Privacy and Security

Protecting private information is our priority. This documentation provides details about ESCO Institute’s privacy and security policies, as approved by the ESCO Institute board on March 23, 2022. The statements of privacy and security apply to ESCO Institute and govern data collection and usage. These policies, unless otherwise noted, shall cover areas such as data collection, data handling, access control, privacy, hardware, software, and cloud solutions. References to ESCO Institute shall extend to all its affiliates. By utilizing the ESCO Institute website, grading services, eLearning, and other ecommerce services, you consent to the data practices described in this statement.


Collection of Personal Data

To provide you with products and services offered on our site, ESCO Institute may collect personally identifiable information, such as your: First and Last Name, Mailing Address, E-mail Address, Phone Number, Social Security number, or another approved unique identifier. If you use and/or purchase ESCO Institute products and services, we collect billing and credit card information. The information is used for identification purposes and/or to complete the purchase transaction. ESCO Institute does not collect any personal information about you unless you voluntarily provide it to us. However, you may be required to provide certain personal information when you elect to use certain products or services on this site. This may include: (a) registering for an account on our site; (b) taking an examination; (c) signing up for special offers from selected third parties; (d) submitting your credit card or other payment information when ordering and purchasing products and services on our Site. ESCO Institute will use your information for purposes including, but not limited to, communicating with you in relation to services and/or products you have requested from us. ESCO Institute may also gather additional information in the future.


Use of your Personal Information

ESCO Institute collects and uses your personal information to deliver the services you have requested. ESCO Institute may also use your personal information to inform you of other products or services available from ESCO Institute and its affiliates.


Tracking User Behavior

ESCO Institute may keep track of the websites and pages our users visit within ESCO Institute, to determine what ESCO Institute services are the most popular. This data is used to deliver customized content and advertising within ESCO Institute to customers whose behavior indicates they are interested in a particular product or service.


Automatically Collected Information

Information about your computer hardware and software may be automatically collected by ESCO Institute. This information can include: your IP address, browser type, domain names, access times and referring website address. This information is used for the operation of the service, to maintain quality of the service, and to provide general statistics regarding the use of the ESCO Institute website.


Use of Cookies

The ESCO Institute website may use “cookies” to help you personalize your online experience. A cookie is a text file that is placed on your hard disk by a web page server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you and can only be read by a web server in the domain that issued the cookie to you. You have the ability to accept or decline cookies. Most Web browsers automatically accept cookies, but you can usually modify your browser settings to decline cookies if you prefer. If you choose to decline cookies, you may not be able to fully experience the features of the ESCO Institute services and/or websites you visit.


Links

The ESCO Institute website contains links to other sites. Please be aware that ESCO Institute is not responsible for the content or privacy practices of such other sites. ESCO Institute encourages our users to be aware when they leave our site and to read the privacy statement of any other site that collects personally identifiable information.


Security of your Personal Information

ESCO Institute secures your personal information from unauthorized access, use, or disclosure. ESCO Institute uses the following method/s for this purpose: SSL Protocol. ESCO Institute strives to take appropriate security measures to protect against unauthorized access or alteration of your personal information. Unfortunately, no data transmission over the Internet or any wireless network can be guaranteed 100% secure. As a result, while ESCO Institute strives to protect your personal information, you acknowledge that: (a) there are security and privacy limitations inherent to the Internet which are beyond our control; and (b) security, integrity, and privacy of any and all information and data exchanged between you and us through this Site cannot be guaranteed.


Children Under Thirteen

ESCO Institute does not knowingly collect personally identifiable information from children under the age of thirteen. If you are under the age of thirteen, you must ask your parent or guardian for permission to use this website.


Email Communication

From time to time, ESCO Institute may contact you via email for the purpose of providing regulatory updates, announcements, promotional offers, alerts, confirmations, surveys, and/or other general communication. If you would like to stop receiving marketing or promotional communications via email from ESCO Institute, you may opt out of such communications by following the unsubscribe instructions in the email.


External Data Storage Sites

ESCO Institute may store your data on servers provided by third party hosting vendors with whom we have contracted.


Changes to this Statement

ESCO Institute reserves the right to change this Privacy Policy from time to time. ESCO Institute will notify you about significant changes in the way we treat personal information by sending a notice to the primary email address specified in your account, by placing a prominent notice on our site, and/or by updating any privacy information on this page. Your continued use of the site and/or services available through this site after such modifications will constitute your (a) acknowledgement of the modified Privacy Policy and (b) agreement to abide and be bound by that Policy.


Identity Based Access

The ESCO Institute uses stringent identity management and access control to restrict access to data and systems. Data access is restricted to employees who have an active role in supporting customers. Database and system resources are assigned based on the principle of least privilege. Employees are assigned access to the resources required to perform their specific jobs. Employees assigned roles that can impact customer information have privacy and security requirements embedded in their roles and responsibilities. Data access permissions are established, enforcing password complexity, periodic rotation of passwords, and suspension upon end of employment.


Threat Protection

Incident response is an important element in data security. ESCO Institute employs an advanced threat protection process to facilitate coordinated incident response. Endpoints are monitored 24x7 to predict, detect, monitor, assess, and mitigate potential threats. Upon discovery of a security incident, ESCO Institute uses its incident response process to track exactly what happened and to learn what data was accessed, who accessed it, and when. In the event of such an occurrence, the Information Technology Team will suspend the affected resource until the situation is resolved.


Data Breach Response

The ESCO Institute requires that any threat of data leakage identified by either artificial intelligence or an ESCO Institute employee be reported immediately to the Information Technology Team. The team will investigate all reported thefts, data breaches, and exposures to confirm whether a theft, breach, or exposure has occurred.

If a theft, data breach, or exposure containing ESCO Institute protected data is identified, the Information Technology Team will begin the process of removing access to that resource. As provided by ESCO Institute cyber insurance, the insurer will provide access to forensic investigators and experts who will determine how the breach or exposure occurred and the number of individuals impacted, and will analyze the breach or exposure to determine the root cause. Any impacted individuals will be notified in writing.


Data Retention

ESCO Institute is required by the United States Environmental Protection Agency to maintain all records for three years. To better serve our clientele, we have a policy of retaining data in perpetuity.


Physical Security

The ESCO Institute stores data in an encrypted database, located in a datacenter that is designed, built, and managed based on a defense in depth strategy that includes rigorous physical security to protect services and data from natural disasters and unauthorized access.


Encryption

ESCO Institute uses technological safeguards, including encryption algorithms, to enhance the security and support of data. Data in transit uses industry-standard encrypted transport protocols between user devices and the ESCO Institute database as well as within the datacenters themselves. ESCO Institute applies best practice for encryption standards from industry bodies and working groups including OWASP and NIST. All API communication uses HTTPS (TLS 1.2), and our database at rest uses AES-256 encryption. The ESCO Institute database resides on a dedicated server.


Acceptable Use

ESCO Institute requires new employees to undergo information security training. Through training and susceptibility analysis, our goal is to educate every employee and give them the tools to detect and respond to social engineering and phishing attempts.


Security Awareness Training

ESCO Institute employees are required to go through security awareness training. This process educates each employee, monitors their use, and provides continued susceptibility analysis. Security awareness training provides employees the tools needed to detect and respond to social engineering and phishing attempts if needed.


Secure Software and Applications

A provision of employment with the ESCO Institute is an agreement that commits employees to the confidentiality of all data. Internal tools contain data protection notices to remind employees and data handlers of their responsibility for any sensitive data that the tool may contain. Installation of software, updates, and patches is restricted to members of the Information Technology Team.


Remote Access

ESCO Institute requires any employees working remotely, whether at home, or during travel, to connect through our virtual private network. Connection to the ESCO Institute VPN requires multifactor authentication, using technological solutions approved by the Information Technology Team.


Access Control

ESCO Institute continually monitors employee workstations for activity. All employees must logout when away from their workstation. To ensure this policy is adhered to, inactive stations will automatically be logged out.


Email

ESCO Institute provides email accounts to employees for the sole purpose of supporting our customers. All emails must be in line with proper business practices and relevant to the employee's specific job duties. The ESCO Institute email addresses or system may not be used for creating, distributing, or accessing any offensive or illegal material, including but not limited to material with offensive comments about gender, race, age, sexual orientation, or religious beliefs. Any offensive material received in email must be reported to Human Resources without undue delay. Email received at ESCO Institute email addresses may not be automatically forwarded to email addresses not owned or operated by the ESCO Institute or its affiliates. Emails must not contain any sensitive or confidential information. The ESCO Institute may monitor and record any and all email messages received or sent by email addresses or systems owned or operated by the ESCO Institute. ESCO Institute does not necessarily monitor all email activity but retains the right to do so. As stipulated in our employee security awareness training, employees may not click on attachments or links in unsolicited emails or in emails from unknown sources. Any suspicious emails should be sent to the Information Technology Team for review.


Changes to Cyber Security

Due to the continual changes in cyber security threats, the ESCO Institute reserves the right to revise these security policies at any time.


Contact Information

ESCO Institute welcomes your questions or comments regarding these privacy and security policies. If you have any questions, contact ESCO Institute by phone at 1-800-726-9696 or by email at customerservice@escogroup.org.