This Privacy Statement describes the processing activities performed by CivicPlus when providing its NextRequest product (“Product”) pursuant to an executed contract with our Customers. This is not a privacy policy regarding the collection, use, and processing of Personal Data when CivicPlus is acting as a data controller. For information regarding our privacy practices when we are acting as a data controller, please see our Privacy Policy.
Description of the Product: The NextRequest product assists governments of all sizes with simplifying their public records and FOIA request management process from start to finish. For more information, please see the NextRequest Records Software Product Page. If you have any questions about this Privacy Statement, please contact us at privacy@civicplus.com.
Processing Overview for the Product
Does the Product process Personal Data? Yes
Who’s Personal Data?
Our Customers’ Staff or Vendors: Yes
Our Customers’ End-Users: Yes
Other: Yes
Are there optional modules for the Product that process Personal Data that are turned on by default? No
Does the Product process Sensitive Data? Yes
Does the processing involve profiling of individuals based on personal characteristics? No
Is the processing done by Artificial Intelligence? Yes
Does the Product process Biometric Information? No
Does the Product process Personal Data using Monitoring Technologies? No
Does the processing include automated decision making that produces legal consequences or seriously impacts the people whose data the Product processes? No
Detailed Description of the Processing
Categories of Data Processed | Categories of Sensitive Data Processed | Categories of Data Subjects | Purpose of Processing | Categories of Data Recipients |
|---|---|---|---|---|
Identifiers; Geolocation Data; Internet or Electronic Activity; Business Records with PII | Communications Not Intended for CivicPlus | Customer Employees | Providing Goods or Services; Operational and Internal Business Purposes of Customer | Service Providers; Customer Staff |
Identifiers; Ad-Hoc Text; Business Records with PII | Communications Not Intended for CivicPlus; Arrest records, CJIS data; Potential other sensitive data depending on the nature of the request and contents of the requested documents | Customer End-Users | Providing Goods or Services; Operational and Internal Business Purposes of Customer; Performing Services on Behalf of the Business | Service Providers; Customer Staff; Third Parties as directed by Customer |
Identifiers; Ad-Hoc Text; Business Records with PII | Communications Not Intended for CivicPlus; Arrest records, CJIS data; Potential other sensitive data depending on the nature of the request and contents of the requested documents | Third Parties | Providing Goods or Services; Operational and Internal Business Purposes of Customer; Performing Services on Behalf of the Business | Service Providers; Customer Staff; Third Parties as directed by Customer |
Technical and Organizational Measures (TOMs)
CivicPlus maintains the following Technical and Organization Measures (TOMs) to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems for the Product. We will provide further information about the below TOMs defined below to facilitate Customer audits and to prove compliance with our processing obligations, upon request.
Measure | Status |
|---|---|
Physical Access Controls | Yes |
User Access Controls | Yes |
Anonymization or Pseudonymization (partially supported) | Yes |
Encryption in Transit | Yes |
Encryption at Rest | Yes |
Patching and Updating | Yes |
Backups Maintained and Tested | Yes |
Virus Protection on End Devices | Yes |
Application Firewalls | Yes |
Annual Data Protection Training | Yes |
Business Continuity Measures | Yes |
Disaster Recovery Measures | Yes |
Threat Detection and Monitoring | Yes |
Regular Testing & Evaluation of TOMs | Yes |
Audits and Other Certifications
CivicPlus has the following audits or certifications for this Product:
SOC2 Type 2
HIPAA Type 1 certifications
CJIS 3rd party attestation
GovRAMP Ready
Subprocessors
We utilize subprocessors to perform the processing activities set out in this Privacy Statement for the Product. If we engage a new subprocessor or replace an existing one, we will update this Privacy Notice. If you have an objection to a subprocessor, please contact us at privacy@civicplus.com.
Subprocessor | Description of Processing | Location |
|---|---|---|
Mandatory | ||
Amazon Web Services, Inc. | Hosting and Server Risk Scanning | USA |
Arpio | Disaster Recovery | USA |
Acusoft, Inc. d/b/a PrizmDoc | Document viewing and processing | USA (self-hosted by CivicPlus) |
Pendo.io | Analytics | USA |
AC PM, LLC d/b/a Postmark | Email delivery service | USA |
Solarwinds Worldwide, LLC d/b/a Papertrail | Log management | USA |
Functional Software, Inc. d/b/a Sentry | Performance tracking and error reporting | USA |
Stripe | Payment Processing | USA |
CyberSource | Payment Processing | USA |
Cloudflare, Inc. | Application security | USA |
Datadog, Inc. | Application monitoring | USA |
Optional | ||
None | ||