eXpress badging® is committed to protecting the confidentiality, integrity, and availability of customer data.
📘 This Customer Data Privacy Policy describes how we collect, use, retain, and protect non-public information (NPI), personally identifiable information (PII), and sensitive customer information processed within our solutions, including the Veonics® Portal.
🔒 Data Collection & Use
- Customer data is collected only as necessary for photo ID badge issuance and management.
- eXpress badging® does not sell, share, or disclose customer data to unauthorized third parties.
- Data use is limited to the intended purpose defined by the customer.
👥 Access Control
- Access to customer data is role-based, following the principle of least privilege.
- Every user has unique credentials; multi-factor authentication (MFA) is supported and is enforced once it is enabled for an account.
- Sessions time out after a period of inactivity, and access is monitored to enforce secure access standards.
- Customers maintain administrative control over their own Portal accounts and users.
🗄️ Data Retention & Obliteration
- Scoped Data is retained only as long as the customer maintains an active license.
- By default, data is obliterated 30 days after non-renewal or upon written request.
- Certificates of Destruction are provided to customers upon request.
- Customers remain responsible for their own retention requirements when managing their own Veonics® Portal accounts.
🌐 International Data Transfers
- eXpress badging® hosts all customer data within AWS U.S. regions (Northern Virginia).
- No customer data is transferred outside the U.S. unless specifically contracted.
🛡️ Incident Response & Breach Notification
- eXpress badging® maintains a documented Cybersecurity Incident & Breach Response Process.
- Customers will be notified promptly in the event of unauthorized access, disclosure, or data breach, in accordance with applicable regulations.
📊 Privacy Governance & Accountability
- Compliance oversight is managed by the Compliance Lead, with accountability assigned to Department Heads.
- Policies are reviewed quarterly under our EOS governance model.
- Employees receive annual privacy and security training with testing and remediation requirements.
🔗 Third-Party Access & Contracts
- In rare use cases, customer data is disclosed only to approved third parties under contractual agreements (e.g., printer manufacturers, development partners).
- eXpress badging® does not handle or store protected health information within the Veonics® Portal, so HIPAA does not currently apply and Business Associate Agreements (BAAs) are not required.
⚖️ Enforcement & Discipline
- Violations of privacy or confidentiality requirements result in corrective action, up to and including termination.
- Privacy violations are logged, tracked, and reviewed by the Compliance Lead.
📊 NIST CSF 2.0 Alignment
| Function | Practice |
|---|---|
| Identify (ID) | Data classification and customer ownership |
| Protect (PR) | Encryption, least privilege, MFA |
| Detect (DE) | SOC monitoring, vulnerability scans |
| Respond (RS) | Breach response and customer notification |
| Recover (RC) | Data obliteration and restoration processes |
| Govern (GV) | EOS compliance oversight and quarterly reviews |