Technical and Organizational Measures
Last Updated: August 5, 2022
NICE employs safety, physical security, and computer system security policies and procedures for ElevateAI that are: (a) aligned with applicable prevailing industry standards and applicable laws; (b) designed to ensure the security and confidentiality of Content including consumer data; and (c) designed to protect against anticipated threats or hazards to the security or integrity of Content, including unauthorized intrusion, disclosure, misuse, alteration, destruction, or other compromise of such information.
All NICE employees are required to receive training on information security policies and risks on an annual basis. Additionally, NICE continues to provide its employees security training in order to develop products consistent with industry standard security considerations.
NICE conducts pre-employment background checks upon hire, to the extent permitted by applicable law, for those employees with access to Content.
4.1. NICE maintains policies and processes to control and secure access to ElevateAI and Content based upon the principle of least privilege through secure authentication, authorization mechanisms, and access control rules that take into account the risk associated with the particular information system and the type of information stored therein. These processes include multiple layers of access controls such as firewalls, tokens, security keys, and authentication.
4.2. NICE maintains safeguards to prevent unauthorized access to Content through fraud or error. User access management to ElevateAI includes processes around user registration, access provisioning, management of privileged access rights to information, information systems, and removal or adjustment of access rights.
4.3. Data centers have physical access control systems to permit only authorized personnel to have access to the secure areas. These physical controls include, but are not limited to, government issued identification with signature, access log recording with review, escorted access of authorized personnel, intrusion detection systems, access control devices, and closed circuit television cameras (“CCTV”).
4.4. Access logs are maintained on a centralized repository, to allow for security review and analysis by the security team. Such logs include but are not limited to failed and successful log-on attempts and log off attempts.
4.5. Data is segregated based on a private tier, and is not accessible without security control mechanisms made available to the subscriber of the service (e.g. using a secured web interface or through a secure Application Programming Interface (“API”)).
NICE continuously implements best practices and security technologies to protect its environment. NICE works with leading security vendors to deploy various tools to mitigate the threat of viruses, malware, and phishing.
NICE employs encryption to mitigate the risk of unauthorized disclosure or alteration of Content while in transit or at rest. Cryptographic keys shall be protected against unauthorized access, disclosure, modification, and data loss.
NICE endeavors to maintain continuity of its operations through business continuity, redundancy, appropriate staffing of incident response personnel, and timely recovery of critical NICE processes and systems. NICE tests its business continuity plans on an annual basis.
If NICE becomes aware of an actual or reasonably suspected Data Incident, NICE will immediately: (a) take all necessary measures to contain the Data Incident (as defined below) and ensure that the same or similar Data Incident does not recur; and (b) investigate the Data Incident and cooperate with You in responding to any disclosure obligation related with the Data Incident. “Data Incident” means any incident that has resulted in any unauthorized access to any Content in the possession or custody of NICE or any third party acting on behalf of NICE.
Content is retained in accordance with the NICE ElevateAI Privacy Notice or as set by You through the ElevateAI self-service tools. Additional services to assist in managing data retention may be made available from NICE, subject to additional terms and fees. Data other than Your Content (e.g., Your account information) is retained until the expiration or termination of Your ElevateAI account or following 24 months of account inactivity, whichever is earlier, after which it is disposed of in accordance with the appropriate Destruction Measures (as defined below). “Destruction Measures” means destruction of Content in a manner that prevents recovery or re-creation of Content, electronically or otherwise; and (b) effective removal from NICE equipment and media using disk sanitizing processes appropriate for the classification of information contained therein and storage media type.