- Information Collection
- Notice and Consent
a. When Personal Information is collected, we inform users at the point of collection the purpose for the collection. Mosio will not transfer personal information to third parties without consent. We request various types of Personal Data from you, and can only receive such data if you provide it willingly and consent to its provision to us, when opening an account on this Website or procuring any product, service or content through this Website. Any use or transmittal of your data will only be completed once you are made completely aware of its use and transmittal, and then only with your consent. If you wish to know of any specific use of your data that may be undertaken by the Owner, please email us at support((at))mosio((.))com.
b. Data transfer abroad is based on consent, in that we shall only transfer your data outside your home jurisdiction for the purpose of providing access to this Website and any products or services offered to you through this Website. Such data transfer will be to third parties who maintain confidentiality requirements and data protection capabilities sufficient to protect and secure your data, if this is at all required. By registering an account with us, you hereby agree to allow your data to be transferred outside your home jurisdiction for the reasons described in this paragraph, and subject to the terms described herein.
c. In most cases we provide users with the opportunity to “opt in” prior to receiving direct marketing, email newsletter or market research information. This means we will require affirmative action by users to indicate consent before we use information for purposes other than the purpose for which it was submitted. At the very minimum, we always give the opportunity to “opt out” of receiving such materials. This means we assume consent has been given to collect and use information in accordance with this Privacy Statement unless affirmative action has been taken against consent, for instance by clicking or checking the appropriate option or box at the point of collection.
d. If you want to specifically know how and to whom your data may be transferred to, please get in touch with us at support((at))mosio((.))com.
NOTE – HIPAA and PHI: The requirements of the CCPA do not apply to “medical information” subject to the California Confidentiality of Medical Information Act (CMIA) or to “protected health information” (PHI) collected by covered entities and business associates under the HIPAA Privacy, Security and Breach Notification Rules. All data collected by the Mosio platform (PHI or non-PHI) receives the same safeguards for security, privacy and breach notification applied to our clients covered under HIPAA rules and stipulated by a client BAA.
- Cookies and Other Tracking Technologies
a. Some Mosio websites and HTML-formatted email newsletters may use web beacons in conjunction with cookies to understand user behavior. A web beacon is an electronic image, called a single-pixel (1×1) or clear GIF. Web beacons can recognize certain types of information on a visitor’s computer, such as a visitor’s cookie number, time and date of a page view, and a description of the page where the web beacon is placed. Some Web beacons may be unusable if users elect to reject their associated cookies. Mosio may also use customized links or other similar technologies to track email links clicked. We may associate that information with Personal Information in order to provide more focused email communications or purchase information. Each email communication includes an unsubscribe link ending the delivery of that type of communication.
b. If users prefer not to receive cookies while browsing our website or via HTML-formatted emails, they can set their browser to warn them before accepting cookies and refuse the cookie when their browser alerts them to its presence. Users can also refuse all cookies by turning them off in browsers, although users may not be able to take full advantage of Mosio’s website after having done so. In particular, users may be required to accept cookies in order to complete certain actions on our website. Users do not need to have cookies turned on, however, to use or navigate through many parts of our website, although access to certain Mosio web pages may require a login and password.
- How Information Collected Is Used
Mosio uses information for several general purposes: to fulfil user requests for certain products and services, to personalize the experience on our Website, to keep users up to date on the latest product announcements, software updates, special offers or other information we think they would like to hear about, to optimize and provide Services requested, and to better understand user needs and provide better service.
- Information Sharing and Disclosure
a. Because Mosio is a global company, personal information may be shared with other Mosio offices, subsidiaries or technology partners around the world for the purposes of completing mobile messaging transactions. All such entities are governed by this Privacy Statement or are bound by appropriate confidentiality and data transfer agreements.
b. Personal information is never shared outside Mosio without permission, except under conditions explained below. Inside Mosio, data is stored in security-controlled, HIPAA-compliant servers with limited access. Information may be stored and processed in the United States or any other country where Mosio, its subsidiaries, affiliates or agents are located.
c. Mosio may send personal information to other companies or people under any of the following circumstances:
- (i) When we have consent to share the information;
- (ii) If sharing information is necessary to provide a product or requested service (If information is shared with third parties we only provide the information they need to deliver the service. Also, such companies are prohibited from using information for any other purpose);
- Data Security
- Children and Privacy
Our websites do not target and are not intended to attract children under the age of 13. Mosio does not knowingly solicit personal information from children under the age of 13 or send them requests for personal information.
- Third Party Sites
a. Mosio’s website contains links to other sites. Mosio does not share personal information with those websites and is not responsible for their privacy practices. We encourage users to learn about the privacy policies of those companies.
b. Our website may contain links to websites operated by other companies. Some of these third-party sites may be co-branded with a Mosio logo, even though they are not operated or maintained by Mosio. Although we choose our business partners carefully, Mosio is not responsible for the privacy practices of web sites operated by third parties that are linked to our site. Once users have left our website, they should check the applicable privacy statement of the third-party website to determine how they will handle any information they collect.
- Clinical Research and Healthcare Clients: HIPAA and Participant Privacy
While the mobile text messaging channel is not HIPAA compliant in certain scenarios, Mosio makes continuous efforts to maintain the privacy and data security of sensitive client and patient information, including:
a. Informed Consent: Covered Entities and Business Associates who use the platform should warn the participant that the risk of unauthorized disclosure exists (encouraging the participant to properly secure their device is also good practice) and the participant’s consent should be obtained to communicate by text. Both the warning and the consent must be documented.
b. Unique Users and Identification: Each user identity is assigned a unique name and/or number for identification, logging and tracking.
c. Encryption and Authentication: The Mosio system uses cryptographic module types that are FIPS 140-2 validated for Data at Rest, Transmission, Remote Access, Authentication, and Digital Signatures/Hash, and would describe an alternative implementation if applicable. All accounts require a unique username and password with specific password security rules including expiration. SSO integration with client systems is available by client request.
d. Automatic Logging Out: The Mosio system will log out users after a short time of inactivity (configurable by the account administrator). While the system enables the account administrator to choose “Keep Users Signed In” to allow users to stay logged in, it allows for remote locking out by our support staff should the need arise.
e. Transmission Security: TLS cryptographic module types are used for protecting data in transit. Our data hosting providers are located in the USA; Production and Backup systems are in geo-diverse locations for added protection and redundancy.
f. Only Developers employed by Mosio have direct access to the Mosio platform code base and databases.
g. Multiple Organizations: ePHI is not accessible by Mosio partners or subcontractors unless otherwise authorized for the sole purpose of efficient communication transmissions.
h. Response and Reporting Procedures: The company maintains a step-by-step reporting procedure to identify, document, respond, and prevent security incidents.
i. Contingency Plans: ePHI and other sensitive data are backed up in a geo-diverse location from our Production systems using AWS HIPAA Eligible Services. Mosio tests Business Continuity and Disaster Recovery Plans at least once per year.
j. Privacy and Security Officers: Mosio has a Compliance Officer on staff to handle all privacy and security related questions.
k. Risk Management Evaluations: Annual privacy and security training, activity logging, risk management procedures for code implementation, data and account management are reviewed once a year by Mosio’s chief officers to ensure maximum risk reduction. Mosio’s change control process is governed by our SDLC and includes a risk assessment for any change to the system and all changes are code reviewed and tested in an engineering environment before release to Production systems.
Contact us at support((at))mosio((.))com for our detailed Privacy and Data Security Management statement. If you need assistance in responding to requests from IRBs or patient privacy officers at your organization, we’re happy to be of assistance.
- Rights under other Privacy Laws
To the extent that you have rights under any current or future privacy laws, you may contact us at (insert address) to exercise any applicable rights you may have under such laws. To the extent that such laws apply to you and to us, we will respect your rights in accordance with such laws.