Highwire and are given the capability to create General Users so that they can internally manage the list of their employees who will be using the Highwire application based on their specific business needs.
When a General User is added by a client or contractor Administrator, the only identifiable data that is provided by the Administrator is the name, business email address, title, and telephone number of the General User. Once an Administrator sets up a General User profile, an automatic email is sent from the Highwire system to the General User that provides a link to initiate the formal creation of a unique General User profile. During this set-up process, we use a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), which is a challenge-response system test that is designed to differentiate humans from automated programs. A CAPTCHA differentiates between humans and bots by requiring completion of a task that is easy for most humans to perform but is more difficult and time-consuming for current bots to complete. Further, during set-up, all users are required by the system to create a password that adheres to the application’s strict password system, which is described in detail in the Highwire Password Policy.
All user accounts (clients or contractors) are unique to each user and are never shared. Based on the unique username and password, a General User can only access the specific data that he/she enters. In addition, users only have access to the specific modules of the Highwire application (e.g., Highwire Advanced Safety, Highwire Inspections, Highwire Incidents) that are defined by their contractual agreement.
3. Reference Documents
Specific regulations and frameworks that are relevant to this policy include, but are not limited to:
- ISO/IEC 27001:2022
- General Data Protection Regulation (GDPR)
- EU-U.S. & Swiss-U.S. Data Privacy Frameworks (DPF) and UK Extension to the EU-U.S. DPF, U.S. Department of Commerce
- California Consumer Privacy Act (CCPA)
- Lei Geral de Proteção de Dados (LGPD)
The overarching policies that describe Highwire’s commitment to information safety are this Highwire Privacy Policy and the Highwire Information Security Policy. The purpose of the Highwire Information Policy is to provide a high-level understanding of the principles and practice of Highwire’s Information Security Management System (ISMS). While the Highwire Information Security Policy provides a general approach to information security, it is supplemented by very specific technical policies that define the measures we take to ensure the confidentiality and integrity of our data, including:
- Highwire Acceptable Use Policy
- Highwire Access Control Policy
- Highwire Change Management Policy
- Highwire Clear Desk and Clear Screen Policy
- Highwire Data Backup Policy
- Highwire Document & Data Control Policy
- Highwire Encryption Policy
- Highwire External Audit Policy
- Highwire Incident Management Policy
- Highwire Internal Audit Policy
- Highwire Logging and Monitoring Policy
- Highwire Password Policy
- Highwire Secure Engineering and Development Policy
4. Cookie Policy
To make the Highwire website work properly, small data files called cookies are sometimes placed on a visitor's or user’s device. These cookies are stored in text files on a device so that the preferences of a Visitor or User (such as language, font size, login, and other display preferences) are “remembered” when the Highwire website is subsequently loaded in a browser. This common practice does not in any way minimize Highwire’s commitment to maintaining the highest standards for the security and protection of a customer’s information. Like most websites, Highwire uses cookies to help ensure a consistent and efficient experience for visitors and users, and to perform essential functions such as allowing enrolled users to register and remain logged in.
Highwire may also use cookies to help analyze how visitors and users interact with and navigate through our sites so that we can make improvements. Cookie-related information is also used to remember and log the actions of enrolled users. Cookies are not used for any purpose other than those described herein. Specifically, the Highwire website does not enable third-party tracking mechanisms to collect data over time and across unaffiliated websites for use in interest-based advertising. In addition, Highwire sets the HttpOnly flag on all cookies, which tells the browser not to expose the cookie to client-side scripts. This flag ensures that any attempt by an attacker to read the cookie with malicious JavaScript is blocked by the browser.
Visitors to the Highwire website are immediately informed of Highwire’s use of cookies via a pop-up banner and must give consent to the use of cookies. At the same time, users are also provided with a link to a statement that explains the use of cookies/tracking mechanisms and are given the option to selectively manage their preferences.
In addition, visitors and users can block any cookies from any website through their browser settings. Note that the procedures for changing settings and cookies differ from browser to browser. For more information about how to disable cookies for the top browsers, please refer to the instructions on their respective websites:
- Mozilla Firefox
- Google Chrome
- Safari
- Opera
In addition to changing a browser’s settings to prevent cookies from being placed, an individual can also delete all cookies that are already stored on a device. If a visitor or user chooses this option, they may have to manually adjust some preferences every time they visit the Highwire site, and some services and functionalities may not work at all.
5. Data Collection
For the purposes of data collection, it is important to distinguish between Client users and Contractor users. It is also important to note that we do not knowingly collect data from children under the age of 18, and we do not target our services to children under 18.
5.1 Client Data
Client data that is collected as part of enrollment in the Highwire application, which may be categorized as Personal Data or Personally Identifiable Information (PII), includes user's full name, title, and business email address. Client users of Highwire Inspection may also opt to provide their business cell phone number to receive real-time alerts regarding inspection findings. This personal data is required as part of an enrolled client’s interaction and use of the Highwire application to allow users to set up secure accounts and to receive messages and alerts from the system.
5.2 Contractor Data
Contractor data that is collected as part of enrollment in the Highwire application, which may be categorized as Personal Data or Personally Identifiable Information (PII), includes user's full name, title, and business email. Contractor users of Highwire Inspection may also opt to provide their business cell phone number to receive real-time alerts regarding inspection findings. This personal data is required as part of an enrolled contractor’s interaction and use of the Highwire application to allow users to set up secure accounts and to receive messages and alerts from the system.
Additional information that is input and/or uploaded by a contractor as part of their use of the Highwire software may include, but is not limited to, trades performed, scope of services, geographic service areas, labor composition, safety policies/procedures/metrics, certificates of insurance, and financial statements.
No detailed safety or financial information will be shared with a client unless/until a contractor explicitly designates that client as an Authorized Recipient within the Highwire application. However, limited public information (e.g., company or entity name, trade(s), scope of services, geographic service areas) is provided to all clients in the Highwire application, which allows clients to extend bid invitations to any contractor enrolled in the Highwire application.
6. Data Use
Highwire’s ISMS is ISO 27001:2022 compliant and is managed internally by our Vice President of Product and Engineering, who acts as our Chief Information Security Officer (CISO) as defined in ISO 27001 and as our Data Protection Officer as defined in Article 37 of the GDPR. As clients and contractors use our services and systems, the Vice President of Product and Engineering sets clear parameters on how their data is used and the ways in which a user’s privacy is protected, including but not limited to:
- For users of the Highwire application, Highwire processes data solely for the purposes defined in the Client Software License and Services Agreement and/or the Contractor Participation Agreement and utilizes Amazon Web Services for all of our cloud computing as described in Section 7 below;
- Highwire guarantees the confidentiality of personal data that is processed as defined in the contract agreements and within this document;
- Highwire does not share data with any third parties and does not use any third party advertising providers;
- Highwire ensures that its employees are fully vetted and receive the appropriate personal data protection training as defined in the Highwire Administrative Manual and the Highwire Employee Handbook;
- Highwire employees acknowledge and sign the non-disclosure requirements set forth in the Highwire Employee Handbook;
- Any data transfer or download happens via the SSL protocol;
- To access data, the user must login with a username/password as fully defined in the Highwire Password Policy;
- During uploading of data, files are encrypted and stored as fully defined in the Highwire Encryption Policy, including the requirement that each encrypted file has its own key;
- Stored backups and logs are encrypted as fully defined in the Highwire Data Backup Policy, including the requirement that Highwire does not use any temporary storage.
7. Data Processing
As previously noted, Highwire uses personal data exclusively for the purposes outlined in the Client Software License and Services Agreement and/or the Contractor Participation Agreement. The Highwire Data Processing Addendum (DPA) is incorporated by reference into these agreements and is thus legally considered an integral part of them.
Highwire contracts with Amazon Web Services, a leader in cloud technology, to create a logically isolated section of AWS where we can create a Virtual Private Cloud (VPC) for our application. While AWS falls outside the scope of Highwire’s ISMS, one of the reasons for choosing AWS was their own certification under ISO/IEC 27001:2022. Specifically, AWS was issued Certificate #2013-009, which was most recently updated and reissued on 11/30/25.
In addition, as part of our agreement with AWS, we are a party to their Data Processing Addendum (DPA). This is a critical component of our commitment to data security and privacy because Amazon’s DPA is fully compliant and meets all of the requirements of the General Data Protection Regulation (GDPR), the EU-U.S. and Swiss-U.S. Data Privacy Frameworks (DPF) and UK Extension to the EU-U.S. DPF, and the California Consumer Privacy Act. Our DPA with AWS provides us with assurance on important data security requirements, including but not limited to:
- AWS will process customer data only in accordance with customer instructions.
- AWS has implemented and will maintain robust technical and organizational measures for the AWS network.
- AWS will notify its customers of a security incident without undue delay after becoming aware of the security incident.
Clients and contractors agree that, to the extent Highwire acts as a data processor, Highwire may use Amazon Web Services as a sub-processor for the processing and cloud storage of Personal Data in connection with the provision of the Highwire Services. Other sub-processors that may be used by Highwire can be found here.
8. Data Transfers
Highwire does not share data with or transfer data to any third parties and does not use any third party advertising providers.
The Highwire Application is a SaaS-based, web-hosted application. As noted in earlier sections, Highwire contracts with Amazon Web Services for cloud services. As part of that contract, AWS maintains two separate servers for Highwire in the United States with high availability, business continuity, and disaster recovery in mind. For data transfers to the United States, Highwire has elected to self-certify to the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework as fully detailed in Section 10. AWS also maintains compliance with the EU-U.S. and Swiss-U.S. Data Privacy Frameworks (DPF) and UK Extension to the EU-U.S. DPF, and those AWS certifications are classified as “Active”.
9. Data Retention and Deletion
Highwire retains all user data only for as long as we have an ongoing legitimate need to do so and are working under a client or contractor contractual agreement. Specific user accounts and Personally Identifiable Information are deleted immediately upon account deletion (by a client or contractor Administrator or by Highwire) or upon contract termination. Highwire tries to ensure that our services protect information from accidental or malicious deletion. Because of this, there may be slight delays between when a user deletes something and when copies are deleted from our active and backup systems.
As noted above, for deletion of specific user accounts, a client Administrator has the functionality to delete an account that they created from the Highwire system. In addition, upon termination of a client or contractor agreement, the Vice President of Product and Engineering will remove the access rights of associated user accounts by disabling their logins, removing their profiles from the system, and verifying that access has been terminated.
As detailed in the Highwire Contractor Participation Agreement, Highwire may de-identify and aggregate information submitted by contractors, and Highwire owns all aggregated information and may use it for any purpose and communicate it to any third party without obligation to a contractor. Aggregated information is anonymous information and is no longer Personal Data subject to data protection laws or regulations.
10. GDPR Requirements and Data Privacy Statement
Highwire complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Highwire has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. Highwire has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. Highwire has certified to the U.S. Department of Commerce that it adheres to the UK Extension to the EU-U.S. Data Privacy Framework. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles (and the UK Extension) and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program and to view our certification, please visit the DPF Website. As part of the Data Privacy Frameworks, Highwire certifies the following:
- Highwire’s self-certification is subject to the investigatory and enforcement authority of the Department of Commerce.
- Highwire collects limited Personal Data as described previously in Section 5, and we use this information only for the purposes described previously in Section 6.
- Your Rights and Choices: Individual users of the Highwire application have the right to access their Personal Data and to review, correct, amend, delete, or limit the use and/or disclosure of their Personal Data. EU, Swiss, and UK users, like all users, can securely log in to the Highwire application at any time using their unique username and password to access, review, correct, and amend their personal data. If any user of the Highwire application would like to limit the use and/or disclosure of their personal data and/or delete/erase their personal data, they can contact Highwire at support@highwire.com as described in more detail in Section 13.
- Highwire does not share data with or transfer data to any third parties and does not use any third party advertising providers. However, Highwire acknowledges that any entity, including Highwire, that does share or transfer data to third parties would remain liable if that third party processes personal data in a manner inconsistent with the principles.
- Highwire, in accordance with our legal obligations and subject to a lawful request, may transfer Personal Data to public authorities for law enforcement or national security purposes.
- Highwire encourages EU, Swiss, and UK users, and all users, who have questions, complaints, or objections about how we process their Personal Data under the Data Privacy Frameworks to contact us as described in Section 13. Highwire will work to resolve your issues as quickly as possible, but no later than 30 days after receiving a question or complaint.
In compliance with the EU-U.S. DPF and the Swiss-U.S. DPF, Highwire commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the Swiss-U.S. DPF to the International Centre for Dispute Resolution, the International Division of the American Arbitration Association (ICDR-AAA), an alternative dispute resolution provider based in New York, NY. If you do not receive a timely acknowledgment of your DPF Principles-related complaint from us or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit the DPF Website for more information or to file a complaint. The services of ICDR-AAA are provided at no cost to you.
11. California and Brazil Requirements
Highwire also maintains compliance with the California Consumer Privacy Act (CCPA) that went into effect on 1/1/20 and the Lei Geral de Proteção de Dados (LGPD) that went into effect in Brazil on 2/1/20. If the California Consumer Privacy Act (CCPA) or the LGPD applies to a user’s information, Section 13 of this policy describes the process available to a user to exercise his/her rights to receive information about Highwire data practices and/or to request deletion of his/her information/account.
Highwire does not share, sell, or transfer a user’s Personal Data. Highwire uses and processes Personal Data for business purposes only as defined in the Client Software License and Services Agreement, the Contractor Participation Agreement, and this policy.
12. Notification of Changes to the Privacy Policy or Personal Data Breaches
Highwire reserves the right to revise the Highwire Privacy Policy at any time. If substantial changes are made to this privacy notice, at a minimum, Highwire will post notification of such changes on the “Resources” link from our website at www.highwire.com. In addition, all new versions of this policy will be immediately re-posted on the Highwire website, as accessed by the direct “Privacy Policy” link found at the bottom of every page on the Highwire website.
In addition, Highwire will notify clients immediately via email of any Personal Data breach (and never later than 72 hours after having become aware of it). This notification will include any necessary documentation to enable clients to report the breach to the competent supervisory authority if required, including:
- The nature and description of the breach including the number of users who are affected;
- Analysis and root cause of the failure;
- Immediate corrective action to address the breach and mitigate the adverse effects; and,
- Other corrective actions proposed or taken to prevent any future breaches of the same nature and type.
13. Contacting Highwire
Highwire’s headquarters are located at 700 District Avenue, 7th Floor, Burlington, Massachusetts, 01803.
If you have:
- Questions
- Complaints
- Objections about Highwire’s services, employees, or data practices
- Reports of fraud
Or if you want to:
- Request deletion of your information/account
You can contact Highwire at:
Highwire, Inc.
700 District Avenue
Burlington, MA 01803
support@highwire.com
866-817-2210
Direct links to Highwire’s email address are also available on our public website and within the application for users logged into the Highwire system.
Highwire responds to written complaints by contacting the person who made the complaint to resolve any issue directly and quickly in accordance with the Service Level Agreement (SLA) outlined in the Highwire client or contractor agreement. In addition, in accordance with the principles of the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) and as detailed in Section 10, Highwire will work with the appropriate independent resource authorities, including but not limited to, the United States Department of Commerce, the ICDR-AAA, the EU Data Protection Authorities (DPAs), and the Swiss Federal Data Protection and Information Commissioner (FDPIC), as necessary to resolve any complaints to a user’s satisfaction and at no cost to the user.
14. Policy Compliance
14.1. Compliance Criteria
When evaluating the effectiveness and adequacy of this document, the following criteria must be considered:
- Number of breaches of the system.
- Number of account deletions.
- Number of requests for data security information and resolution times.
- Number of data security complaints and resolution times.
14.2 Compliance Measurement
The specific compliance criteria bulleted above are included as part of an ISMS Comprehensive Compliance Measurement Table that has been prepared by Highwire and is provided in the Highwire Information Security Policy, Appendix 1. The Vice President of Compliance will verify compliance with our overall Information Security Policy and all other technical policies by performing an annual review using the ISMS Comprehensive Compliance Measurement Table. The results of the review will be tracked, analyzed, and included as part of the ISMS Management Review meeting(s).
In addition to the formal annual review, compliance is also measured on a continual basis through various methods, including but not limited to periodic walk-throughs, business tool reports, and feedback to the policy owner.
Training and awareness of this policy are conducted as part of Highwire’s overall employee training program, as detailed in the Highwire Employee Handbook.
14.3 Exceptions
Any exception to the policy must be approved by the policy owner in advance.
14.4 Non-Compliance
An employee found to have willfully violated this policy may be subject to disciplinary action, up to and including termination of employment.
15. Review and Development
The author of this policy is considered the owner and has the responsibility for updating it whenever changes are dictated by the work. In addition, an annual review of this policy will be conducted by the Vice President of Engineering to ensure that it remains appropriate considering any relevant changes to the law, organizational policies, and/or contractual obligations.
As specified in the Highwire Document and Data Control Policy, all changes to an ISMS document must be made using "Track changes," making visible only the revisions to the previous version, either showing them in red text or strikeout. In addition, for reference, all previous versions of an ISMS document are stored on the personal user drive of the Highwire Vice President of Compliance. The versioning history for this document is defined in the table below:
