Privacy Statement and Terms of Use

University of California Risk and Safety Solutions (RSS) is committed to protecting the privacy and accuracy of your personally identifiable information and the confidentiality of your business data.

The following Privacy Statement and Terms of Use applies to the RSS Platform “software as a service” (SaaS) provided by University of California Risk and Safety Solutions (RSS).

Our Commitment to Privacy

RSS is committed to protecting the privacy and accuracy of your personally identifiable information to the extent possible, subject to UC policies, State law, and Federal law. Other than as stated below or required by laws that guarantee public access to certain types of information or in response to subpoenas or other legal instruments that require disclosure, personally identifiable information is not disclosed without your consent.

When you use the RSS Platform, you agree to these terms and conditions. Please refer to the contact information at the end of this statement if you have questions or concerns about this statement. Your use of the RSS Platform will be subject to the most recent RSS Platform Privacy Statement and Terms of Use. Since this statement may be updated from time to time, we urge you to visit this site regularly to review the current statement.

RSS is committed to maintaining the privacy of personal information and takes many precautions for the security of personal information. We are continually monitoring our systems and practices to enhance the security of sensitive information.

Definitions

Strictly Necessary Cookies

  • A strictly necessary cookie is an essential type of cookie utilized by the website to ensure seamless functionality, without which the site's operations would be impossible.

Functional Cookies

  • Functional cookies allow website owners to personalize the browsing experience of their end-users, providing additional functionality that can greatly enhance your site.

Analytics Cookies

  • Analytics cookies or performance cookies are employed to monitor website visitors and user behavior, to enhance the website's performance and ultimately provide a seamless user experience.

Personally Identifiable Information (PII)

  • The National Institute of Standards and Technology (NIST) defines PII as any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.

Information Collection

Personally Identifiable Information (PII) collected by the RSS Platform is communicated and agreed upon with your organization (company or educational institution) prior to onboarding. PII collection is normally limited to first name, last name, business email, business phone, department, affiliation type (e.g. staff, faculty, student), employee ID, login ID, or other unique identifiers generated by your organization. Please contact your information technology help desk for further details on the information provided to the RSS Platform. RSS provides no warranty on the accuracy of the information provided by your organization.

Some features within the RSS Platform allow for the submission of photos or documents. Please be informed of, and follow, your organization’s policies regarding the taking of photos and handling of documents with sensitive material. RSS is not responsible for violations of your organization’s policies regarding photos and documents uploaded to the RSS Platform.

Information Automatically Collected

Additional information is collected by the RSS Platform while you use it. This includes your internet domain, IP address, type of device, browser, operating system, date visited, time visited, pages visited, search terms used on our search engines, and information used to fill out forms and transaction data. A general geolocation may be derived from your IP address. However, derived geolocation information is not more specific than city, county, and/or region.

The RSS Platform includes mobile apps that leverage the capabilities of mobile devices to enhance certain solutions when the user enables them. Mobile sensor data may include, but are not limited to, information from the built-in camera, GPS, gyroscope, accelerometer, and near field communication (NFC) sensor. When these data sources and sensors are used in the mobile app, the user has the ability to enable or disable them for use in the RSS Platform. Mobile device data are only stored for the business purposes of the user.

Directory information may be provided to us by your organization via Lightweight Directory Access Protocol (LDAP). LDAP is a protocol that enables the accessing and maintaining of distributed directory information services over an Internet Protocol (IP) network. Directory information is also provided when you log into the RSS Platform. Please direct any questions or concerns regarding the release of directory information to your organization. For educational institutions, please see the FERPA section for more information relevant to directory information.

Information Use

Personally Identifiable Information (PII) is used to share business data with authorized users in your organization. In order to keep you informed of activities requiring your attention, we may use collected personal information for notifications within the RSS Platform or for user support communications.

The RSS Platform uses Strictly Necessary Cookies, Functional Cookies, and Analytics Cookies to deliver web content specific to your security session or profile settings or to keep track of online transactions. PII stored in cookies is limited to first name, last name, business email, login ID, and organization name. Cookies are only used by RSS to track activity within the RSS Platform.

The RSS Platform utilizes Pendo (pendo.io) for tracking usage information. RSS uses this service as an aid for troubleshooting problems and soliciting customer feedback. Information sent to Pendo is limited to log-in ID, first name, last name, business email address, URLs visited, browser version, and basic button clicks (e.g., “Submit” button). Pendo uses this information only to provide the above-mentioned services to RSS.

RSS leverages artificial intelligence/machine learning models to facilitate workflows within the RSS Platform. Any data that are submitted to the RSS Platform may be used to train the machine learning models, which are intended to enhance your care or experience. Possible uses of machine learning models include, but are not limited to, outcome prediction, automatic classification, recommendation, image processing of uploaded photos, natural language processing, and anomaly detection. RSS will protect your privacy in the use of machine learning models. Data used for these models will be de-identified to protect your privacy. No Personally Identifiable Information (PII) in any form will be used to train the models. RSS Platform applications ensure the de-identification of any personally identifiable information (PII) during the data processing phase.

Disclosure of Collected Information

Except as noted in this statement or required by law, RSS will not disclose or share personally identifiable information without your consent.

RSS has partnered with leading cloud providers, such as AWS, Azure, and MongoDB Atlas, for application hosting. Our partnerships include contracts that prohibit these third-party providers from accessing your data, except in cases where RSS requires their assistance for specific support purposes. RSS requires that third-party cloud providers maintain at least the same level of protection of your privacy in those instances.

Updating Personal Information

Questions regarding your options to review, correct, or delete previously provided personal information should be directed first to the maintainers of your organization’s information technology and then to RSS via service@RiskandSafetySolutions.com.

Security

Submitted sensitive information is protected both online and offline. The RSS Platform utilizes a secure architecture to ensure the confidentiality, integrity, and availability of our services. Web communication sessions are secured using HTTPS with transport layer security (TLS) encryption and strong ciphers. Data are encrypted at rest using strong encryption. The RSS Platform is hosted by cloud providers with rigorous physical, technical, and administrative safeguards. RSS monitors its environment to detect vulnerabilities and cyber threats. RSS has well-defined disaster recovery, business continuity, and incident response plans. Only authorized RSS personnel who need the information to perform specific job functions are granted access to user data.

Monitoring

The RSS Platform is monitored for cybersecurity threats and for protecting the privacy of users. Information that is monitored is limited to the details listed under Information Collection. RSS staff may only review user activity when authorized for user support or for security concerns. User activity may also be subject to audit by University of California staff or authorized third parties when managing or assisting with security incidents.

Phishing

Phishing is a cybercrime that involves the attempt to acquire personal information such as usernames, passwords, or other identifying information by masquerading as a trustworthy entity in an email. RSS does not request or solicit personal information via email. If you believe you have responded to a phishing attempt, contact your organization’s IT support and notify the RSS Service Desk at service@RiskandSafetySolutions.com or 530-638-DESK (3375) immediately.

Public Computers

Never leave your computer or mobile device unattended during a browser session in the RSS Platform. Protect your information by logging out and closing your browser when you are finished with each session.

Passwords

RSS staff do not have access to your password in any way.

If your organization has integrated its own single-sign-on (SSO) provider with the RSS Platform, your organization maintains control of your account and password. Multi-factor authentication is also managed by your organization.

Your organization may have opted to manage accounts within the RSS Platform. RSS uses secure Identity Management (IdM) solutions for managing these accounts. RSS staff follow secure procedures for managing IdM frameworks. Passwords are stored in the IdM solution using cryptographic hashing algorithms. Multi-factor authentication is available for these accounts upon request by your organization.

Accessibility Statement

We are committed to ensuring that the RSS Platform is accessible to everyone, including individuals with disabilities. Please review the RSS Accessibility Statement at https://riskandsafety.com/accessibility-statement.

FERPA

The Family and Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a federal law that protects the privacy of students’ education records. If you are using the RSS Platform as a student, faculty, or staff of an educational institution, please read this section.

Risk and Safety Solutions maintains reasonable administrative, physical, and technical standards to ensure that no unauthorized persons are able to gain access to any student information that may be considered confidential under FERPA. For example:

  • Data in the RSS Platform is logically segregated by educational institution.
  • Any release of directory information to RSS is coordinated with the appropriate school officials of your educational institution.
  • Only users from your educational institution can access directory information from your educational institution.
  • Only information relevant to the RSS Platform is provided from your educational institution to Risk and Safety Solutions. This includes first name, last name, school email address, business phone, employee ID, login ID, and training information relevant to the RSS Platform, such as safety training.

HIPAA

If you have any questions regarding support of Protected Health Information (PHI) and HIPAA compliance, please contact service@RiskandSafetySolutions.com, and we will route you to the appropriate representative.

Links to Other Sites

You may encounter links to other websites of organizations not directly affiliated with RSS. Please be aware that RSS is not responsible for the information practices of external organizations that are linked from our website. We recommend that you review the privacy statements of each external website that collects personal information.

Third-Party Software

RSS is not responsible for the security or privacy of any software on your device that you may use in conjunction with the RSS Platform. This includes speech-to-text, virtual assistants (e.g., Siri, Alexa, Cortana, or Google Assistant), photography, communications, or other productivity applications.

Policy Changes

Any revisions to this privacy policy will be posted at this URL. If we make material changes to this Privacy Statement and Terms of Use, we will post an announcement through the RSS Platform.

Questions or Concerns

You may submit inquiries about this policy to service@RiskandSafetySolutions.com.


Effective: July 10th, 2023