Data Security

Notice of Client Data Processing

Client Personal Information

GRMS provides supplier risk assessment services to a global clientele of companies and organizations in many diverse industries and regions. In order to provide these services, GRMS typically needs to collect or otherwise process both online and offline records and data relating to a client’s suppliers. Some of this information is collected directly from suppliers and their agents, while some may be collected from other sources such as insurance companies, rating agencies, business databases and public records, including, but not limited to, business filings, license registrations, Uniform Commercial Code filings and court records, or any other information lawfully requested by our client. Some of this information may constitute “personal information” or “personal data” relating to an identified, or reasonably identifiable, individual under applicable law, which we refer to as “Client Personal Information.”

We collect or otherwise process Client Personal Information strictly on behalf of our client to fulfill the purpose of our agreement with the client. In its role as a service provider and data processor with respect to Client Personal Information, GRMS is committed to complying with applicable privacy and data protection laws, and to helping clients comply with their own obligations under those laws.

United States Residents

Some of our clients may be “businesses” as defined in the California Consumer Privacy Act of 2018, as amended (the “CCPA”). To the extent our services to those clients require us to collect, use, retain, disclose or otherwise process Client Personal Information that is subject to the CCPA, we do so strictly as our client’s “service provider” as defined in the CCPA.

Some of our clients may be subject to industry-specific federal laws regulating data privacy, such as the Health Insurance Portability and Accountability Act (HIPAA), as amended, or the Gramm-Leach-Bliley Act (GLBA). To the extent our services to those clients require us to collect, use, retain, disclose or otherwise process Client Personal Information that is subject to federal privacy laws, we do so strictly as our client’s service provider pursuant to business associate agreements or other appropriate terms.

We do not sell Client Personal Information. We do not collect, retain, use, disclose or otherwise process Client Personal Information for any purpose other than for the purpose of performing the services specified in our agreement with the client. We do not collect, retain, use, disclose or otherwise process Client Personal Information outside of our direct business relationship with the client. We work with clients and our own sub-contractors to ensure that our agreements with them incorporate those and other restrictions as necessary, and to support responses to consumer requests under the CCPA or applicable federal law.

Data Subjects In The European Economic Area And Elsewhere Outside The United States

Some of our clients are “data controllers” as defined in the EU’s General Data Protection Regulation (“GDPR”) or other laws governing data protection in countries outside of the United States. To the extent our services to those clients require us to process Client Personal Information that is subject to those laws, we do so strictly as our client’s “data processor” as defined in the GDPR or other applicable law.

We follow our clients’ instructions regarding the purposes for which Client Personal Information is to be processed, and endeavor to conduct that processing subject to conditions set forth in Article 28 of the GDPR or elsewhere under applicable law. We work with clients and our authorized sub-processors to ensure that our agreements with them incorporate those conditions as necessary, and to support responses to data subject requests, and other obligations our clients may have, under the GDPR and other laws that may apply. Where necessary and appropriate, our agreements with clients incorporate other appropriate safeguards, such as standard data protection clauses adopted by the European Commission or another supervisory authority for international transfers of personal data.

Data Security

We maintain reasonable security measures to ensure that access to any Client Personal Information is restricted to authorized individuals who need access for a legitimate business purpose, and to protect Client Personal Information against unauthorized access, theft, or loss. As part of those measures, we use a proprietary platform, GRMS Veritas, to deliver supplier risk assessment information, which may include Client Personal Information, to clients securely. The platform is built on the Microsoft .NET Framework, on the current release as of the date of this notice.

Veritas is hosted on the Amazon Web Services cloud and is built according to AWS best practices for high availability, disaster recovery, security, and scalability. The network and infrastructure are designed with no single point of failure, and both use 256-bit encryption with keys that are rotated on a regular schedule. Data is backed up in multiple locations, and AWS services are used to recover from hardware or system errors without data loss.

Veritas uses Amazon S3 to store supplier risk assessment data. Amazon S3 holds compliance attestations for programs including PCI DSS, HIPAA/HITECH, FedRAMP and FISMA, and supports customers’ GDPR obligations. Those attestations cover the storage service itself; under the AWS shared responsibility model, the configuration of buckets, encryption keys and access controls remains the responsibility of the customer, and GRMS configures Veritas accordingly.
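The properties claimed above (256-bit encryption at rest with rotated keys, backups that can be recovered, no exposure outside the client relationship) are all things a client or auditor can verify against an S3 bucket's configuration rather than take on trust. The following is an added illustration of such a check; it is not GRMS or AWS code, and the page does not publish the Veritas configuration. The input dictionaries mirror the shapes returned by boto3's get_bucket_encryption, get_public_access_block, get_bucket_versioning, get_bucket_policy and kms.get_key_rotation_status, but every value below is a constructed sample; the bucket name and key alias are placeholders.

```python
"""Evaluate an S3 bucket snapshot against the properties a processor
typically claims: encrypted at rest with customer-verifiable key rotation,
no public access, versioned (recoverable) objects, and TLS-only access.

Added example, not GRMS or AWS code. Inputs are constructed samples shaped
like boto3 responses; nothing here calls AWS.
"""
import json


def _denies_plain_http(policy_json):
    """True if the bucket policy has a Deny for aws:SecureTransport=false,
    i.e. requests over plain HTTP are refused."""
    policy = json.loads(policy_json)
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Deny":
            continue
        cond = statement.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def evaluate_bucket(snapshot):
    """snapshot keys: 'encryption', 'public_access_block', 'versioning',
    'policy' (JSON string), optional 'key_rotation'.
    Returns {'passed': bool, 'failures': [reasons]}."""
    failures = []

    rules = snapshot["encryption"].get("Rules", [])
    if not rules:
        failures.append("no default server-side encryption")
    else:
        algo = rules[0]["ApplyServerSideEncryptionByDefault"].get("SSEAlgorithm")
        if algo not in ("AES256", "aws:kms", "aws:kms:dsse"):
            failures.append(f"unsupported SSE algorithm {algo!r}")
        elif algo == "AES256":
            # SSE-S3 is AES-256, but its key rotation is managed opaquely by
            # AWS; a "regularly rotated" claim is only verifiable with SSE-KMS.
            failures.append("SSE-S3 in use: key rotation not customer-verifiable")
        elif not snapshot.get("key_rotation", {}).get("KeyRotationEnabled"):
            failures.append("KMS key rotation disabled")

    pab = snapshot["public_access_block"]
    for flag in ("BlockPublicAcls", "IgnorePublicAcls",
                 "BlockPublicPolicy", "RestrictPublicBuckets"):
        if not pab.get(flag):
            failures.append(f"public access block: {flag} is off")

    if snapshot["versioning"].get("Status") != "Enabled":
        failures.append("versioning disabled (no point-in-time recovery)")

    if not _denies_plain_http(snapshot.get("policy", "{}")):
        failures.append("bucket policy does not deny non-TLS requests")

    return {"passed": not failures, "failures": failures}


# Constructed TLS-only policy; the bucket ARN is a placeholder.
TLS_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Constructed snapshot matching every claim: SSE-KMS, rotation on, locked down.
HARDENED = {
    "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/example-assessments"}}]},
    "key_rotation": {"KeyRotationEnabled": True},
    "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                            "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "versioning": {"Status": "Enabled"},
    "policy": TLS_ONLY_POLICY,
}

# Constructed snapshot that is "encrypted" yet fails the other claims.
WEAK = {
    "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "AES256"}}]},
    "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                            "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "versioning": {},
    "policy": "{}",
}

if __name__ == "__main__":
    for name, snap in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, evaluate_bucket(snap))
```

The AES256 branch is the point worth noticing: a bucket using SSE-S3 is still "256-bit encrypted", but only SSE-KMS with a customer-managed key lets a client confirm the rotation schedule that a notice like this one asserts.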

Updated December 27, 2019