Privacy & Data Protection

eXpress badging® takes privacy seriously and enforces administrative, technical, and physical safeguards to protect non-public information (NPI), personally identifiable information (PII), and sensitive customer data.

🔒 This article outlines our policies and practices to align with enterprise customer and regulatory requirements.

Yes — Customer data classified as NPI, PII, or sensitive financial information may be transmitted, processed, or stored only as required for ID badge production.
All use is governed by our Privacy Policy and Veonics Portal Terms of Use.
Scoped data is used solely for badge issuance and never shared, sold, or reused.

No — Personal data is not transmitted outside the United States by default.
Self-Certifications: eXpress badging® is not currently registered under the EU-U.S. Data Privacy Framework or Swiss equivalent, as we do not process EU or Swiss citizen data.

Yes — Privacy compliance is managed by the Compliance Lead (Executive role) in partnership with Department Heads.
Accountability is documented in our EOS Accountability Chart and reviewed quarterly.

Yes — We maintain written procedures for protecting confidential information:

Yes — Privacy risks are assessed as part of our quarterly EOS reviews, vulnerability scans, and overall AWS instance and local server data control monitoring.

Yes — Employees receive:
- New Hire Training on cybersecurity and privacy.
- Annual Refresher Training (2 hours).
- Quarterly Cybersecurity Lunch & Learns.
Documentation:
- Cybersecurity Awareness Education and Training,
- Vendor Security Questionnaire

Yes — Documented in our Incident Response & Breach Notification Process.
Complaints and issues are submitted via our Contact US webform, email, or phone.
Complaints and issues are logged in Jira/HubSpot and resolved under compliance oversight.

Yes — Data is classified as high-risk PII or low-risk project data.
Retention limits:
- Data is obliterated 30 days after project completion or non-renewal.
- Customers control retention within their Portal subscription.
Documentation: Identification Badge Data Classification & Retention Standards

No — Customer or user data is not disclosed to third parties
Only exceptions include:
- If remote support is required by our third-party development team, which is highly unlikely, we can enable this feature per authorized customer approval under an Enterprise SaaS subscription. This level of technical support is protected under our NDA with our contractors.
- Or, under contracted printing projects, customer data is provided to our third-party card printing factory, and only done so with customer approval. All data is obliterated per our terms of aggreemtent oth our vendors.

Yes — When third parties are involved (e.g., printer manufacturers, dev partners), contracts restrict use of data to defined purposes.

Yes — All users must agree to our Users License Agreement that covers privacy.
Data is used only for badge issuance, which is consistent with our Privacy Policy .

Yes — Accuracy is maintained under customer direction. Customers own and provide all badgeholder data.
Yes — Data is used only for badge issuance, which is consistent with our Privacy Policy .

Yes — Customer employees are responsible for all data provided
Customers are responsible for their employees' work.
Customers are responsible for all data provided to eXpress badging
eXpress badging is not responsible for the content of the data provided, only ensuring that is secure.

Yes, first, to the degree of least privileges assigned by the customer admin user, or to request new user creation, an authorized eXpress badging admin user, user privileges will never change. The customer's responsible for changing or requesting changes, if/when needed. This restricts privacy exposure.
Second, by managing who can import, export, and what data elements users have access to, or can view, will further reduce customer privacy risks.
Customers can Enable SSO to manage this process automatically.
Defined in Security Roles & Responsibilities in the Veonics Ecosystem.

Yes. eXpress badging® enforces least-privilege, role-based access control (RBAC) and organizational segmentation in the Veonics® Portal, with unique user IDs, manager approval for access, quarterly reviews, rapid de-provisioning, and full audit logging. Controls are documented here:
🔐 Access Control & Remote Access Policy — unique IDs, MFA, session timeouts, RBAC, remote-access limits:
- https://support.expressbadging.com/knowledge/access-control-and-remote-access-policy
👥 Security Roles & Responsibilities in the Veonics Ecosystem — who can access what, by role:
- https://support.expressbadging.com/knowledge/security-roles-responsibilities-in-the-veonics-ecosystem
🛡️ Endpoint Protection Policy — device controls that reinforce least privilege:
- https://support.expressbadging.com/knowledge/endpoint-protection-policy
🚨 Incident & Breach Response — escalation/account lock, notifications:
- - https://support.expressbadging.com/knowledge/what-is-express-badgings-cyber-incident-and-breach-response-process

Yes, acknowledgement is uncovered during quarterly evaluations and reviews.
Employees, contractors, and vendors who violate privacy or confidentiality policies face corrective action, remediation, and depending on the severity, termination.
Documented in the Employee Handbook and reinforced during training.
Documented in Contractor onboarding agreements.

Yes — eXpress badging® complies with FCPA, Anti-Bribery, and Anti-Money Laundering requirements.
Training is incorporated into employee onboarding and annual refreshers.
Documented in FCPA, Anti-Bribery & Anti-Money Laundering (AML) Compliance

Function	Privacy Practice
Identify (ID)	Data classification & retention
Protect (PR)	Policies, encryption, least privilege
Detect (DE)	SOC monitoring, audits
Respond (RS)	Incident reporting & breach response
Recover (RC)	Data obliteration & certificate of destruction
Govern (GV)	Compliance oversight & EOS reviews