1.5 Choice: You have the opportunity to choose whether your personal information is to be disclosed to a third party or used for a purpose other than the purpose for which it was originally collected or subsequently authorized by you.
2.1 Our Clients provide us with information relating to their group members, which may include their names, email addresses, roles and group joining date (“Participant Information”). Clients provide Participant Information directly to us. We then automatically send survey request emails on behalf of that Client to the email addresses that it has provided to us. We only use Participant Information for the purpose of communicating with you on behalf of that Client (e.g., to conduct an evaluation of group diversity of thought).
2.2 Our Clients are solely responsible for ensuring that their provision of Participant Information to us complies with all applicable privacy or data protection laws and agreements that they have entered into.
2.3 Our Clients have committed not to provide information about their Participants who are under the age of 16, and we do not knowingly collect personal information from persons under the age of 16. If you believe we have collected such information, please contact us and we will promptly delete it.
3.1 We will not share individual participant response information with a Client or other party. The Client will not usually be able to personally attribute to you any response you provide.
3.2 We may use group findings for our own analytical and commercial purposes (for example, industry benchmarking), but this data will be anonymized so that it does not identify you or your group personally.
3.3 We will securely store Participant Information and your responses for as long as permitted by applicable law. We have enacted safeguards to protect your information from unintended disclosure, but, because no data security program is perfect, we cannot eliminate all risk of unauthorized access of your personal information.
3.4 DOT Scorecard® complies with orders and subpoenas from courts and government agencies acting within the scope of their jurisdiction for information in our possession.
3.5 DOT Scorecard® also passively collects “Usage Information,” which includes the IP address or other device identifiers; the type of browser, device, and operating system a user employs; the URL that referred users to our website; how and when users interact with our website; and other similar information. In particular, we collect information about the manner in which our website is used and the devices on which the services are used and to collect data to improve the performance and features of our website. If we combine Usage Information with Personal Information, we will treat the combined data as Personal Information. The Usage Information we access, collect, and/or monitor can include location data, such as geographic information regarding the location of the accessing device. Location data may help us understand where our platforms are being used. Location data, however, is only displayed and shared in accordance with the privacy settings in each user’s device or browser software.
4.1 Browser or 'web' cookies are small text files that are sent by a website and stored on your computer's hard drive. Cookies are generally used to improve your experience of a website and to track site usage. Coligo Consulting may use this data to target advertising which might be of interest to you.
4.4 If you do not wish to receive cookies, you can set your browser so that your computer does not accept them although you may experience a loss of functionality as a result. We may also log IP addresses (the electronic addresses of computers connected to the internet) to analyse trends, administer the website, track user movements, and gather broad demographic information.
4.5 Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.orgor www.allaboutcookies.org.
Information about privacy issues in New Zealand and protecting your privacy, visit the New Zealand Privacy Commissioner’s website: www.privacy.org.nz
DOT Scorecard® is a online platform used to collect and analyse group diversity of thought. DOT Scorecard®'s development team is based in Auckland, New Zealand. This is a collection of topics that describe how we run DOT Scorecard® securely. They're intended as a high-level introduction to how we deal with security. More details are available on request: email@example.com.
You'll find more information on each of these points in the detailed chapters documents below.
DOT Scorecard®’s products are hosted with the world’s leading data centre provider, Amazon Web Services (AWS). Access to these datacenters is strictly controlled and monitored by 24x7 on-site security staff, biometric scanning and video surveillance. AWS maintains multiple certifications for its data centres, including ISO 27001 compliance, PCI Certification, and SOC reports. For more information about their certification and compliance, please visit the AWS Security website and the AWS Compliance website.
All services (databases, application servers, web servers, etc.) that make up the DOT Scorecard® system are highly-available. We use a combination of clustering (e.g. Elasticsearch), load-balancing (e.g. HTTP), and replication (e.g. MySQL) in order to ensure that there are no single points of failure in the system.
The entire configuration of all of our infrastructure is captured in version control, so we have a full record of every change made to the infrastructure. It also allows us to ensure all our servers have the same, appropriate configuration, and that they are all kept up to date with the latest changes (we have CI/CD pipelines for our infrastructure codebases too). We use a "cattle not pets" approach to infrastructure; any server can be completely replaced with another (or a new one) very easily. This allows us to rapidly provision new infrastructure when necessary; server instances can be built and torn down within minutes as needed to size the infrastructure appropriately and respond to customer needs. This makes our service more resilient to failures, and more reliable for the end user.
All of DOT Scorecard®'s production servers are up to date with the latest security patches from their upstream operating system vendors. Security patches are applied immediately, as they become available upstream; they are installed automatically and don't require human intervention to be applied. We also regularly install non-security update patches, but those are not applied immediately without supervision, and are instead tested before being rolled-out cluster-wide.
Our main way of administering our servers is via tools that operate over SSH. To keep such SSH connections secure:
DOT Scorecard® has an on-call engineer available during business hours. In the event of degraded performance or a similar issue, the on-call engineer will update DOT Scorecard®'s status page with details of the investigation and fix.
While our unattended patching system keeps our software packages up to date with security fixes, we also run Amazon Inspector regularly. This both checks for packages that have vulnerabilities (providing a double-check of our patching systems), and also checks for common misconfigurations. The rulesets we use with Amazon Inspector are:
We fix any issues these rulesets reveal with a severity higher than informational.
We make use of Amazon GuardDuty to detect abnormal or suspicious use of our systems that may indicate an intrusion by attackers. GuardDuty monitors network flows, administrative events and DNS lookups throughout our production systems. It identifies suspected attackers through integrated threat intelligence feeds and uses machine learning to detect anomalies.
If you are a DOT Scorecard® Client or a DOT Scorecard® Participant and want to access, update or delete your data with DOT Scorecard® contact: firstname.lastname@example.org.
You can learn more about New Zealand company compliance with GDPR here:
When you sign up for DOT Scorecard®, we can host your data in the following region: Sydney (Australia).
In order to to help with any problems you’re having, our customer service representatives have access to your account. Our staff are prohibited from using this access except where necessary, or where you’ve requested assistance.
As part of our security and compliance program we keep a centralized log of user activity within your account for auditing. Examples of events that are audit logged are as follows: log-on failed-attempts & successes, data accessed, scheduling and administrative configuration changes. This is immutable, time synced, and accessible on request by account admins.
Changes to the product are introduced by the DOT Scorecard® development team only (we don't allow third-party access to the codebase). The team uses continuous integration and delivery:
DOT Scorecard®'s TLS setup gets an overall score of A in the Qualys SSL Labs Test - we support forward secrecy, allow secure renegotiation, disallow downgrade attacks, have good protocol/preferred cypher suite settings etc.
DOT Scorecard® supports full encryption in transit. No non-encrypted data leaves our datacenter, except to a client explicitly requesting the HTTP version of a page (which can be disabled). All our monitoring and backend systems either send local traffic over the VPC, or they use transport-level encryption when communicating with the rest of the internet.
DOT Scorecard® encrypts customer data at rest in RDS.
We use AWS EC2 Security Groups extensively, with fine-grained groups and rules. For example, each individual network protocol/service (e.g. MySQL or Elasticsearch) is placed in a separate security group, and only other groups that need access to that resource are given access. (i.e. we follow the principle of least privilege carefully when configuring network access). We also ensure that no services are directly available to access, from outside the network, on any host. Instead, we do one of a few possible things:
Backups are stored in AWS S3 with full redundancy and versioning enabled.