About this Document
Non-Personal Identification Information
We may collect non-personal identification information including your web browser name, the computer operating system and technical information about your means of connection to our Site, such as Internet service providers utilized and other similar information. Sub-Processors such as Google Analytics may also have access to non-personal information.
Personal Identification Information
You may decide to send us your personal information in a variety of ways, including, but not limited to, registering a user account on our sites, subscribing to the newsletter, and in connection with other activities, services, features or resources we make available on our sites. You may be asked for, as appropriate, name, email address, mailing address, phone number and credit card information. Disclosing this information is voluntary. You can always refuse to supply personal identification information, but it may prevent you from engaging in certain activities.
Sensitive Personal Data
GDPR specifies a set of personal data categories which are “sensitive”, and which require special consideration by Data Controllers. Our websites and any related services do NOT knowingly collect or process any sensitive personal data.
Children's Personal Data
Our sites and any services available from this website are NOT directed to children under the age of 13. If you learn that a child under the age of 13 has provided us with their personal information without having parental consent, please contact us immediately so that we can take appropriate action.
Data Usage Policies
How we Use Customer Data
ARELLO may collect and use customer data for the following purposes:
- To contact you - Information you provide allows us to respond to your requests and support needs.
- To provide services to you - We use your information to deliver the services you subscribe to, such as our newsletter or email groups.
- To process orders - We use the information you provide when placing an order only to provide service to that order, including order status updates and physical item shipping.
- To send periodic emails - We may use the email address to send you information and status updates pertaining to your orders and subscription services.
Sharing Customer Data
We do not sell, loan, lease, trade, give away or in any other way make your personal information available to others, except as required by law.
Web Browser Cookies
Data Protection and Design by Default
Article 25 of GDPR requires that data processing activities (our sites) provide data protection by design and default. We have achieved this requirement by ensuring that all web applications have been designed in accordance with industry best practice, using trusted technologies, and have been subject to penetration testing to ensure that vulnerabilities are being properly managed, and configurations remain effective.
ARELLO utilizes an SSAE16, PCI, Open-IX and HIPAA-certified datacenter for our production web servers. We maintain PCI compliance in our software applications and enforce encrypted connections via TLS 1.2 on all web pages.
Article 35 of GDPR requires that formal Data Protection Impact Assessments (“DPIA”) are undertaken by organizations where there is a “high risk to the rights or freedoms of natural person”. ARELLO has assessed that there are no high risks to individuals who may use our websites.
Legal Basis for Personal Data Processing
Article 6 of GDPR requires that the lawfulness of data processing be advised. ARELLO uses “legitimate interests” as the basis for the secure processing and storage of its customer data in order to deliver our services. This includes the communication of information related to our solution or similar matters. We occasionally communicate with non-customers and will only do so based upon the “explicit consent” which we have been provided with by the data subject, either through a positive confirmation on a web form, or by their communication preferences shared from social media channels. We provide clear methods for data subjects to remove or vary their consent if they wish to do so.
Data Controller and Data Processor
ARELLO acts as both a Data Controller and Data Processor depending on which services you use.
- ARELLO acts as a Data Controller (as per GDPR Article 24) for the personal data relating to services provided by:
  - The ARELLO organizational and members-only site at www.arello.org.
  - The International Distance Education Certification Center (IDECC) and the Certified Distance Education Instructor (CDEI) program at www.idecc.org.
- ARELLO acts as a Data Controller for its own employee management purposes.
- ARELLO acts as a Data Processor (as per GDPR Article 28) in respect of the personal data which may be loaded into our web application by customers of our aggregate database platforms and Software-as-a-Service (SaaS) platforms:
  - The ARELLO Licensee Verification Program at www.arello.com.
  - The ARELLO Disciplinary Action Database at dadb.arello.org.
  - The ARELLO Timeshare Registry at atr.arello.org.
  - The Real Estate Educators Association (REEA) AMS at www.reea.org.
  - My Honor Society (MHS) at www.myhonorsociety.com.
  - Alpha Chi Induction Management System (IMS) at ims.alphachihonor.org.
SaaS customers are responsible for ensuring that they have an appropriate legal basis for processing personal data within an ARELLO web application and will fully indemnify ARELLO in the event of any claim of any sort being brought for not having a valid basis.
Data Subject Rights
Articles 16-21 of GDPR provide data subjects with several rights in relation to their personal data, including:
- Right of access by the data subject (Art.15)
- Right to rectification (Art.16,19)
- Right to erasure (Art.17,19)
- Right to restriction of processing (Art.18)
- Right to data portability (Art.20)
- Right to object to processing (Art.21)
Where ARELLO is acting as Data Controller, then it will receive, validate, record, progress and respond to any such data subject requests received.
Where ARELLO is acting as Data Processor, then it will advise the applicant of the customer’s details that should be used to make their request. As a responsible Data Processor, ARELLO will assist its customers with complying with valid requests.
Should a data subject decide to exercise their rights, they should contact ARELLO as below.
Declaration of Sub-Processors
ARELLO confirms its use of:
- Constant Contact, for the purposes of delivering subscription and marketing emails to customers.
- Google Analytics, for the purposes of analyzing website usage and improving our services.
- Microsoft Office365, for the purposes of delivering subscription emails to customers.
- PayPal, for the purposes of invoicing and receiving payments from customers.
- Simplelists, for the purposes of delivering email group (listserv) services.
- SendGrid, for the purpose of delivering transactional email to customers.
- SurveyMonkey, for the purposes of delivering surveys to customers.
- Zoom Web Conferencing, for the purpose of holding online meetings.
ARELLO confirms that:
- It has undertaken applicable due diligence and validation on each of the declared sub-processors to ensure that they are aware of and able to deliver their applicable requirements under the GDPR.
- It will not vary or replace any of the declared sub-processors without having first given advance notice to all applicable customers.
Record Keeping & Breach Reporting
ARELLO confirms that it securely retains and manages data which records the use of our software solutions, including user credentials and IP addresses. Should a customer require assistance with information contained within our data processing records, please contact us.
We actively monitor our software solutions for unusual activities and issues, which includes indications of data breaches. ARELLO will promptly act to notify either the customer or appropriate authorities (as applicable to our role) in the event of a data breach being suspected (as per Article 33), and if acting as Data Controller will also inform affected data subjects (as per Article 34).
Removal of Personal Data
It remains the customer’s responsibility to remove all personal data prior to terminating their service provision with ARELLO. Should the customer not do this, then ARELLO will securely purge their data at the point when the resources are to be redeployed – but this does not take place instantly and customers are strongly recommended to (a) remove their own personal data beforehand, or (b) contact ARELLO Support if assistance is needed to do this.
All ARELLO staff receive periodic instruction in matters relating to information security and data protection. Those with specific roles relating to the management of risk assessments, data protection impact assessments, data subject rights and incident management receive more focused training.
Audits and Inspections
11650 Olio Road
Suite 1000 #360
Fishers, IN 46037
This document was last updated on May 23, 2018.