- Information We Collect and Receive
Together may collect and receive Customer Data, and also other information and data (“Other Information”, and together with Customer Data, “Information”) in a variety of ways:
- Customer Data. Customers or individuals granted access to the platform by a Customer (“Authorized Users”) routinely submit Customer Data to Together when using the Services.
- Other Information. Together also collects, generates and/or receives Other Information:
- Account Information. To create or update an account, you or your Customer (e.g., your employer) supply Together with an email address, and/or similar account details. In addition, Customers that purchase a paid version of the Services provide Together (or its payment processors) with billing details such as credit card information, banking information and/or a billing address.
- Usage Information.
- Services Metadata. When an Authorized User interacts with the Services, metadata is generated that provides additional context about the way Authorized Users work. For example, Together logs the people, features, content and links Authorized Users interact with, and what Third Party Services they use (if any).
- Log data. As with most websites and technology services delivered over the Internet, our servers automatically collect information when you access or use our Website or Services, and record it in log files. This log data may include the Internet Protocol (IP) address, the address of the web page visited before using the Website or Services, browser type and settings, the date and time the Services were used, information about browser configuration and plugins, language preferences and cookie data.
- Device information. Together collects information about devices accessing the Services, including type of device, what operating system is used, device settings, application IDs, unique device identifiers and crash data. Whether we collect some or all of this Other Information often depends on the type of device used and its settings.
- Location information. We receive information from you, your Customer and other third parties that helps us approximate your location. We may, for example, use a business address submitted by your employer, or an IP address received from your browser or device to determine approximate location. Together may also collect location information from devices in accordance with the consent process provided by your device.
- Contact Information. In accordance with the consent process provided by your device, any contact information that an Authorized User chooses to import (such as an address book from a device) is collected when using the Services.
- Third Party Data. Together may receive data about organizations, industries, Website visitors, marketing campaigns and other matters related to our business from parent corporation(s), affiliates and subsidiaries, our partners or others that we use to make our own information better or more useful. This data may be combined with Other Information we collect and might include aggregate level data, such as which IP addresses correspond to postal codes or countries. Or it might be more specific: for example, how well an online marketing or email campaign performed.
- Additional Information Provided to Together. We receive Other Information when submitted to our Website or if you participate in a focus group, contest, activity or event, apply for a job, request support, interact with our social media accounts or otherwise communicate with Together.
Generally, you are not under a statutory or contractual obligation to provide any Information to Together. However, certain Information is collected automatically and, if some Information, such as platform setup details, is not provided as we require, we may be unable to provide the Services.
- How We Use Information
Customer Data will be used by Together in accordance with Customer’s instructions, including any applicable terms in the Customer Agreement and Customer’s use of Services functionality, and as required by applicable law. Customer may, for example, use the Services to grant and remove access to the platform, assign roles and configure settings, access, modify, export, share and remove Customer Data and otherwise apply its policies to the Services.
Together uses Other Information in furtherance of our legitimate interests in operating our Services, Website and business. More specifically, Together uses Other Information:
- To provide, update, maintain and protect our Services, Website and business. This includes use of Other Information to support delivery of the Services under a Customer Agreement, prevent or address service errors, security or technical issues, analyze and monitor usage, trends and other activities or at an Authorized User’s request.
- As required by applicable law, legal process or regulation.
- To communicate with you by responding to your requests, comments and questions. If you contact us, we may use your Other Information to respond.
- To develop and provide additional features. Together tries to make the Services as useful as possible for Authorized Users. For example, we may improve search functionality by using Other Information to help determine and rank the relevance of content to an Authorized User, to make Services suggestions based on historical use and predictive models, identify organizational trends and insights, to customize a Services experience or to create new productivity features and products.
- To send emails and other communications. We may send you service, technical and other administrative emails, messages and other types of communications. We may also contact you to inform you about changes in our Services, our Services offerings, and important Services-related notices, such as security and fraud notices. These communications are considered part of the Services and you may not opt out of them. In addition, we sometimes send emails about new product features, promotional communications or other news about Together. These are marketing messages so you can control whether you receive them.
- For billing, account management and other administrative matters. Together may need to contact you for invoicing, account management and similar reasons and we use account data to administer accounts and keep track of billing and payments.
- To respond to Customer requests for information relating to their Authorized Users’ usage of the Services.
- To investigate and help prevent security issues and abuse.
- Data Retention
- How We Share and Disclose Information
This section describes how Together may share and disclose Information. Customers determine their own policies and practices for their sharing and disclosure of Information, and Together does not control how they or any other third parties choose to share or disclose Information.
- Customer’s Instructions. Together will solely share and disclose Customer Data in accordance with a Customer’s instructions, including any applicable terms in the Customer Agreement and Customer’s use of Services functionality, and in compliance with applicable law and legal process.
- Displaying the Services. When an Authorized User submits Other Information, it may be displayed to other Authorized Users of the same Customer.
- Customer Access. Owners, administrators, Authorized Users and other Customer representatives and personnel may be able to access, modify or restrict access to Other Information. This may include, for example, your employer exporting logs of platform activity, or accessing or modifying your profile details, or otherwise accessing Other Information related to your use of the Services.
- Third Party Service Providers and Partners. We may engage third party companies or individuals as service providers or business partners to process Other Information and support our business. These third parties may, for example, provide virtual computing and storage services.
- During a Change to Together’s Business. If Together engages in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of Together’s assets or stock, financing, public offering of securities, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities (e.g. due diligence), some or all Other Information may be shared or transferred, subject to standard confidentiality arrangements.
- Aggregated or De-identified Data. We may disclose or use aggregated or de-identified Other Information for any purpose. For example, we may share aggregated or de-identified Other Information with prospects or partners for business or research purposes, such as telling a prospective Together customer the average amount of time spent on the platform.
- To Comply with Laws. If we receive a request for information, we may disclose Other Information if we reasonably believe disclosure is in accordance with or required by any applicable law, regulation or legal process.
- To enforce our rights, prevent fraud, and for safety. To protect and defend the rights, property or safety of Together or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud or security issues.
- With Consent. Together may share Other Information with third parties when we have consent to do so.
Together complies with the EU GDPR framework as set forth by the European Union regarding the collection, use, and retention of personal data from European Union member countries. Together has certified that it adheres to the requirements of notice, choice, onward transfer, security, data integrity, access and enforcement.
Together takes security of data very seriously. Together works hard to protect Other Information you provide from loss, misuse, and unauthorized access or disclosure. These steps take into account the sensitivity of the Other Information we collect, process and store, and the current state of technology. Given the nature of communications and information processing technology, Together cannot guarantee that Information, during transmission through the Internet or while stored on our systems or otherwise in our care, will be absolutely safe from intrusion by others.
- Age Limitations
To the extent prohibited by applicable law, Together does not allow use of our Services and Website by anyone younger than 16 years old. If you learn that anyone younger than 16 has unlawfully provided us with personal data, please contact us and we will take steps to delete such information.
- Your Rights
You may have the right to request access to Information, as well as to seek to update, delete or correct this Information. If you cannot use the settings and tools to do so, contact Customer for additional access and assistance.
- Contacting Together
Delegation of security features
In most places we leverage existing security solutions from industry-leading third-party providers, such as Google Cloud Platform. This removes the majority of exploitable vulnerabilities in cloud-based web apps of similar nature to our product. In the sections below we refer you to their documentation where relevant, and we provide an overview of where and how those solutions are implemented.
Database Admin Access and Credentials
Our database is provisioned by the Google Cloud Platform, in particular, the Firebase suite of products. Read / write access to the data is restricted to administrative service accounts with private key credentials (x509).
Only our own back-end servers perform read / write via these admin service accounts, and no other services or third parties are privy to these credentials. We keep these keys from being exposed in two ways:
- In general, we avoid creating static copies/downloads of private keys and rely on Google’s run-time environment to automatically manage admin credentials in cloud server deployments
- We exclude private keys from code repositories and version management systems (GitHub, Git)
Role-based management of our app ensures that only our development team (and not, for example, sales) has access to these keys to download or use.
Client authentication and Firewall
We ensure that only our web-browser app can successfully perform REST requests to our server API. This is done through both client authentication and a firewall on our server.
In client authentication, we mint and sign JWTs (JSON Web Tokens) for a limited-duration session. Clients must provide this authentication token on all HTTPS requests to our servers and must refresh it regularly. The signing and verification of tokens is handled entirely by a Google Firebase Authentication server (https://firebase.google.com/products/auth/).
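The checks a server applies to such a session token before trusting a request, shown as an added example (not Together's or Firebase's code). The issuer, audience, subject values and the locally generated RSA key pair are constructed assumptions standing in for the authentication server.

```javascript
// Added example: checks a server applies to an RS256 session JWT before
// trusting a request. Keys, issuer and audience are constructed samples.
const crypto = require('node:crypto');

const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const ISSUER = 'https://auth.example.test/demo-project'; // hypothetical issuer
const AUDIENCE = 'demo-project';                          // hypothetical audience
const b64u = (v) => Buffer.from(v).toString('base64url');

// Test-only signer standing in for the authentication server.
function mintToken(claims, header = { alg: 'RS256', typ: 'JWT' }) {
  const input = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const sig = header.alg === 'RS256' ? crypto.sign('sha256', Buffer.from(input), privateKey) : Buffer.alloc(0);
  return `${input}.${sig.toString('base64url')}`;
}

// Returns { ok: true, claims } or { ok: false, reason }.
function verifySessionToken(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch { return { ok: false, reason: 'malformed' }; }
  if (!header || !claims) return { ok: false, reason: 'malformed' };
  // Pin the algorithm: the token never gets to choose "none" or a symmetric alg.
  if (header.alg !== 'RS256') return { ok: false, reason: 'bad-alg' };
  const valid = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`), publicKey,
    Buffer.from(parts[2], 'base64url'));
  if (!valid) return { ok: false, reason: 'bad-signature' };
  if (claims.iss !== ISSUER || claims.aud !== AUDIENCE) return { ok: false, reason: 'wrong-issuer-or-audience' };
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return { ok: false, reason: 'expired' };
  if (typeof claims.sub !== 'string' || claims.sub === '') return { ok: false, reason: 'no-subject' };
  return { ok: true, claims };
}

const now = 1700000000; // fixed clock for the constructed samples
const base = { iss: ISSUER, aud: AUDIENCE, sub: 'user-123', iat: now, exp: now + 3600 };
const good = mintToken(base);
const [h, , s] = good.split('.');
const tampered = `${h}.${b64u(JSON.stringify({ ...base, sub: 'admin-1' }))}.${s}`;
const results = {
  good: verifySessionToken(good, now + 60),
  expired: verifySessionToken(good, now + 3601),
  tampered: verifySessionToken(tampered, now + 60),
  unsigned: verifySessionToken(mintToken(base, { alg: 'none', typ: 'JWT' }), now + 60),
};
console.log(results);
```

In a real deployment the public keys come from the identity provider and are rotated, so the verifier selects the key by the token's `kid` header rather than holding a single key.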
Development versions of our app are subject to a Google-provisioned firewall to prevent requests from outside our development team (https://cloud.google.com/appengine/docs/standard/python/creating-firewalls).
We do not store any employee passwords, as authentication happens via SSO through federated providers (Microsoft, Google) (see Client Roles below).
Federated Provider Access Tokens
In performing 3rd party calendar and HRIS integration, we obtain access/refresh tokens or API keys with the right to read customer’s HRIS data or calendars organization-wide. These tokens/keys are stored securely (encrypted) in a secondary database. In order to make requests to Google Calendar, Outlook Calendar or HRIS vendor APIs with these tokens, we decrypt these credentials at runtime.
Tokens or keys must always be accompanied by a secondary credential, typically client secret or username/password respectively. We ensure that the tokens/keys and their respective secondary credential are stored in separate environments, accessed by different admin service accounts.
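One way to encrypt such a token at rest and decrypt it at runtime, as an added example that is not Together's code. AES-256-GCM, the record layout, the binding of each ciphertext to its customer and provider, and all sample values are assumptions; the page does not name a cipher.

```javascript
// Added example: sealing a provider refresh token at rest with AES-256-GCM.
const crypto = require('node:crypto');

// Assumption: in production this key lives in a KMS or secret manager that the
// token database's service account cannot read. Here it is a constructed random key.
const TOKEN_KEY = crypto.randomBytes(32);

// Bind each ciphertext to its owner so a record copied to another row fails to decrypt.
const aadFor = (customerId, provider) => Buffer.from(`${customerId}|${provider}`, 'utf8');

function sealToken(customerId, provider, token, key = TOKEN_KEY) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce per record
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aadFor(customerId, provider));
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  return {
    customerId, provider,
    iv: iv.toString('base64'), ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Returns the plaintext token, or null if the record was altered or the key is wrong.
function openToken(record, key = TOKEN_KEY) {
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(record.iv, 'base64'));
    decipher.setAAD(aadFor(record.customerId, record.provider));
    decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
    const pt = Buffer.concat([decipher.update(Buffer.from(record.ct, 'base64')), decipher.final()]);
    return pt.toString('utf8');
  } catch { return null; }
}

// Constructed sample record and two failure cases.
const record = sealToken('cust-001', 'google-calendar', 'constructed-refresh-token');
const moved = { ...record, customerId: 'cust-002' };
console.log(openToken(record), openToken(moved), openToken(record, crypto.randomBytes(32)));
```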
Client access and roles
Users log in to our web app with their organization Outlook or Gmail credentials. If you have single-sign-on (SSO) enabled, this will work with these credentials automatically.
Only a customer’s program administrators have rights to access the program administrator portal, which contains information regarding mentor/mentee pairings, feedback given by employees, and other information sensitive across employees in the organization. All other employees only have access to pages and features in the web app for managing their own mentorship experience.
In the case of employees leaving or joining a customer’s organization, we rely on two factors to expire or grant access to the platform and their account:
- They must be able to provide their identity through Outlook or Gmail login, thus their email and password must be valid
- They must be deemed an active employee in the organizational data provided by the customer
Data breach procedures
While we take industry-standard measures to protect our customers’ data, we do plan for the unlikely event of a data breach. In general, our protocol is encompassed in the following steps:
- Shut down all access to databases, including administrative/servers
- Review audit logs of events leading up to and immediately following the discovery of the breach to understand the cause
- Communicate to our employees what happened, and how they should respond to any inquiries
- Immediate notification and activation of a designated response team, including legal counsel, to determine whether law enforcement and/or other regulatory agencies need to be involved.
- Identification of the cause of the breach and implementation of whatever steps are necessary to fix the problem
- Notifying our customers within 48 hours once a reasonable understanding of the extent of the breach has been established. We will seek counsel from lawyers who review provincial/state laws, compliance regulations, and other mandates affecting the content of notifications to end-users.