Privacy & Data Protection

eXpress badging® takes privacy seriously and enforces administrative, technical, and physical safeguards to protect non-public information (NPI), personally identifiable information (PII), and sensitive customer data.

🔒  This article outlines our policies and practices to align with enterprise customer and regulatory requirements.


1) Data Handling & Privacy Policy

  • Yes — Customer data classified as NPI, PII, or sensitive financial information may be transmitted, processed, or stored only as required for ID badge production.

  • All use is governed by our Privacy Policy and Veonics Portal Terms of Use.

  • In-scope data is used solely for badge issuance and is never shared, sold, or reused for any other purpose.


2) International Data Transfers

  • No — Personal data is not transmitted outside the United States by default.

  • Self-Certifications: eXpress badging® is not currently registered under the EU-U.S. Data Privacy Framework or the Swiss-U.S. Data Privacy Framework, as we do not process EU or Swiss citizen data.


3) Privacy Governance

  • Yes — Privacy compliance is managed by the Compliance Lead (Executive role) in partnership with Department Heads.

  • Accountability is documented in our EOS Accountability Chart and reviewed quarterly.


4) Documented Privacy Policies


5) Privacy Risk Assessments

  • Yes — Privacy risks are assessed as part of our quarterly EOS reviews, vulnerability scans, and ongoing monitoring of data controls on our AWS instances and local servers.


6) Privacy Awareness Training


7) Privacy Incident & Complaint Handling

  • Yes — Documented in our Incident Response & Breach Notification Process.

  • Complaints and issues are submitted via our Contact Us webform, email, or phone.

  • Complaints and issues are logged in Jira/HubSpot and resolved under compliance oversight.


8) Data Classification & Retention


9) Privacy Incident Response Program


10) Third-Party Disclosures

  • No — Customer or user data is not disclosed to third parties.

  • The only exceptions are:

    • If remote support is required from our third-party development team (which is highly unlikely), the feature is enabled only with authorized customer approval under an Enterprise SaaS subscription. This level of technical support is protected under our NDA with our contractors.

    • Under contracted printing projects, customer data is provided to our third-party card printing factory, and only with customer approval. All data is obliterated per the terms of our agreements with our vendors.


11) PII Disclosures Outside the United States

  • No — Data is not disclosed to third parties outside the U.S.


12) Contractual Controls

  • Yes — When third parties are involved (e.g., printer manufacturers, dev partners), contracts restrict use of data to defined purposes.


13) Business Associate Contracts

  • Yes — All users must agree to our User License Agreement (ULA), which covers privacy.

  • Data is used only for badge issuance, which is consistent with our Privacy Policy.

Documentation: Veonics Portal ULA


14) Privacy & Security Program


15) Data Accuracy & Purpose Limitation

  • Yes — Accuracy is maintained under customer direction. Customers own and provide all badgeholder data.

  • Yes — Data is used only for badge issuance, which is consistent with our Privacy Policy.


16) Data Monitoring for Privacy Compliance

  • Yes — Customer employees are responsible for all data they provide.

  • Customers are responsible for their employees' work.

  • Customers are responsible for all data provided to eXpress badging.

  • eXpress badging is not responsible for the content of the data provided, only for ensuring that it is secured.


17) Privacy Compliance Monitoring

  • Yes. First, user privileges are limited to the least privilege assigned by the customer admin user (or, when the customer requests new user creation, by an authorized eXpress badging admin user), and those privileges never change unless the customer changes them or requests a change, if and when needed. This restricts privacy exposure.

  • Second, controlling who can import and export data, and which data elements each user can access or view, further reduces customer privacy risk.

  • Customers can enable SSO to manage this process automatically.

  • Defined in Security Roles & Responsibilities in the Veonics Ecosystem.


18) Documented Policies, Procedures, and Controls to limit access

Supporting Documentation Provided: Need-to-Know & Least-Privilege Access Policy

 


19) Privacy Violation Enforcement Mechanisms

  • Yes. Policy acknowledgement is confirmed during quarterly evaluations and reviews.

  • Employees, contractors, and vendors who violate privacy or confidentiality policies face corrective action, remediation, and, depending on the severity, termination.

  • Documented in the Employee Handbook and reinforced during training.

  • Documented in contractor onboarding agreements.

20) FCPA, Anti-Bribery, AML Compliance


📊 NIST CSF 2.0 Alignment

Function        Privacy Practice
--------------  ------------------------------------------------
Govern (GV)     Compliance oversight & EOS reviews
Identify (ID)   Data classification & retention
Protect (PR)    Policies, encryption, least privilege
Detect (DE)     SOC monitoring, audits
Respond (RS)    Incident reporting & breach response
Recover (RC)    Data obliteration & certificate of destruction