ConstructSecure is now Highwire


Privacy Policy

1. Purpose and Scope

The purpose of this policy is to define the conditions of privacy under which Highwire operates its general website and under which it uses, processes, and stores the data that it collects from enrolled clients who log into and use the Highwire vendor-prequalification application.  

The scope of this policy applies to the public Highwire website (www.Highwire.com) as well as all Highwire networks and IT systems and all end user data that is provided by enrolled clients related to the use of the Highwire System.  End user data includes, but is not limited to, names, business emails, and business phone numbers.  Users of the Highwire Inspect module may also opt to provide their business cell phone numbers in order to receive alerts regarding inspection findings.  This personal end user data is required as part of an enrolled client’s interaction and use of the Highwire application to allow users to set up secure accounts and to receive messages and alerts from the system.  This policy is in full effect for the duration of an active client account.

The Highwire Privacy Policy is intended to clearly and thoroughly explain our policies around cookies, data collection, data use, data processing, data transfer, data retention and deletion, notifications of personal data breaches, and how you can contact Highwire to manage or delete your information/account.

2. Visitors vs. Users

The Highwire website is openly available and Visitors to the website are not required to input any personal information in order to navigate our pages and learn about our products.  Highwire does, however, use cookies as a way to help us improve the visitor experience, as further described in Section 4 below.  First-time visitors to the Highwire site are immediately informed of our use of cookies via a pop-up banner and there is also a link to this policy provided within the text of the pop-up banner and at the bottom of every page on our website.

Users of the Highwire system are defined within this policy as individuals who are enrolled in one or more of Highwire’s software products, including Highwire Safety, Highwire Financial, Highwire Tracker, and/or Highwire Inspect.  This policy encompasses all of the client end Users who use any aspect of the Highwire system, as well as Highwire employees.

Highwire Users can be set up with 1 of 2 types of access to the Highwire web-based application – either Administrative or General.  The only standard distinction between the two access levels is that Administrative Users are initially set up in the system by Highwire and are given the capability to create General Users so that they can internally manage the list of their employees who will be using the Highwire application based on their specific business needs.

When a General User is added by a client Administrator, the only identifiable data that is provided by the Administrator is the name, business email address, and telephone number of the General User.  Once a client Administrator sets up a General User profile, an automatic email is sent from the Highwire system to the General User that provides a link to initiate the formal creation of a unique General User profile.  During this set-up process, we use a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), which is a challenge-response system test that is designed to differentiate humans from automated programs. A CAPTCHA differentiates between human and bot by requiring completion of a task that is easy for most humans to perform but is more difficult and time-consuming for current bots to complete.  Further, during set-up, all users must create and adhere to a strict password system that is described in detail in the Highwire Password Policy.  

End user accounts are unique to each user and are never shared.  Based on the unique username and password, a General User is only able to access the specific data that he/she enters. In addition, end users only have access to the specific modules of the Highwire application (e.g., Highwire Safety, Highwire Financial, Highwire Tracker, Highwire Inspect) that are defined by their client contract agreement.

3. Reference Documents

Specific regulations and frameworks that are relevant to this policy include, but are not limited to:

  • ISO/IEC 27001 Standard. Clauses A.9.1.1, A.9.1.2, A.9.2.1 – A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.3.
  • General Data Protection Regulation (GDPR), 5/25/2018
  • EU-U.S. & Swiss-U.S. Privacy Shield Frameworks, US Department of Commerce/European Commission/Swiss Administration
  • California Consumer Privacy Act (CCPA), 1/1/2020
  • Lei Geral de Proteção de Dados (LGPD), 2/1/2020

The overarching policies that describe Highwire’s commitment to information safety are this Highwire Privacy Policy and the Highwire Information Security Policy.  The purpose of the Highwire Information Policy is to provide a high-level understanding of the principles and practice of Highwire’s Information Security Management System (ISMS).  While the Highwire Information Security Policy provides a general approach to information security, it is supplemented by very specific technical policies that define the measures we take to ensure the confidentiality and integrity of our data, including:

  • Highwire Acceptable Use Policy
  • Highwire Access Control Policy
  • Highwire Change Management & Secure Engineering/Development Policy
  • Highwire Clear Desk and Clear Screen Policy
  • Highwire Data Backup Policy
  • Highwire Document & Information Control Policy
  • Highwire Encryption Policy
  • Highwire Incident Management Policy
  • Highwire Internal & External Audit Policy
  • Highwire Logging and Monitoring Policy
  • Highwire Password Policy

In addition, there are several internal Highwire manuals that contain organizational information that is relevant to our information security and how we communicate that to employees and clients, including:

  • Highwire Administrative Manual
  • Highwire Customer Support Manual
  • Highwire Disaster Recovery and Business Continuity Manual
  • Highwire ISMS Risk Assessment and Risk Treatment Methodology
  • Highwire ISMS Risk Assessment and Risk Treatment Report
  • Highwire Employee Handbook
  • Highwire System Architecture Manual
  • Highwire Vendor Management Manual

4. Cookie Policy

To make the Highwire website work properly, small data files called cookies are sometimes placed on a Visitor or User’s device. These cookies are stored in text files on a device so that the preferences of a Visitor or User (such as language, font size, login, and other display preferences) are “remembered” when the Highwire website is subsequently loaded in a browser.  This common practice does not in any way minimize Highwire’s commitment to maintaining the highest standards for the security and protection of a customer’s information.  Like most websites, Highwire uses cookies to help ensure a consistent and efficient experience for Visitors and Users, and to perform essential functions such as allowing enrolled users to register and remain logged in.

Highwire may also use cookies to help analyze how Visitors and Users interact with and navigate through our sites so that we can make improvements. Cookie-related information is also used to remember and log the actions of enrolled Users. Cookies are not used for any purpose other than those described herein.  Specifically, the Highwire website does not enable 3rd-party tracking mechanisms to collect data over time and across unaffiliated websites for use in interest-based advertising.  In addition, Highwire flags all cookies with the HttpOnly flag, which tells the browser not to expose the cookie to client-side scripts.  With this flag set, malicious JavaScript that an attacker manages to run in the page cannot read the cookie.

Visitors and Users can block any cookies from any website through their browser settings. Note that the procedures for changing settings and cookies differ from browser to browser.  For more information about how to disable cookies for the top browsers, please refer to the instructions on their respective websites:

In addition to changing a browser’s settings to prevent cookies from being placed, an individual can also delete all cookies that are already stored on a device. If a Visitor or User chooses this option, they may have to manually adjust some preferences every time they visit the Highwire site and some services and functionalities may not work at all.

First-time visitors to the Highwire website are immediately informed of Highwire’s use of cookies via a pop-up banner.  

5. Data Collection

End user data that is collected as part of enrollment in the Highwire Application that is categorized as Personal Data or Personally Identifiable Information (PII) includes user full names, business emails, and business phone numbers.  Users of the Highwire Inspect module may also opt to provide their business cell phone numbers in order to receive alerts regarding inspection findings.  This personal end user data is required as part of an enrolled client’s interaction and use of the Highwire application to allow users to set up secure accounts and to receive messages and alerts from the system.  

6. Data Use

Highwire’s ISMS is ISO 27001 compliant and is managed internally by our Vice President of Engineering, who acts as our Chief Information Security Officer (CISO) as defined in ISO 27001 and as our Data Protection Officer as defined in Article 37 of the GDPR.  As clients use our services and systems, the Vice President of Engineering sets clear parameters on how their data is used and the ways in which a user’s privacy is protected, including but not limited to:

  • For users of the Highwire System, Highwire processes data solely for the purposes defined in the Client Software License and Services Agreement and/or the Subcontractor Participation Agreement and utilizes Amazon Web Services for all of our cloud computing as described in Section 7 below;
  • Highwire guarantees the confidentiality of personal data that is processed as defined in the contract agreements and within this document;
  • Highwire does not share data with any third parties and does not use any third party advertising providers;
  • Highwire ensures that its employees are fully vetted and receive the appropriate personal data protection training as defined in the Highwire Administrative Manual and the Highwire Employee Handbook;
  • Highwire employees acknowledge and sign the non-disclosure requirements set forth in the Highwire Employee Handbook;
  • Any data transfer or download happens via the SSL protocol;
  • To access data, the user must login with a username/password as fully defined in the Highwire Password Policy;
  • During uploading of data, files are encrypted and stored as fully defined in the Highwire Encryption Policy, including the requirement that each encrypted file has its own key;
  • Stored backups and logs are encrypted as fully defined in the Highwire Data Backup Policy, including the requirement that Highwire does not use any temporary storage.

7. Data Processing

As noted above, Highwire uses Personal Data solely for the purposes defined in the Client Software License and Services Agreement and/or the Subcontractor Participation Agreement.  In addition, as detailed in the Highwire Administrative Manual, Highwire contracts with Amazon Web Services, a leader in cloud technology, to create a logically isolated section of AWS where we can create a Virtual Private Cloud (VPC) for our system.  While AWS falls outside the scope of Highwire’s ISMS, one of the reasons for choosing AWS was their own certification under ISO/IEC 27001:2013.  Specifically, AWS was issued Certificate #2013-009 on 11/18/10, which was updated and re-issued most recently on 1/18/22.  

In addition, as part of our agreement with AWS, we are a party to their Data Processing Addendum (DPA).  This is a critical component of our commitment to data security and privacy because Amazon’s DPA is fully compliant and meets all of the requirements of the General Data Protection Regulation (GDPR), the EU-US and SWISS-US Privacy Shield Frameworks, and the California Consumer Protection Act.  Our DPA with AWS provides us with assurance on important data security requirements, including but not limited to: 

  • AWS will process customer data only in accordance with customer instructions;
  • AWS has implemented and will maintain robust technical and organizational measures for the AWS network;
  • AWS will notify its customers of a security incident without undue delay after becoming aware of the security incident.

8. Data Transfers

Highwire does not share data with or transfer data to any third parties and does not use any third party advertising providers.

The Highwire Application is a SaaS-based, web-hosted application.  As noted in earlier sections, Highwire contracts with Amazon Web Services for cloud service. As part of that contract, AWS maintains servers for Highwire in both the United States and Europe (Frankfurt, Germany) to ensure that data from European Union (EU) countries (including Iceland, Liechtenstein, Norway, and Switzerland) is kept in an EU country.  AWS maintains compliance with both the EU-US Privacy Shield Framework and the SWISS-US Privacy Shield Framework and both certifications are classified as “Active”.

9. Data Retention and Deletion

Highwire retains all end user data only for as long as we have an ongoing legitimate need to do so and are working under a client or subcontractor agreement.  Specific user accounts and Personally Identifiable Information are deleted immediately upon account deletion (by a client Administrative User or by Highwire) or upon contract termination. Highwire tries to ensure that our services protect information from accidental or malicious deletion.  Because of this, there may be slight delays between when a user deletes something and when copies are deleted from our active and back-up systems.

As noted above, for deletion of specific user accounts, a client Administrative User has the functionality to delete an account that they created from the Highwire system.  In addition, upon termination of a client or subcontract agreement, the Vice President of Engineering will remove the access rights of associated end user accounts by disabling their logins, removing their profiles from the system, and verifying that access has been terminated. 

As detailed in the Highwire Subcontractor Participation Agreement, Highwire may de-identify and aggregate information submitted by subcontractors.  Highwire owns all aggregated information and may use it for any purpose and communicate it to any third party without obligation to a subcontractor.  Aggregated information is anonymous information and is no longer Personal Data subject to data protection laws or regulations.

10. GDPR Requirements and Privacy Shield Statement

Implementing an ISO 27001 compliant Information Security Management System (ISMS) is not only best practice, but it is also integral to demonstrating data protection compliance to clients, subcontractors, and third parties.  In addition, by implementing ISO 27001, Highwire has created a strong framework to ensure compliance with the European Union General Data Protection Regulation (GDPR) that went into effect on 5/25/2018.

To ensure GDPR compliance, Highwire complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the United States Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union and Switzerland to the United States.  Highwire has certified to the US Department of Commerce that it adheres to the Privacy Shield Principles.  If there is any conflict between the terms in the Highwire Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield Program, and to view our certification, please visit:

https://www.privacyshield.gov/.

As part of the Privacy Shield Framework and Principles, Highwire certifies the following:

  • Highwire’s self-certification is subject to the investigatory and enforcement authority of the Federal Trade Commission;
  • Highwire collects limited Personal Data as described previously in Section 5 and we use this information only for the purposes described previously in Section 6;
  • Individual users of the Highwire Application have the right to access their Personal Data and to review, correct, amend, delete, or limit the use and/or disclosure of their Personal Data.  EU and Swiss users, like all users, can securely log in to the Highwire System at any time using their unique username and password to access and review their personal data.  If any user of the Highwire application would like to amend, delete, or limit the use and/or disclosure of their personal data, they can contact Highwire at support@Highwire.com as described in more detail in Section 13;
  • Highwire does not share data with or transfer data to any third parties and does not use any third party advertising providers.  However, Highwire acknowledges that any entity, including Highwire, that does share or transfer data to third parties would remain liable if that third party processes personal data in a manner inconsistent with the principles;
  • Highwire, in accordance with our legal obligations and subject to a lawful request, may transfer Personal Data to public authorities for law enforcement or national security purposes;
  • Highwire encourages EU and Swiss users, and all users, who have questions or complaints about how we process their Personal Data under Privacy Shield to contact us as described in Section 13.  Highwire will work to resolve your issues as quickly as possible, but no later than 30 days after receipt of a question or complaint;
  • If you have unresolved privacy or data use complaints that we have not addressed satisfactorily, please contact, free of charge, our US-based third party dispute resolution provider, American Arbitration Association, at https://www.adr.org/TechnologyServices.

11. California and Brazil Requirements

Highwire also maintains compliance with the California Consumer Privacy Act (CCPA) that went into effect on 1/1/20 and the Lei Geral de Proteção de Dados (LGPD) that went into effect in Brazil on 2/1/20.  If the California Consumer Privacy Act (CCPA) or the LGPD applies to a user’s information, Section 13 of this policy describes the process available to a user to exercise his/her rights to receive information about Highwire data practices and/or to request deletion of his/her information/account.

Highwire does not share, sell, or transfer a user’s Personal Data.  Highwire uses and processes Personal Data for business purposes only as defined in the Client Software License and Services Agreement, the Subcontractor Participation Agreement, and this policy.

12. Notification of Changes to the Privacy Policy or Personal Data Breaches

Highwire reserves the right to revise the Highwire Privacy Policy at any time.   If substantial changes are made to this privacy notice, Highwire will post notification of such changes on the “Highwire Announcements” that is linked from our website at www.Highwire.com.  In addition, all new versions of this policy will be immediately re-posted on the Highwire website, as accessed by the direct “Privacy Policy” link that is found at the bottom of every page on the Highwire website.

In addition, Highwire will notify clients immediately via email of any personal data breach (and never later than 72 hours after having become aware of it).  This notification will include any necessary documentation to enable clients to notify this breach to the competent supervisory authority if required, including:

  • The nature and description of the breach including the number of users who are affected;
  • Analysis and root cause of the failure;
  • Immediate corrective action to address the breach and mitigate the adverse effects; and,
  • Other corrective actions proposed or taken to prevent any future breaches of the same nature and type.

13. Contacting Highwire

Highwire is located at 700 District Avenue, 7th Floor, Burlington, Massachusetts, 01803.  

If users have any questions or complaints about Highwire’s data practices, if they would like to request deletion of their information/account, or if they have any reports of fraud, they can contact the Vice President of Engineering or the Vice President of Compliance at the above address, by email at support@Highwire.com, or telephone at 866-817-2210.  Direct links to Highwire’s email address are also available on our public website and after users log in to the Highwire system.

Highwire responds to written complaints by contacting the person who made the complaint to resolve any issue directly and quickly in accordance with the Service Level Agreement (SLA) outlined in the Highwire client or subcontractor agreement.  In addition, in accordance with the principles of the EU-US and Swiss-US Privacy Shield Frameworks and as detailed in Section 10, Highwire will work with the appropriate independent resource authorities, including but not limited to, the United States Department of Commerce,  the United States Federal Trade Commission, The EU Data Protection Authorities (DPAs), and the Swiss Federal Data Protection and Information Commissioner (FDPIC), as necessary to resolve any complaints to a user’s satisfaction and at no cost to the user.  

14. Policy Compliance

a. Compliance Criteria

When evaluating the effectiveness and adequacy of this document, the following criteria must be considered:

  • Number of breaches of the system.
  • Number of account deletions.
  • Number of requests for data security information and resolution times.
  • Number of data security complaints and resolution times.

b. Compliance Measurement

The specific compliance criteria bulleted above are included as part of an ISMS Comprehensive Compliance Measurement Table that has been prepared by Highwire and is provided in the Highwire Information Security Policy, Appendix 1.  The Vice President of Engineering will verify compliance with our overall Information Security Policy, and all other technical policies, by performing an annual review using the ISMS Comprehensive Compliance Measurement Table.  The results of the review will be tracked, analyzed, and included as part of the ISMS Management Review meeting(s).  

In addition to the formal annual review, compliance is also measured on a continual basis through various methods, including but not limited to, periodic walk-throughs, business tool reports, and feedback to the policy owner.  

Training on and awareness of this policy are provided as part of Highwire’s overall employee training program as detailed in the Highwire Employee Handbook.

c. Exceptions

Any exception to the policy must be approved by the policy owner in advance.

d. Non-Compliance

An employee found to have willfully violated this policy may be subject to disciplinary action, up to and including termination of employment.

15. Review and Development

The author of this policy is considered the owner and has the responsibility for updating it whenever changes are dictated by the work.  In addition, an annual review of this policy will be conducted by the Vice President of Engineering to ensure that it remains appropriate considering any relevant changes to the law, organizational policies, and/or contractual obligations.  

As specified in the Highwire Administrative Manual, all changes to an ISMS document must be made using “Track changes,” making visible only the revisions to the previous version, either showing them in red text or strikeout.  In addition, for reference, all previous versions of an ISMS document are stored on the personal user drive of the Highwire Vice President of Compliance.  The versioning history for this document is defined in the table below:
