INFORMATION SECURITY POLICY
Last Updated: January 31, 2023
Effective Date: January 31, 2023
This Security Statement is aimed at providing you with more information about our security infrastructure and practices.
Information Security Policy
Empathy Rocks, Inc., DBA mpathic, maintains a written Information Security policy that defines employees' responsibilities and acceptable use of information system resources. The organization receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior before it grants authorized access to Empathy Rocks information systems. This policy is periodically reviewed and updated as necessary.
Our security policies cover a wide array of security-related topics ranging from general standards with which every employee must comply, such as account, data, and physical security, to more specialized security standards covering internal applications and information systems.
Empathy Rocks, Inc.'s data and information system assets comprise customer and end-user assets as well as corporate assets. These asset types are managed under our security policies and procedures. Empathy Rocks, Inc. authorized personnel who handle these assets are required to comply with the procedures and guidelines defined by Empathy Rocks, Inc.'s security policies.
Empathy Rocks, Inc. employees are required to conduct themselves in a manner consistent with the company's guidelines, including those regarding confidentiality, business ethics, appropriate usage, and professional standards. All newly hired employees are required to sign confidentiality agreements and to acknowledge the Empathy Rocks, Inc. code of conduct policy. The code outlines the company's expectation that every employee will conduct business lawfully, ethically, with integrity, and with respect for each other and the company's users, partners, and competitors. Processes and procedures are in place to address employees who are on-boarded and off-boarded from the company.
Physical and Environmental Security
Our information systems and infrastructure are hosted in world-class data centers managed by AWS and GCP that are geographically dispersed to provide high availability and redundancy to Empathy Rocks, Inc. and its customers. Since we are a remote company, we do not have any physical locations.
Empathy Rocks, Inc. maintains a change management process to ensure that all changes made to the production environment are applied in a deliberate manner. Changes to information systems, network devices, and other system components, as well as physical and environmental changes, are monitored and controlled through a formal change control process. Changes are reviewed, approved, tested, and monitored post-implementation to ensure that they are operating as intended.
Supplier and Vendor Relationships
Empathy Rocks, Inc. partners with suppliers and vendors that operate with the same or similar values around lawfulness, ethics, and integrity that Empathy Rocks, Inc. does. As part of our review process, we screen our suppliers and vendors and bind them to appropriate confidentiality and security obligations, especially if they manage customer data.
Empathy Rocks, Inc. has backup standards and guidelines, and associated procedures for performing backup and restoration of data in a scheduled and timely manner.
Our infrastructure servers reside in a VPC which restricts access to systems from external networks and between systems internally. By default, all access is denied and only explicitly allowed ports and protocols are allowed based on business need. Empathy Rocks, Inc. maintains separate development and production environments.
Empathy Rocks, Inc. utilizes automated tools to monitor our codebase for disclosed vulnerabilities. When vulnerabilities are identified they are assessed for risk and patched in priority order.
Empathy Rocks, Inc. strives to apply the latest security patches and updates to operating systems, applications, and network infrastructure to mitigate exposure to vulnerabilities. Our architecture is primarily serverless and relies on our cloud providers to manage operating system security.
Secure Network Connections
HTTPS encryption is configured for customer web application access. This helps to ensure that user data in transit is safe, secure, and available only to intended recipients. The encryption protocol, either SSL or TLS, is negotiated with the client and depends on what the web browser can support.
Role-based access controls are implemented for access to information systems. Processes and procedures are in place to address employees who are voluntarily or involuntarily terminated. Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis. Access control lists define the behavior of any user within our information systems, and security policies limit them to authorized behaviors.
Authentication and Authorization
We require that authorized users be provisioned with unique account IDs. Our password policy covers all applicable information systems, applications, and databases, and enforces the use of complex passwords to protect against unauthorized use of accounts. We leverage Auth0 for user management, authentication, and authorization.
Empathy Rocks, Inc. employees are granted a limited set of default permissions to access company resources, such as their email. Employees are granted access to certain additional resources based on their specific job function. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as defined by our security guidelines.
Software Development Lifecycle
We follow a defined methodology for developing secure software that is designed to increase the resiliency and trustworthiness of our products. Our products are deployed on an iterative, rapid-release development lifecycle. The Empathy Rocks, Inc. architecture teams review our development methodology regularly to incorporate evolving security awareness, industry practices, and to measure its effectiveness.
We apply a common set of personal data management principles to customer data that we may process, handle, and store. We protect personal data using appropriate physical, technical, and organizational security measures.
We give additional attention and care to sensitive personal data and respect local laws and customs, where applicable.
Empathy Rocks, Inc. maintains GDPR compliance for EU and UK customers. Our compliance page can be found at https://prighter.com/q/13068773930.
Empathy Rocks, Inc. completed SOC 2 Type 1 compliance in summer 2022 and will begin SOC 2 Type 2 on March 31, 2023. A copy of our SOC 2 Type 1 report is available upon request.
Empathy Rocks, Inc. contracted Moss Adams in summer 2022 to execute an external penetration test of our public-facing infrastructure. The results of this test were 100% clean with no vulnerabilities found. For a detailed report, please speak to your Empathy Rocks, Inc. contact or email email@example.com. Empathy Rocks, Inc. will maintain an annual external testing event on public-facing infrastructure and will have additional testing performed with any major infrastructure/architectural changes.
Empathy Rocks, Inc. offers HIPAA-compliant data analysis and storage via third-party off-site solutions. Please see the additional documentation of our standard BAA and privacy policies. Through encrypted data transfers and storage, two-factor authentication, constant system monitoring, and planned external HIPAA audits, we meet stringent compliance regulations to protect privacy and confidentiality. Data security attestation reports are available upon request. Our HIPAA Privacy & Security Officers can be contacted at firstname.lastname@example.org.
This policy describes the types of information we may collect from you or that you may provide (i) when you visit the website www.empathy.rocks or www.mpathic.ai (the “Site”), or (ii) from using our Empathy Rocks online and mobile software (collectively, the website and the Empathy Rocks software are our “Services”), and our practices for collecting, using, maintaining, protecting, and disclosing that information.
This policy applies to information we collect:
That you may provide when you access or use the Services.
In email, text, and other electronic messages between you and the Company.
Our Services are not directed to people under the age of 18, and we do not intentionally gather personal information from visitors who are under the age of 18, without their parental or guardian’s consent or in some cases, the child’s assent or consent if the legal age of consent for health services is younger than age 18 according to state law. If a parent or guardian becomes aware that his or her child has provided us with information without their consent, they should contact us at email@example.com. We will attempt to delete such information in accordance with the law.
Information We Collect About You and How We Collect It
We may collect the following information from you, for the following purposes:
When you use our Services, including a free trial, we may ask you for your name, address, telephone number, email address, or other contact details in order to respond to your request or inquiry or to verify your identity.
When you seek services from us in the course of contractual or customer relationships between you and/or your organization and us, we collect business contact information and other personal information in order to provide you with the services you have requested.
Computer and Internet Information
When you visit our Site or use our Services, we collect information about your computer and internet connection, including your IP address, operating system, browser type, cookies, and data about the pages you visit. This information may be collected automatically from your browser or your mobile device and is used to understand how you interact with the Services.
When you use our Services, we collect information about your use of and interaction with our Services in order to (a) serve you the content and functionality you request, and (b) maintain the privacy and security of the Services. Location information collected includes your Internet Protocol (IP) address or unique device identifier.
Feedback / Support / Inquiries
If you provide us with feedback or contact us for support or to ask us questions, we will collect your name, email address, other contact information, and other information needed to respond to your feedback, provide the requested support, or to answer your question.
Financial and Payment Information
If you choose to purchase Services from us, you will need to give personal information and authorization for us to obtain information from various credit services. We may collect your bank account and other data necessary to process payments, including credit card numbers, security codes, expiration dates, and other related billing information. For example, you may need to provide the following information:
Credit card number
Home and business phone number
We do not store your payment information. By submitting your payment card information, you expressly consent to the sharing of your information with third-party payment processors and other third-party services (including but not limited to vendors who provide fraud detection services to us and other third parties).
We use various third-party vendors for risk analytics and compliance purposes, to track and analyze usage and volume statistics for our Services, and to process commercial transactions. We may use services provided and/or hosted by third parties, such as analytics services, to assist in providing our services and to help us understand how you use the Services. This information about your use of the Services (including your IP address) may be transmitted to and stored at our data warehouses or our vendors.
Pages of our Services may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages or opened an email and for other related website statistics (e.g., recording the popularity of certain website content and verifying system and server integrity).
Some content or applications, including advertisements, available with our Services are served by third parties, including advertisers, ad networks and servers, content providers, and application providers. We may also use the services of third parties for completing tasks related to the provision of our Services (e.g., processing of payments, execution of agreements). Where confidential information, such as information about our users, may be exchanged with third-party service providers, these providers are bound by confidentiality requirements at least as restrictive as those set forth herein. If you leave our Services to visit another website or use the services of a third party, you should review the privacy policies of each third party that you visit before using their sites or services.
These third parties may provide you with ways to choose not to have your information collected or used. For example, you can opt out of receiving targeted ads from members of the Network Advertising Initiative (NAI) on the NAI’s website.
We do not control these third parties’ tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly. For information about how you can opt out of receiving targeted advertising from many providers, see Choices About How We Use and Disclose Your Information.
We are not responsible, or liable to you or any third party, for the materials, goods, or services provided by any third parties.
How We Use Your Information
We use information that we collect about you or that you provide to us, including any personal information:
To present our Services and its contents to you.
To provide you with information, products, or services that you request from us.
To fulfill any other purpose for which you provide it.
To provide you with notices about your account and subscription, including expiration and renewal notices.
To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection.
To notify you about changes to our Services or any products or services we offer or provide through it.
To conduct research and analysis.
To validate the accuracy of existing products.
To develop new products and services.
In any other way we may describe when you provide the information.
For any other purpose with your consent.
Disclosure of Your Information
We may disclose personal information that we collect or that you provide as described in this policy:
To our subsidiaries and affiliates.
To contractors, service providers, and other third parties we use to support our business and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them.
To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Empathy Rocks’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by Empathy Rocks about our Website users is among the assets transferred.
To fulfill the purpose for which you provide it.
For any other purpose disclosed by us when you provide the information.
With your consent.
We may also disclose your personal information:
To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
To enforce or apply our subscription agreements, and other agreements, including for billing and collection purposes.
If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of Empathy Rocks, our customers, or others (e.g., exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction).
Choices About How We Use and Disclose Your Information
We strive to provide you with choices regarding the personal information you provide to us. We have created mechanisms to provide you with the following control over your information:
California residents may have additional personal information rights and choices. Please see California Residents for more information.
If you are a California resident, California law may provide you with additional rights regarding our use of your personal information. To learn more about your California privacy rights, visit https://iapp.org/resources/article/california-consumer-privacy-act-of-2018/#1798.185.
California’s “Shine the Light” law (Civil Code Section 1798.83) permits users of our Services who are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request, please send an email to firstname.lastname@example.org.
Accessing and Correcting Your Information
If you sign up for an Empathy Rocks product you can review and change your personal information by visiting your account profile page.
All data access is logged per user with timestamp and IP address information. User access is controlled with strong passwords. The server uses algorithms to identify and block malicious users. Empathy Rocks conducts regular system security audits using outside security professionals. Further information can be found in Empathy Rocks’s Data Security Statement.
The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Services, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
Information Received as Business Associate
Some of our US-based customers (such as healthcare providers) may be subject to laws and regulations governing the use and disclosure of the health information they create or receive, including the Health Insurance Portability and Accountability Act (HIPAA) and the regulations adopted thereunder. Empathy Rocks, Inc. will only use or disclose such information as permitted by the controlling business associate agreement (BAA) or as otherwise permitted by law. Empathy Rocks, Inc. limits access to “protected health information” in accordance with HIPAA. Empathy Rocks, Inc. workforce members are trained on the privacy and security requirements applicable to protected health information, and mpathic's “business associates” are required, pursuant to the terms of their agreements with us, to implement required safeguards.
Representation for data subjects in the UK
We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact.
Prighter gives you an easy way to exercise your privacy-related rights (e.g., requests to access or erase personal data). If you want to contact us via our representative Prighter or make use of your data subject rights, please visit the following website: https://prighter.com/q/13068773930.
Exercise your data subject rights under GDPR
We provide you with an easy way to submit a privacy-related request to us, such as a request to access or erase your personal data. If you want to make use of your data subject rights, please visit our public privacy landing page: https://prighter.com/q/13068773930.