IOOGO Inc. – Commitment to Protecting Customer Data
Published as of January 1, 2020
I. Overview and Purpose:
The purpose of this Security Policy is to have certain policies in place to safeguard taxpayer or client data, and to ultimately protect against tax-related identity theft. In order to stay up to date and to keep this Security Policy responsive to the latest cybersecurity threats, we have designated our Chief Operating Officer to periodically review the standards contained herein. Our Chief Operating Officer will also evaluate the effectiveness of the safeguards in place for controlling risks to taxpayer data, and revise this policy as necessary.
II. Risk Identification and Assessment:
Although we are a small business, our clients entrust us with extremely sensitive information. The main risk to our business as tax preparers is the unintentional misuse of taxpayer data and identity fraud. When evaluating service providers, we ensure that any contract with said service provider will include a covenant requiring the service provider to maintain proper data safeguards and oversee any customer information that such service provider may come into contact with, in compliance with the Safeguards Rule.
III. Commitment to Continuing Compliance:
As mentioned in Section I, we will regularly evaluate and adjust this Security Policy and related safeguards, on a continuous basis and in regular intervals. Certain extraordinary events, such as material changes in our business or our operations, may be cause for redrafting the Security Policy to reflect any such change. We view our commitment to security as ongoing, and this Security Policy will be updated as such.
IV. Security and Privacy Standards for e-Filers
In accordance with the security and privacy standards laid out in IRS Publication 1345, IOOGO has in place the following standards and procedures (as of the date of publication of this Security Policy, January 1, 2020):
Extended Validation SSL Certificate;
External Vulnerability Scan;
Information Privacy and Safeguard Policies (this Security Policy);
Website Challenge-Response Test;
Public Domain Name Registration; and
Reporting of Security Incidents.
V. Workplace Safeguards and Standards:
In addition to our commitment to protect taxpayer data on the back end, we also have measures in place to ensure that our employees understand how to properly handle sensitive client data. Specifically:
We will screen and perform background checks before hiring potential employees for a role that handles or has exposure to customer information.
New employees will be required to sign an agreement agreeing to abide by our confidentiality and security standards for handling customer information.
Customer information will be shared with employees on a need-to-know basis.
Employee-created passwords will be required to comply with IRS guidelines by having more than 8 characters, including a mix of upper- and lower-case letters, numbers, and certain symbols.
Employees that transmit customer information electronically will be required to adhere to stricter policies to ensure that these transmissions are not made in error.
Employees who handle customer information will be asked to label any sensitive information as such, and prohibited from removing certain customer data/materials from the workplace without permission from our Chief Operating Officer.
(b) Information Systems:
Sensitive customer information will be encrypted when uploaded.
Only certain employees will be able to access secured cloud servers that store customer information.
We will maintain certain secure backup records and archived data off-site, as required by law.
For payment systems, we will use SSL or Transport Layer Security 1.1 or 1.2, so that any credit card or other payment information is protected in transit.
Customers will be advised and cautioned against submitting any confidential or sensitive information in general, and especially not in response to a random pop-up or unsolicited email.
If required, customer information will be disposed of securely in compliance with the FTC’s Disposal Rule.
(c) Detecting and Managing System Failures:
We will monitor our website traffic for unusual activity, and keep up to date on the latest cybersecurity threats.
We will maintain up to date and appropriate programs to prevent unauthorized persons from accessing our records and our customer data. This includes making sure that our software has the latest security patch and our security software has the latest update (via automatic update, if available).
Because of our flexible working arrangements, we may have employees who work remotely. We will have strong and up to date firewalls to accommodate flexible working conditions (by allowing employees to connect to our network from home) while keeping customer data safe.
We will keep our employees apprised of any security risks or possible breaches, when appropriate.
Employee activity with respect to customer information will be logged and monitored, and randomly audited to ensure compliance with this Security Policy.
If any breach occurs, we will quickly notify the appropriate agencies, and abide by the FTC and IRS rules regarding breaches.
VI. General Terms:
(a) Information We Collect:
We collect “Non-Personal Information” and PII. Non-Personal Information includes information that cannot be used to personally identify you, such as anonymous usage data, general demographic information we may collect, referring/exit pages and URLs, platform types, preferences you submit and preferences that are generated based on the data you submit and number of clicks. We collect information related to your business for the purpose of carrying out the Services.
Information collected via technology. In an effort to improve the quality of the Services, we track information provided to us by your browser or by our software application when you view or use the Services, such as the website you came from (known as the “referring URL”), the type of browser you use, the device from which you connected to the Services, the time and date of access, and other information that does not personally identify you. We track this information using cookies, or small text files which include an anonymous unique identifier. Cookies are sent to a user’s browser from our servers and are stored on the user’s computer hard drive. Sending a cookie to a user’s browser enables us to collect Non-Personal Information about that user and keep a record of the user’s preferences when utilizing our Services, both on an individual and aggregate basis. We may use both persistent and session cookies; persistent cookies remain on your computer after you close your session and until you delete them, while session cookies expire when you close your browser.
(b) How We Use and Share Information:
(c) How We Protect Information
We implement security measures designed to protect your information from unauthorized access. Your account is protected by your account password and we urge you to take steps to keep your personal information safe by not disclosing your password and by logging out of your account after each use. We further protect your information from potential security breaches by implementing certain technological security measures including encryption, firewalls and secure socket layer technology. However, these measures do not guarantee that your information will not be accessed, disclosed, altered or destroyed by breach of such firewalls and secure server software. By using our Services, you acknowledge that you understand and agree to assume these risks.
(d) Your Rights Regarding the Use of Your PII
(e) Customer Data
“Customer Data” means all information processed or stored on the Service by you or on your behalf, as well as any information derived from such information. So, Customer Data includes, without limitation:
(i) information provided on the Service;
(ii) information provided to us by you regarding others or by other third parties; and
(iii) PII from such persons.
Unless we receive your prior written consent, we will not:
(i) access, process, or otherwise use Customer Data other than as necessary to facilitate the Services;
(ii) give any of our employees access to Customer Data except to the extent that such individual needs access to facilitate the Services; and
(iii) give any third party access to Customer Data.
Notwithstanding the foregoing, we may disclose Customer Data as required by applicable law or by proper legal or governmental authority. We will give you prompt notice of any such legal or governmental demand and reasonably cooperate with you in any effort to seek a protective order or otherwise to contest such required disclosure, at your expense.
You possess and retain all right, title, and interest in and to Customer Data, and our use and possession thereof is solely on your behalf.
(f) Links to Other Websites
VII. Additional Information for Users from California:
Since 2005, California Civil Code Section 1798.83 permits our customers who are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. We do not share our customers’ personal information with unaffiliated third parties for their own direct marketing purposes.
Since January 1, 2015, California Business and Professions Code Section 22581 permits you, if you are a California resident under the age of 18, to view, correct, or remove information provided by you or publicly posted by you, by accessing your Downpour account through or another product or service as applicable and editing/removing your personal information. You will need your password to access your personal account. You may also send us an email asking us to remove certain posted content using the address in the Contact Us section below. In the alternative, you may write to us using the address in the Contact Us section below.
We will be happy to review, update or remove information and/or content as appropriate. Residual copies of information and/or content that have been removed from your account and/or the Site may remain in our backup systems for approximately one month. We may still retain your information to resolve disputes, enforce our user agreement, or comply with legal requirements; in this case, your personal information will be blocked from use for any other purpose.
VIII. Additional Information for Users from the European Economic Area
We only process your personal information where we can rely on legal grounds to do so. We process your personal information for the performance of our Services, to provide or support our products, or for any other feature you request or enable. This includes, for example, using your personal information to administer your account, provide contests or promotions in which you have enrolled, support purchases you make, support game functionality, provide global customer service, or provide a fair gaming experience by using anti-fraud technologies such as bans or blocks of accounts.
We may ask for your consent to collect or use your personal information for specific purposes. This includes, for example, providing newsletters, direct e-mails, and surveys about our Properties and certain other marketing features.
We rely on several legitimate interests in using and sharing your personal information. These interests include: to provide you with requested customer service or technical support, to debug and improve our current and future Services, in order to give you exclusive content, personalize your online experience with us and contact you in accordance with applicable marketing preferences, exploring ways to develop and grow our operations, ensuring the safety and security of our Services, and for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity.
We process your personal information for compliance with a legal obligation to which we are subject.
You may object to the processing of your personal information based on a legitimate interest on grounds relating to your particular situation. You may control the extent to which we market to you and you have the right to request that we stop sending you marketing messages at any time using the contact information listed above.
In certain circumstances, you can request that we transfer personal information that you have provided to us. You can send your request to us using the contact information listed above.
Where we rely on your consent in order to process your personal information, you have the right to withdraw such consent to further use of your personal information at any time.
IX. Disclosures to Users Outside the United States and the European Economic Area (EEA)
If you are a visitor to the Site or other online products and services from outside the U.S., the personal information you provide will be collected, processed and stored directly on, or transferred to, servers in the United States or other countries that may not have equivalent data protection laws to the country where you reside.
When we transfer your personal information outside the EEA we rely on appropriate or suitable safeguards recognized under applicable data protection laws. For example, when we transfer personal information collected in the EU to locations outside the EEA, we rely on transfer mechanisms adopted by the European Commission to help establish adequate safeguards, like Standard Contractual Clauses or consent of the individual to transfer personal information from the EEA to non-EEA countries. By using our Services, you expressly consent to such collection, transfer, and processing. We may also need to transfer your personal information to provide the Services to you in accordance with our existing agreements with you.
X. EEA-Specific Rights
If you are located in the EU, upon request, we will provide you with information about whether we hold any of your personal information along with any details required to be provided to you under applicable law. In certain cases, you may also have a right to:
rectify any of your personal information that is inaccurate;
restrict or limit the ways in which we use your personal information;
object to the processing of your personal information;
request the deletion of your personal information; and
obtain a copy of your personal information in an easily accessible format.
To submit a request, please contact us as set forth in the Contact Us section below. We will respond to your request within a reasonable time.
Please note that, in certain cases, we may continue to process your personal information after you have withdrawn consent and requested that we delete your personal information, if we have a legal basis to do so. For example, we may retain certain information if we need to do so to comply with an independent legal obligation, or if it is necessary to do so to pursue our legitimate interest in keeping the Services secure.
If you have any complaints regarding our privacy practices, we ask that you reach out to [list email], as set forth in the Contact Us section below. You also have the right to submit a complaint with your national data protection authority (i.e., supervisory authority).
XI. Contact Us
Last updated: December 15, 2019