Industries & Regions
The ViziVault solution is designed to work across various industries & regions by managing personal information as a whole and providing custom-built rules & categorizations to handle any legal or compliance mandates. That said, there are a number of features & benefits that can be applied to the regulations for specific industries and locales.
Jump to: Finance & E-Commerce (PCI-DSS), Healthcare (HIPAA), Multiple Industries - Minors (COPPA), Education (FERPA), Regional
Finance & E-Commerce (PCI-DSS)
PCI-DSS compliance is not easy. Its 281 directives in 12 categories can be very challenging to fulfill. Here are the ways that ViziVault can help you achieve PCI compliance for cardholder data and go even further by applying the same strategy to all personal information:
All information in ViziVault is maintained behind a separate firewall to protect cardholder data, and all ViziVault components use regularly updated antivirus software. Data is encrypted at the API level, as close as possible to where the information is initially collected. This ensures that all cardholder data is encrypted both at rest and in transit. By segregating cardholder data in a secure ViziVault, your security & engineering teams can stay focused on securing the parts of your system where cardholder data is collected and used. All ViziVault components, systems, and processes are regularly tested for security.
Access to the data in ViziVault is only made available through the secure API to authenticated callers, each with their own access keys. Each caller only has access to the specific pieces of information needed to conduct their function, thereby limiting the risk of exposure and ensuring that access to cardholder data is granted on a business need-to-know basis. A full audit log of every read, write, & deletion of data is captured and maintained, with custom retention configurations available. Every touch of data is fully tracked, giving you full visibility into the who, what, where, when, and why of information access.
Maintaining your information security is easy in ViziVault and is built into the core of its programming. Additionally, policies are enforceable in an automated fashion by taking advantage of ViziVault's powerful rules engine. Data administrators determine the type of data being stored and who can access it. Privacy & compliance officers can classify and control how data is being used with custom classifications, regulatory associations, and legal rulesets. Management gets full visibility into how information is being used across the entire organization with our built-in analytics dashboard and the ability to deep-dive into the data with fully customizable reporting capabilities.
Healthcare (HIPAA)
The HIPAA rules and regulations provide guidance for the proper uses and disclosures of protected health information (PHI), how to secure PHI, and what to do if there is a PHI breach.
Privacy is built directly into ViziVault and integrated into your applications. Set up classifications to automatically track the 18 fields of ePHI, such as Name, Diagnosis, Social Security Number, etc. Track & manage data sharing activities, written authorizations, and PHI disclosures back to patients. Since all data is always associated with the corresponding patient, data requests are fully automated with the push of a button, and you have full control over what gets reported, allowing for data minimization of the disclosure.
All data stored in the vault is fully encrypted using military-grade encryption standards, both at rest and in transit. Policies and procedures are automated and enforceable with ViziVault, with strict, authorization-enforced role-based access controls (RBAC), advanced reporting capabilities, and customizable legal rulesets. Empower your privacy officer to develop and implement required policies & procedures. With fine-grained RBAC, clearly identify the systems, employees, or classes of employees who will have access to ePHI to complete their function. Manage access functions such as authorization, establishment, modification, and termination. In case of emergency, all data is fully backed up in geo-redundant storage for rapid recovery. Satisfy audit requirements with both routine and event-based alerts & reporting. Data integrity is maintained, including the use of checksums, double-keying, message authentication, and digital signatures.
In the event that a data breach does occur, all affected records can quickly & easily be determined using ViziVault's data touch access log, which tracks every touch of data (reads, writes, & deletes). Breach requirements and notifications can be tracked as well, ensuring compliance with HIPAA breach notification requirements.
Multiple Industries - Minors (COPPA)
The Children's Online Privacy Protection Act, or COPPA, is a U.S. law that aims to protect the privacy and personally identifying information of children under the age of 13 who use online services. The law places rules on the use of data from and about children under 13 that are stricter than those governing data about older people, and offers parents the ability to monitor and approve some of the information their children share.
With ViziVault, keep track of the relationships between parents & children. Build custom classifications and legal rules that apply when the age of a user is below 13 years old. Track the notification and consent of parents, including the date & time of consent, to demonstrate verifiable parental consent prior to any collection, use, and/or disclosure of PI from children under 13. Provide a reasonable means for parents to review the PI collected from their child, and track events where parents refuse to permit its further use. Block storage altogether if consent is not given or is revoked, to ensure compliance.
Security & Confidentiality
Encryption and data security, both at rest and in transit, are built into ViziVault in order to protect the confidentiality, security, and integrity of the PI collected from children under 13. Maintain an audit log of each disclosure and release of such PI to demonstrate appropriate data sharing practices with parties capable of maintaining data confidentiality and security.
Use ViziVault's powerful and customizable rules engine to retain PI collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected, and automatically delete the information when necessary to protect against its unauthorized access or use.
Education (FERPA)
The Family Educational Rights and Privacy Act (FERPA) is a federal law that affords parents the right to have access to their children's education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records. When a student turns 18 years old, or enters a postsecondary institution at any age, the rights under FERPA transfer from the parents to the student.
With ViziVault, keep track of the relationships between parents & children. Build in custom rules to determine the appropriate level of access for parents to their children's education records. Ensure that information is not disclosed to third parties without parental consent.
Using ViziVault's data subject access request (DSAR) capabilities, ensure that data subject rights are upheld. These include requests to inspect and review the student's education record, to schedule a hearing to challenge the content of the record so that it is not inaccurate, misleading, or otherwise in violation of the privacy rights of the student, and to insert into the record a written explanation by the parents regarding its content.
Transfer of Ownership
With ViziVault's rules engine, you can easily build rules to determine whether it is the parent or the child who maintains ownership over the data based on the child's age and postsecondary institution status.
Regional
Whether it's GDPR in the EU, CCPA in California, or any of the other hundreds of locales with data privacy laws, if you do business online, then chances are good that you are subject to one or more of these laws. While each law has its own individual mandates and nuances that must be managed separately (and can be by ViziVault), there are some general commonalities that ViziVault handles right out of the box.
Determine which privacy laws each data subject you collect or process data about is subject to by mapping the subject's citizenship (or residence) to the appropriate regulations. ViziVault uses a technique called data sharding to ensure data stays within its appropriate region. Set up legal rules in ViziVault's powerful rules engine to determine where cross-border data transfers are allowed or prohibited.
Classification & Security
With custom tags and a preset list of common regulations, classifying data is a breeze using ViziVault's powerful rules engine. Keep track of data's sensitivity, functional use-case, regulatory implication, or any number of categories to determine how each piece of data needs to be treated from a regulatory perspective. Security is built into ViziVault from the ground up. Every piece of data is encrypted at the API level, ensuring maximum security both at rest and in transit throughout the data's lifecycle.
Data Subject Access Requests (DSARs)
Data subject access requests, or DSARs, can be a nightmare to manage. With ViziVault, DSARs are a breeze, since all of the personal information is in one place, associated with the data subject, and fully classified & curated. Handle any of the data subject rights, including (but not limited to) confirmation that you process their personal data, access to their personal information, your lawful basis for processing their data, the period for which you'll store their data (or the criteria you'll use to determine that period), any relevant information about how the data was obtained, any relevant information about automated decision-making and profiling, the names of any third parties you share their information with, the right to be forgotten, and more.