eXpress badging® takes privacy seriously and enforces administrative, technical, and physical safeguards to protect non-public information (NPI), personally identifiable information (PII), and sensitive customer data.
🔒 This article outlines our policies and practices to align with enterprise customer and regulatory requirements.
1) Data Handling & Privacy Policy
- Yes — Customer data classified as NPI, PII, or sensitive financial information may be transmitted, processed, or stored only as required for ID badge production.
- All use is governed by our Privacy Policy and Veonics Portal Terms of Use.
- Scoped data is used solely for badge issuance and is never shared, sold, or reused.
2) International Data Transfers
- No — Personal data is not transmitted outside the United States by default.
- Self-Certifications: eXpress badging® is not currently registered under the EU-U.S. Data Privacy Framework or the Swiss equivalent, as we do not process EU or Swiss citizen data.
3) Privacy Governance
- Yes — Privacy compliance is managed by the Compliance Lead (Executive role) in partnership with Department Heads.
- Accountability is documented in our EOS Accountability Chart and reviewed quarterly.
4) Documented Privacy Policies
- Yes — We maintain written procedures for protecting confidential information:
5) Privacy Risk Assessments
- Yes — Privacy risks are assessed as part of our quarterly EOS reviews, vulnerability scans, and overall AWS instance and local server data control monitoring.
6) Privacy Awareness Training
- Yes — Employees receive:
  - New Hire Training on cybersecurity and privacy.
  - Annual Refresher Training (2 hours).
  - Quarterly Cybersecurity Lunch & Learns.
- Documentation:
7) Privacy Incident & Complaint Handling
- Yes — Documented in our Incident Response & Breach Notification Process.
- Complaints and issues are submitted via our Contact Us webform, email, or phone.
- Complaints and issues are logged in Jira/HubSpot and resolved under compliance oversight.
8) Data Classification & Retention
- Yes — Data is classified as high-risk PII or low-risk project data.
- Retention limits:
  - Data is obliterated 30 days after project completion or non-renewal.
  - Customers control retention within their Portal subscription.
- Documentation: Identification Badge Data Classification & Retention Standards
9) Privacy Incident Response Program
- Yes — Documented in our Incident Response & Breach Notification Process.
10) Third-Party Disclosures
- No — Customer or user data is not disclosed to third parties.
- The only exceptions are:
  - If remote support is required by our third-party development team, which is highly unlikely, we can enable this feature per authorized customer approval under an Enterprise SaaS subscription. This level of technical support is protected under our NDA with our contractors.
  - Or, under contracted printing projects, customer data is provided to our third-party card printing factory, and only with customer approval. All data is obliterated per the terms of our agreements with our vendors.
11) PII Disclosures Outside the United States
- No — Data is not disclosed to third parties outside the U.S.
12) Contractual Controls
- Yes — When third parties are involved (e.g., printer manufacturers, dev partners), contracts restrict the use of data to defined purposes.
13) Business Associate Contracts
- Yes — All users must agree to our Users License Agreement, which covers privacy.
- Data is used only for badge issuance, which is consistent with our Privacy Policy.
- Documentation: Veonics Portal ULA
14) Privacy & Security Program
- Yes — Administrative, technical, and physical safeguards are documented in:
15) Data Accuracy & Purpose Limitation
- Yes — Accuracy is maintained under customer direction. Customers own and provide all badgeholder data.
- Yes — Data is used only for badge issuance, which is consistent with our Privacy Policy.
16) Data Monitoring for Privacy Compliance
- Yes — Customer employees are responsible for all data provided.
- Customers are responsible for their employees' work.
- Customers are responsible for all data provided to eXpress badging.
- eXpress badging is not responsible for the content of the data provided, only for ensuring that it is secure.
17) Privacy Compliance Monitoring
- Yes — First, user privileges are assigned on a least-privilege basis by the customer admin user (or, where new user creation is requested, by an authorized eXpress badging admin user), and those privileges never change on their own. The customer is responsible for changing or requesting changes if and when needed. This restricts privacy exposure.
- Second, managing who can import and export data, and which data elements users can access or view, further reduces customer privacy risks.
- Customers can enable SSO to manage this process automatically.
- Defined in Security Roles & Responsibilities in the Veonics Ecosystem.
18) Documented Policies, Procedures, and Controls to limit access
- Yes. eXpress badging® enforces least-privilege, role-based access control (RBAC) and organizational segmentation in the Veonics® Portal, with unique user IDs, manager approval for access, quarterly reviews, rapid de-provisioning, and full audit logging. Controls are documented here:
- 🔐 Access Control & Remote Access Policy — unique IDs, MFA, session timeouts, RBAC, remote-access limits:
- 👥 Security Roles & Responsibilities in the Veonics Ecosystem — who can access what, by role:
- 🛡️ Endpoint Protection Policy — device controls that reinforce least privilege:
- 🚨 Incident & Breach Response — escalation/account lock, notifications:
Supporting Documentation Provided: Need-to-Know & Least-Privilege Access Policy
19) Privacy Violation Enforcement Mechanisms
- Yes — Acknowledgement is uncovered during quarterly evaluations and reviews.
- Employees, contractors, and vendors who violate privacy or confidentiality policies face corrective action, remediation, and, depending on the severity, termination.
- Documented in the Employee Handbook and reinforced during training.
- Documented in contractor onboarding agreements.
20) FCPA, Anti-Bribery, AML Compliance
- Yes — eXpress badging® complies with FCPA, Anti-Bribery, and Anti-Money Laundering requirements.
- Training is incorporated into employee onboarding and annual refreshers.
- Documented in FCPA, Anti-Bribery & Anti-Money Laundering (AML) Compliance
📊 NIST CSF 2.0 Alignment
| Function | Privacy Practice |
|---|---|
| Identify (ID) | Data classification & retention |
| Protect (PR) | Policies, encryption, least privilege |
| Detect (DE) | SOC monitoring, audits |
| Respond (RS) | Incident reporting & breach response |
| Recover (RC) | Data obliteration & certificate of destruction |
| Govern (GV) | Compliance oversight & EOS reviews |