Privacy Policy

 

This privacy statement refers to all Soliya programs and their associated online services, including but not limited to the Exchange Portal and the Soliya website. This statement explains to you the way in which this system uses personal data, and the way in which the privacy of this data is being protected.

 

What is the purpose of the data collection?

There are four main features of Soliya’s programming which involve the collection and processing of personal data. These are:

Program Evaluation – Assessing the impact of Soliya’s programming through pre- and post-program surveys, including quantitative and qualitative survey questions.

Program Setup and Implementation – Allows Soliya staff to organize all program participants into small groups of 8-12 participants and 1-2 facilitators or trainers and ensure program quality. 

Communication – Enables different parties to communicate with one another before, during, and after program participation, and enables Soliya to communicate with the entire community for continued engagement and to share organizational updates, as well as to respond to inquiries.

Online Community – Provides a space for current and former participants, facilitators, alumni, trainees, trainers, coaches, and professors to share information, start discussion threads, communicate with one another, and create a larger Soliya community.

Users will be asked to log in to the Exchange Portal and authenticate themselves before being able to use some of these features.

The purposes of the data collection are:

Program Evaluation – data collected in the evaluation surveys provide feedback to Soliya on the impact and quality of our programming. Through your answers to quantitative and qualitative survey questions, we are able to assess whether our programs meet their goals, and measure the impact that we have on attitudes and opinions. 

Program Setup and Implementation – data collected for program setup purposes allow Soliya’s staff to create program groups. Schedule data provides the basis for meeting times for each group, and demographic data ensures that the groups of 8-12 participants are diverse and balanced. 

Communication – data collected for communication purposes allows the opening of communication channels that are needed before, during, or after program participation.  Specifically:

  • Enables facilitators to reach their co-facilitator if applicable, the student participants in their groups, and their facilitation coaches.

  • Enables facilitation coaches to reach the facilitators whom they are mentoring.

  • Enables participants to reach their groups’ facilitators.

  • Enables trainers to reach the trainees in their groups, and trainees to reach one another and their trainers.

  • Enables participating professors to reach other participating professors.

  • Enables Soliya staff members and tech support to reach participants, facilitators, coaches, professors, trainees, and trainers, as well as alumni of both programs and all other past or future programs.

  • Enables Soliya staff members to send end-of-semester participation certificates and badges to student participants, facilitation trainees, facilitators, coaches, and trainers.

  • Enables Soliya staff members to send programmatic and organizational information and updates periodically to the full Soliya community for continued engagement, and to respond to inquiries.

Online Community – data collected for community purposes enables us to create participant profiles on the Soliya Exchange Portal, and allows all current and former members of the Soliya ecosystem to view basic demographic information about one another, write private messages to each other on the Exchange Portal, create blog posts seen by the rest of the community, and comment on each other’s blog posts. 

 

What personal data do we collect?

Program Evaluation – Identifying data is not collected for the purpose of program evaluation.  Data collected to allow for more refined analysis is gender, nationality, regional location and university.

Program Setup and Implementation – Required data collected: first name, last name, email address, phone number, date of birth, gender, nationality, university (if applicable), region of origin, access to high-speed internet at home, and schedule availability for program durations. Facilitation trainees, facilitators, coaches and trainers are also required to provide their current residence, country of origin, languages spoken and Skype account. All participants conduct a technical diagnostic test that automatically collects essential cookies: your internet upload and download speed, your IP address, and your browser version. Optional data that you can choose not to provide: alternate email, additional languages spoken, IM account, and when applicable graduation year, major, education, areas of expertise, and areas you’d like to learn more about.

Soliya may record the audio-visual, textual, and graphical interactions in the Soliya Meeting Rooms for sub-programs funded by the US State Department. Such recordings may include activities in the main meeting rooms or break out rooms while programming is in progress.  These recordings are created in order to provide feedback and training to program leaders to ensure quality control, and for impact evaluation. If recordings are needed for further educational purposes including fundraising materials or marketing and promotional activities of Soliya, additional permissions from the recorded persons will be sought prior to such use.

Communication – Required data collected from program participants: username, email address, and phone number.  Optional data that you can choose not to provide: alternate email address, and IM account type and username.  Facilitators, trainers and trainees are required to provide their Skype usernames, CV, and cover letter. Data collected for the purposes of continued engagement: name and email address. 

Online Community – Required data collected: username, password, first name, last name, nationality, and university (when applicable). Optional data that you can choose not to provide: profile picture, IM account type and username, native language, other languages spoken, date of birth, and major.

 

Which technical means do we use for processing your data?

  • All data collected for Evaluation, Program Setup, Communication, and Online Community is processed using a MySQL database. Data and services are hosted on Amazon Web Services.

  • Data in transit is encrypted via SSL/TLS and data at rest is encrypted at AWS.

  • Management access and data transfers are done via SSH and SFTP.

  • Backups of data are taken on a monthly or ad hoc basis depending on the AWS instances.

  • The development environment is separated from production: access to the development environment does not grant access to the production environment or user data. The development environment is occasionally refreshed with copies of the production database. In such instances, all personal data and identifying information is removed before being moved to the development environment.

 

Who has access to your information and to whom is it disclosed?

Program Evaluation – Data collected for program evaluation is anonymized and accessible by Soliya staff members as well as evaluation partners. Aggregated data by university, country, region, or for the entire program is available to the public.

Program Setup and Implementation – Data collected for the program setup is accessible to Soliya staff members and program tech support. 

Communication – Contact information is accessed by Soliya staff and tech support team.  Names and email addresses of participants are also available to facilitators, names and email addresses of facilitators are available to coaches, and names and email addresses of trainees are accessible by trainers. 

Online Community – Data collected for this purpose is accessible to all members of the Soliya community, past and present, who log in to the Soliya Exchange Portal. Online profiles do not include any contact information.

For programs funded by the US State Department only, participant information, including name and contact information, is shared with the funder. In addition, Soliya is required to disclose personal information of U.S. citizens in response to lawful requests by U.S. public authorities, including to meet national security or law enforcement requirements.

Soliya does not share participant information with third parties for a purpose that is materially different from the original purposes without their consent.

Soliya assumes liability for the improper processing of user data by staff and third party agents acting on Soliya's behalf, unless the event giving rise to the damage is outside of the organization's control. 

 

How long do we keep your data?

Data is retained for a 2-year period after the user's last login, after which a request for consent to remain in Soliya’s records will be sent to all users. If users do not consent to their data remaining in Soliya's records, all their data will be immediately anonymized. 

You can at any moment request to have your account removed and any or all of your personal data deleted. If you wish to have your account removed and/or your personal data deleted, please email dataprotection@soliya.net.

 

How can you access your personal data, verify its accuracy and, if necessary, correct it?

You can view and make modifications to your profile at any time by going to www.exchangeportal.net, logging in with your username and password, clicking on your username, and selecting ‘Edit’ from the black bar. You can also email dataprotection@soliya.net to request your personal data that is not visible on your profile, correct it, or ask for it to be deleted.  If a request to be forgotten is made, the user’s data will be deleted from Soliya’s implementation-related contact lists, global contact lists for newsletters, and Soliya’s servers where your information is hosted. 

 

What are the security measures taken to safeguard your information against possible misuse or unauthorized access?

Soliya uses IT industry standards to secure our technology stack, including all our users’ personal data. Our data and services are hosted on Amazon Web Services. AWS is a leader in security compliance both globally and regionally, and all AWS services are GDPR ready.

Data in transit is encrypted via SSL/TLS, and data at rest is encrypted at AWS. Management access and data transfers are done via SSH and SFTP.  Backups of data are taken on a daily or monthly basis depending on the AWS instances.  The development environment is separated from production.  Access to the development environment does not grant access to the production environment or user data.

Soliya’s security team performs quarterly risk assessments including security auditing, penetration testing, vulnerability assessment and account auditing. Security recommendations are made to the developers and IT director. Security patches and software upgrades are done when any vulnerabilities are discovered, and do not wait for the security auditing period.

Firewalls and security groups are enabled on all of our instances, and secure management ports are enabled.

Remote access to Linux servers is done through SSH using SSH keys, version 2 only. Public keys are provided to team members and contractors based on need and after written approval. Remote access to Windows machines is done through the OpenVPN client. Access to Soliya’s AWS account and services is provided to team members and contractors through IAM policies. The master account access is restricted to Soliya’s IT Director only. Soliya staff have manager access rights to the LMS, but the master account is restricted to the lead developer only. Permissions requested by staff or contractors require written approval.

Soliya conducts a twice-yearly review of all the privileged accounts in the technology stack. In coordination with HR and relevant departments, terminated users and/or staff accounts are disabled and privileges are revoked immediately upon departure.

All privileged account changes are monitored and logged, and alerts are sent to notify users in case of changes in their account or its associated data.

All contractors who require access to the technology stack must sign Soliya’s NDA.

 

Whom to contact if you have queries or complaints about data protection?

You should contact dataprotection@soliya.net.  

Soliya complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF)  as set forth by the U.S. Department of Commerce.  Soliya has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

In compliance with the EU-U.S. DPF, Soliya commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF.  EU individuals with inquiries or complaints regarding our Data Privacy policy should first contact Soliya at: dataprotection@soliya.net

Recourse: In case of conflict, complaints can be addressed to the European Data Protection Supervisor (EDPS) http://www.edps.europa.eu.  

Soliya can become subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). Soliya is obligated to arbitrate claims and follow the terms as set forth in Annex I of the DPF Principles, provided that an individual has invoked binding arbitration by delivering notice to Soliya and following the procedures and subject to conditions set forth in Annex I of the Principles.

Soliya commits to cooperate with EU data protection authorities (DPAs) and comply with the advice given by such authorities with regard to data transferred from the EU. In addition, Soliya is subject to the investigatory and enforcement powers of the US Federal Trade Commission.