Customer Information and Services Data
Services Data is data that resides on Grub Labs, customer or third-party systems to which Grub Labs is provided access to perform services (including Cloud environments as well as test, development and production environments that may be accessed to perform Grub Labs consulting and support services). Grub Labs treats services data according to the terms of this policy, and treats services data as confidential in accordance with the terms of your order for services.
In contrast, having contracted with Grub Labs for Cloud or other services, the customer provides Grub Labs access to its production, development or test environment, which may include personal information about its employees, customers, partners or suppliers (collectively “end users”).
How Grub Labs Collects and Uses Services Data
Below are the conditions under which Grub Labs may access, collect and/or use services data.
To Provide Services and to Fix Issues. Services data may be accessed and used to perform services under your order for support, consulting, Cloud or other services and to confirm your compliance with the terms of your order. This may include testing and applying new product or system versions, patches, updates and upgrades; monitoring and testing system use and performance; and resolving bugs and other issues you have reported to Grub Labs. Any copies of services data created for these purposes are only maintained for time periods relevant to those purposes.
As a Result of Legal Requirements. Grub Labs may be required to retain or provide access to services data to comply with legally mandated reporting, disclosure or other legal process requirements.
Grub Labs does not use services data except as stated above or in your order. Grub Labs may process services data, but does not control your collection or use practices for services data. If you provide any services data to Grub Labs, you are responsible for providing any notices and/or obtaining any consents necessary for Grub Labs to access, use, retain and transfer services data as specified in this policy and your order.
Grub Labs’ access to services data is based on job role/responsibility. Services data residing in Grub Labs-hosted systems is controlled via an access control list (ACL) mechanism, as well as the use of an account management framework. You control access to services data by your end users; end users should direct any requests related to their personal information to you.
Security and Breach Notification
Grub Labs is committed to the security of your services data, and has in place physical, administrative and technical measures designed to prevent unauthorized access to that information. Grub Labs security policies cover the management of security for both its internal operations as well as the services. These policies, which are aligned with the ISO/IEC 27001:2005 standard, govern all areas of security applicable to services and apply to all Grub Labs employees. Grub Labs’ Support, Consulting and Cloud lines of business have developed detailed statements of security practices that apply to many of their service offerings, which are available for review at your request.
Grub Labs’ security policies and procedures are reviewed and overseen by Grub Labs Global Information Security (GIS). GIS is responsible for security oversight, compliance and enforcement, and for conducting information security assessments and leading the development of information security policy and strategy.
Grub Labs is also committed to reducing risks of human error, theft, fraud, and misuse of Grub Labs facilities. Grub Labs’ efforts include making personnel aware of security policies and training employees to implement security policies. Grub Labs employees are required to maintain the confidentiality of services data. Employees’ obligations include written confidentiality agreements, regular training on information protection, and compliance with company policies concerning protection of confidential information.
Grub Labs promptly evaluates and responds to incidents that create suspicions of unauthorized handling of services data. Grub Labs GIS and Legal are informed of such incidents and, depending on the nature of the activity, define escalation paths and response teams to address the incidents. If Grub Labs determines that your services data has been misappropriated (including by a Grub Labs employee) or otherwise wrongly acquired by a third party, Grub Labs will promptly report such misappropriation or acquisition to you.
Grub Labs has appointed a Chief Privacy Officer. If you believe your services data has been used in a way that is not consistent with this policy, or if you have further questions related to this policy, please contact the Chief Privacy Officer by email email@example.com.
Last Updated: October 2013