1. Purpose and Scope
The purpose of this policy is to define the conditions of privacy under which Highwire operates its general website and under which it uses, processes, and stores the data that it collects from enrolled partners who log into and use the Highwire vendor-prequalification application.
This policy applies to the public Highwire website (www.Highwire.com) as well as all Highwire networks and IT systems and all end user data that is provided by enrolled clients related to the use of the Highwire System. This policy is in full effect for the duration of an active client account.
The Highwire Privacy Policy is intended to clearly and thoroughly explain our policies around cookies, data collection, data use, data processing, data transfer, data retention and deletion, notifications of personal data breaches, and how you can contact Highwire to manage or delete your information/account.
2. Visitors vs. Users
The Highwire website is openly available and Visitors to the website are not required to input any personal information in order to navigate our pages and learn about our products. Highwire does, however, use cookies as a way to help us improve the visitor experience, as further described in Section 4 below. First-time visitors to the Highwire site are immediately informed of our use of cookies via a pop-up banner and there is also a link to this policy provided within the text of the pop-up banner and at the bottom of every page on our website.
Users of the Highwire system are defined within this policy as individuals who are enrolled in one or more of Highwire’s software products, including Highwire Safety, Highwire Financial, Highwire Tracker, and/or Highwire Inspect. This policy encompasses all the client end Users who use any aspect of the Highwire system, as well as Highwire employees.
Highwire Users can be set up with 1 of 2 types of access to the Highwire web-based application – either Administrative or General. The only standard distinction between the two access levels is that Administrative Users are initially set up in the system by Highwire and are given the capability to create General Users so that they can internally manage the list of their employees who will be using the Highwire application based on their specific business needs.
When a General User is added by a Hiring Partner Administrator, the only identifiable data that is provided by the Administrator is the name, business email address, title, and telephone number of the General User. Once a Hiring Partner Administrator sets up a General User profile, an automatic email is sent from the Highwire system to the General User that provides a link to initiate the formal creation of a unique General User profile. During this set-up process, we use a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), which is a challenge-response system test that is designed to differentiate humans from automated programs. A CAPTCHA differentiates between human and bot by requiring completion of a task that is easy for most humans to perform but is more difficult and time-consuming for current bots to complete. Further, during set-up, all users must create a password that adheres to the application’s strict password system that is described in detail in the Highwire Password Policy.
All end user accounts (Hiring Partners and Contracting Partners) are unique to each user and are never shared. Based on the unique username and password, a General User is only able to access the specific data that he/she enters. In addition, end users only have access to the specific modules of the Highwire application (e.g., Highwire Safety, Highwire Financial, Highwire Tracker, Highwire Inspect) that are defined by their client contract agreement.
3. Reference Documents
Specific regulations and frameworks that are relevant to this policy include, but are not limited to:
ISO/IEC 27001 Standard. Clauses A.9.1.1, A.9.1.2, A.9.2.1 – A.9.2.6, A.9.3.1, A.9.4.1, A.9.4.3.
General Data Protection Regulation (GDPR), 5/25/2018
EU-U.S. & Swiss-U.S. Privacy Shield Frameworks, US Department of Commerce/European Commission/Swiss Administration
California Consumer Privacy Act (CCPA), 1/1/2020
Lei Geral de Proteção de Dados (LGPD), 2/1/2020
The overarching policies that describe Highwire’s commitment to information safety are this Highwire Privacy Policy and the Highwire Information Security Policy. The purpose of the Highwire Information Security Policy is to provide a high-level understanding of the principles and practice of Highwire’s Information Security Management System (ISMS). While the Highwire Information Security Policy provides a general approach to information security, it is supplemented by very specific technical policies that define the measures we take to ensure the confidentiality and integrity of our data, including:
Highwire Acceptable Use Policy
Highwire Access Control Policy
Highwire Change Management & Secure Engineering/Development Policy
Highwire Clear Desk and Clear Screen Policy
Highwire Data Backup Policy
Highwire Document & Information Control Policy
Highwire Encryption Policy
Highwire Incident Management Policy
Highwire Internal & External Audit Policy
Highwire Logging Policy
Highwire Monitoring Policy
Highwire Password Policy
4. Cookie Policy
To make the Highwire website work properly, small data files called cookies are sometimes placed on a Visitor or User’s device. These cookies are stored in text files on a device so that the preferences of a Visitor or User (such as language, font size, login, and other display preferences) are “remembered” when the Highwire website is subsequently loaded in a browser. This common practice does not in any way minimize Highwire’s commitment to maintaining the highest standards for the security and protection of customers’ information. Like most websites, Highwire uses cookies to help ensure a consistent and efficient experience for Visitors and Users, and to perform essential functions such as allowing enrolled users to register and remain logged in.
Highwire may also use cookies to help analyze how Visitors and Users interact with and navigate through our sites so that we can make improvements. Cookie-related information is also used to remember and log the actions of enrolled Users. Cookies are not used for any purpose other than those described herein. Specifically, the Highwire website does not enable 3rd-party tracking mechanisms to collect data over time and across unaffiliated websites for use in interest-based advertising. In addition, Highwire sets the HttpOnly flag on all cookies. This flag instructs the browser not to expose the cookie to client-side JavaScript, so that a malicious script injected into a page cannot read the cookie; the browser alone handles it and sends it with requests.
Visitors and Users can block any cookies from any website through their browser settings. Note that the procedures for changing settings and cookies differ from browser to browser. For more information about how to disable cookies for the top browsers, please refer to the instructions on their respective websites:
Internet Explorer (http://support.microsoft.com/gp/cookies/en)
Mozilla Firefox (http://support.mozilla.com/en-US/kb/Cookies)
Google Chrome (http://www.google.com/support/chrome/bin/answer.py?hl=en&answer=95647)
Safari (http://support.apple.com/kb/PH5042)
Opera (http://www.opera.com/browser/tutorials/security/privacy/)
In addition to changing a browser’s settings to prevent cookies from being placed, an individual can also delete all cookies that are already stored on a device. If a Visitor or User chooses this option, they may have to manually adjust some preferences every time they visit the Highwire site and some services and functionalities may not work at all.
First-time visitors to the Highwire website are immediately informed of Highwire’s use of cookies via a pop-up banner.
5. Data Collection
For the purposes of data collection, it is important to distinguish between Hiring Partner Users and Contracting Partner Users.
Hiring Partner Data
Hiring Partner end user data includes, but is not limited to, full name, title, business email, and business phone number. Hiring Partner Users of the Highwire Inspect module may also opt to provide their business cell phone number in order to receive alerts regarding inspection findings. This personal end user data is required as part of an enrolled Hiring Partner’s interaction and use of the Highwire application to allow users to set up secure accounts and to receive messages and alerts from the system.
Contracting Partner Data
Contracting Partner end user data that is collected as part of enrollment in the Highwire Application that is categorized as Personal Data or Personally Identifiable Information (PII) includes user full name, title, business email, and business phone number. Contracting Partner Users of the Highwire Inspect module may also opt to provide their business cell phone number in order to receive alerts regarding inspection findings. This personal end user data is required as part of an enrolled client’s interaction and use of the Highwire application to allow users to set up secure accounts and to receive messages and alerts from the system.
Additional information that is input and/or uploaded by the Contracting Partner as part of their use of the Highwire software may include, but is not limited to, trades performed, scope of services, geographic service areas, labor composition, safety policies/procedures/metrics, certificates of insurance, and financial statements.
No detailed safety or financial information will be shared with a Hiring Partner unless/until a Contracting Partner explicitly designates that Hiring Partner as an Authorized Recipient within the Highwire application. However, limited public information (e.g., company or entity name, trade(s), scope of services, geographic service areas) is provided to all Hiring Partners in the Highwire application, which allows Hiring Partners to extend bid invitations to any Contracting Partner enrolled in the Highwire application.
6. Data Use
Highwire’s ISMS is ISO 27001 compliant and is managed internally by our Vice President of Engineering, who acts as our Chief Information Security Officer (CISO) as defined in ISO 27001 and as our Data Protection Officer as defined in Article 37 of the GDPR. As clients use our services and systems, the Vice President of Engineering sets clear parameters on how their data is used and the ways in which a user’s privacy is protected, including but not limited to:
For users of the Highwire System, Highwire processes data solely for the purposes defined in the Client Software License and Services Agreement and/or the Subcontractor Participation Agreement and utilizes Amazon Web Services for all of our cloud computing as described in Section 7 below;
Highwire guarantees the confidentiality of personal data that is processed as defined in the contract agreements and within this document;
Highwire does not share data with any third parties and does not use any third party advertising providers;
Highwire ensures that its employees are fully vetted and receive the appropriate personal data protection training as defined in the Highwire Administrative Manual and the Highwire Employee Handbook;
Highwire employees acknowledge and sign the non-disclosure requirements set forth in the Highwire Employee Handbook;
Any data transfer or download happens via the SSL protocol;
To access data, the user must log in with a username/password as fully defined in the Highwire Password Policy;
During uploading of data, files are encrypted and stored as fully defined in the Highwire Encryption Policy, including the requirement that each encrypted file has its own key;
Stored backups and logs are encrypted as fully defined in the Highwire Data Backup Policy, including the requirement that Highwire does not use any temporary storage.
7. Data Processing
As noted above, Highwire uses Personal Data solely for the purposes defined in the Client Software License and Services Agreement and/or the Subcontractor Participation Agreement. In addition, Highwire contracts with Amazon Web Services, a leader in cloud technology, to create a logically isolated section of AWS where we can create a Virtual Private Cloud (VPC) for our system. While AWS falls outside the scope of Highwire’s ISMS, one of the reasons for choosing AWS was their own certification under ISO/IEC 27001:2013. Specifically, AWS was issued Certificate #2013-009 on 11/18/10, which was updated and re-issued on 5/23/23.
In addition, as part of our agreement with AWS, we are a party to their Data Processing Addendum (DPA). This is a critical component of our commitment to data security and privacy because Amazon’s DPA is fully compliant and meets all of the requirements of the General Data Protection Regulation (GDPR), the EU-US and Swiss-US Privacy Shield Frameworks, and the California Consumer Privacy Act (CCPA). Our DPA with AWS provides us with assurance on important data security requirements, including but not limited to:
AWS will process customer data only in accordance with customer instructions;
AWS has implemented and will maintain robust technical and organizational measures for the AWS network;
AWS will notify its customers of a security incident without undue delay after becoming aware of the security incident.
8. Data Transfers
Highwire does not share data with or transfer data to any third parties and does not use any third party advertising providers.
The Highwire Application is a SaaS-based, web-hosted application. As noted in earlier sections, Highwire contracts with Amazon Web Services for cloud service. As part of that contract, AWS maintains two separate servers for Highwire for redundancy and business continuity. AWS maintains compliance with both the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework and both certifications are classified as “Active”.
9. Data Retention and Deletion
Highwire retains all end user data only for as long as we have an ongoing legitimate need to do so and are working under a Hiring Partner or Contracting Partner agreement. Specific user accounts and Personally Identifiable Information are deleted immediately upon account deletion (by a client Administrative User or by Highwire) or upon contract termination. Highwire tries to ensure that our services protect information from accidental or malicious deletion. Because of this, there may be slight delays between when a user deletes something and when copies are deleted from our active and back-up systems.
As noted above, for deletion of specific user accounts, a client Administrative User has the functionality to delete an account that they created from the Highwire system. In addition, upon termination of a client or subcontract agreement, the Vice President of Engineering will remove the access rights of associated end user accounts by disabling their logins, removing their profiles from the system, and verifying that access has been terminated.
As detailed in the Highwire Contracting Partner Participation Agreement, Highwire may de-identify and aggregate information submitted by Contracting Partners, and Highwire owns all aggregated information and may use it for any purpose and communicate it to any third party without obligation to a subcontractor. Aggregated information is anonymous information and is no longer Personal Data subject to data protection laws or regulations.
10. GDPR Requirements and Privacy Shield Statement
Implementing an ISO 27001 compliant Information Security Management System (ISMS) is not only best practice, but it is also integral to demonstrating data protection compliance to clients, subcontractors, and third parties. In addition, by implementing ISO 27001, Highwire has created a strong framework to ensure compliance with the European Union General Data Protection Regulation (GDPR).
To ensure GDPR compliance, Highwire complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the United States Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union and Switzerland to the United States. Highwire has certified to the US Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in the Highwire Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield Program, and to view our certification, please visit:
https://www.privacyshield.gov/.
As part of the Privacy Shield Framework and Principles, Highwire certifies the following:
Highwire’s self-certification is subject to the investigatory and enforcement authority of the Federal Trade Commission;
Highwire collects limited Personal Data as described previously in Section 5 and we use this information only for the purposes described previously in Section 6;
Individual users of the Highwire Application have the right to access their Personal Data and to review, correct, amend, delete, or limit the use and/or disclosure of their Personal Data. EU and Swiss users, like all users, can securely log in to the Highwire System at any time using their unique username and password to access and review their personal data. If any user of the Highwire application would like to amend, delete, or limit the use and/or disclosure of their personal data, they can contact Highwire at support@Highwire.com as described in more detail in Section 13;
Highwire does not share data with or transfer data to any third parties and does not use any third party advertising providers. However, Highwire acknowledges that any entity, including Highwire, that does share or transfer data to third parties would remain liable if that third party processes personal data in a manner inconsistent with the principles;
Highwire, in accordance with our legal obligations and subject to a lawful request, may transfer Personal Data to public authorities for law enforcement or national security purposes;
Highwire encourages EU and Swiss users, and all users, who have questions or complaints about how we process their Personal Data under Privacy Shield to contact us as described in Section 13. Highwire will work to resolve your issues as quickly as possible, and no later than 30 days after receipt of a question or complaint;
If you have unresolved privacy or data use complaints that we have not addressed satisfactorily, please contact, free of charge, our US-based third party dispute resolution provider, American Arbitration Association, at https://go.adr.org/privacyshield.html;
If you are an EU or Swiss User and unable to resolve any complaints through any of the above methods, you may invoke binding arbitration in accordance with the Privacy Shield Framework at https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint.
11. California and Brazil Requirements
Highwire also maintains compliance with the California Consumer Privacy Act (CCPA) that went into effect on 1/1/20 and the Lei Geral de Proteção de Dados (LGPD) that went into effect in Brazil on 2/1/20. If the California Consumer Privacy Act (CCPA) or the LGPD applies to a user’s information, Section 13 of this policy describes the process available to a user to exercise his/her rights to receive information about Highwire data practices and/or to request deletion of his/her information/account.
Highwire does not share, sell, or transfer a user’s Personal Data. Highwire uses and processes Personal Data for business purposes only as defined in the Client Software License and Services Agreement, the Contracting Partner Participation Agreement, and this policy.
12. Notification of Changes to the Privacy Policy or Personal Data Breaches
Highwire reserves the right to revise the Highwire Privacy Policy at any time. If substantial changes are made to this privacy notice, Highwire will post notification of such changes on the “Highwire Blog” that is linked from our website at www.Highwire.com. In addition, all new versions of this policy will be immediately re-posted on the Highwire website, as accessed by the direct “Privacy Policy” link that is found at the bottom of every page on the Highwire website.
In addition, Highwire will notify clients immediately via email of any personal data breach (and never later than 72 hours after having become aware of it). This notification will include any documentation necessary to enable clients to report the breach to the competent supervisory authority if required, including:
The nature and description of the breach including the number of users who are affected;
Analysis and root cause of the failure;
Immediate corrective action to address the breach and mitigate the adverse effects; and,
Other corrective actions proposed or taken to prevent any future breaches of the same nature and type.
13. Contacting Highwire
Highwire’s headquarters are located at 700 District Avenue, 7th Floor, Burlington, Massachusetts, 01803.
If users have any questions or complaints about Highwire’s services, employees, data practices, if they would like to request deletion of their information/account, or if they have any reports of fraud, they can contact the Vice President of Engineering or the Vice President of Compliance at the above address, by email at support@Highwire.com, or telephone at 866-817-2210. Direct links to Highwire’s email address are also available on our public website and after users log in to the Highwire system.
Highwire responds to written complaints by contacting the person who made the complaint to resolve any issue directly and quickly in accordance with the Service Level Agreement (SLA) outlined in the Highwire Hiring Partner or Contracting Partner agreement. In addition, in accordance with the principles of the EU-US and Swiss-US Privacy Shield Frameworks and as detailed in Section 10, Highwire will work with the appropriate independent recourse authorities, including but not limited to, the United States Department of Commerce, the United States Federal Trade Commission, the EU Data Protection Authorities (DPAs), and the Swiss Federal Data Protection and Information Commissioner (FDPIC), as necessary to resolve any complaints to a user’s satisfaction and at no cost to the user.
14. Policy Compliance
a. Compliance Criteria
When evaluating the effectiveness and adequacy of this document, the following criteria must be considered:
Number of breaches of the system.
Number of account deletions.
Number of requests for data security information and resolution times.
Number of data security complaints and resolution times.
b. Compliance Measurement
The specific compliance criteria bulleted above are included as part of an ISMS Comprehensive Compliance Measurement Table that has been prepared by Highwire and is provided in the Highwire Information Security Policy, Appendix 1. The Vice President of Compliance will verify compliance with our overall Information Security Policy, and all other technical policies, by performing an annual review using the ISMS Comprehensive Compliance Measurement Table. The results of the review will be tracked, analyzed, and included as part of the ISMS Management Review meeting(s).
In addition to the formal annual review, compliance is also measured on a continual basis through various methods, including but not limited to, periodic walk-throughs, business tool reports, and feedback to the policy owner.
Training and awareness for this policy are conducted as part of Highwire’s overall employee training program as detailed in the Highwire Employee Handbook.
c. Exceptions
Any exception to the policy must be approved by the policy owner in advance.
d. Non-Compliance
An employee found to have willfully violated this policy may be subject to disciplinary action, up to and including termination of employment.
15. Review and Development
The author of this policy is considered the owner and has the responsibility for updating it whenever changes are dictated by the work. In addition, an annual review of this policy will be conducted by the Vice President of Engineering to ensure that it remains appropriate considering any relevant changes to the law, organizational policies, and/or contractual obligations.
As specified in the Highwire Administrative Manual, all changes to an ISMS document must be made using “Track changes,” making visible only the revisions to the previous version, either showing them in red text or strikeout. In addition, for reference, all previous versions of an ISMS document are stored on the personal user drive of the Highwire Vice President of Compliance. The versioning history for this document is defined in the table below: