The following document outlines what data is collected and stored via GovX ID and how the data is protected. For additional questions, please contact us directly.
What data does GovX ID collect?
GovX may collect the following personal data in order to perform the verification service. All data is collected directly from the end-user requesting verification.
- First name
- Last name
- Service member last name (for military spouses & dependents)
- Date of birth
- Phone number
- Last year of service (for veterans)
- Photos of specific documents that validate a user’s group affiliation
Any documents collected during the verification process are deleted from our servers after the request has been completed.
Why does GovX ID collect this data?
GovX collects the data specified above for the purposes of verifying a user’s group affiliation, including military, first responders and healthcare workers. A full list of eligible groups can be found here.
The verification happens when a user initially registers with GovX ID. If approved, a verification record is stored in that user’s account and can be accessed by logging into the GovX ID account in the future.
The GovX ID verification software is typically used to determine if a user qualifies for a protected discount offer.
Does GovX ID share any user data with 3rd parties?
No, GovX does not share any of the data collected during the verification process with 3rd parties.
Does GovX ID use any sub-processors during the verification process?
Yes, GovX processes images uploaded during the verification process using the Google Vision API.
As part of the verification process, GovX analyzes documents submitted by the end-user that validate their group affiliation. This includes, but is not limited to, DD214s, Veteran ID cards and department IDs.
Documents are submitted by the end-user in jpeg, png or pdf format. Images are parsed using the Google Vision API. The resulting JSON package is processed by the GovX verification service to determine eligibility. Once the verification request has been either approved or denied, the original file and JSON metadata are deleted from the GovX servers.
Google does not store images that are submitted to the Google Vision API. The image data is processed in memory and not persisted to disk. Full data disclosures for the Google Vision API can be found here: https://cloud.google.com/vision/docs/data-usage.
Where is the data stored?
GovX ID verification services and storage are hosted by GovX at the IO Data Center located at 615 N 48th St, Phoenix, AZ 85008. The development and pre-production servers are hosted by GovX located at 9191 Towne Centre Drive, Suite 210 San Diego, CA 92122.
While Google does not store image data, it does temporarily retain some metadata about the Vision API requests, such as the time the request was received and the size of the request. This data does not contain users’ PII. This image metadata is stored in a multi-tenant environment on Google-owned servers.
How is personal user data protected?
All personal data collected during the verification process is encrypted using SHA-256 encryption. The encryption includes both deterministic and random vectors to allow some data elements to be searchable for admin queries.
Each user is assigned a 128-bit unique identifier that is used to anonymize the user data. All references to the user within the application and database are done using the user identifier. For an application to access user data from the user identifier, an application must have access to the encryption key to read the data.
What security measures are in place to protect the GovX ID system and data?
GovX has a set of policies to ensure proper security measures are in place.
- Firewall, IDS, and encryption: A firewall policy, defining which services and connections will be permitted and denied, must be documented, reviewed, and approved at least once a year by the Change Control Committee. Intrusion Detection Systems (IDS) policy ensure that IDS must exist at network perimeters. All user personal identifiable information (PII) will be encrypted using 256bit encryption or higher.
- Patch management: All GovX computer systems are regularly patched with operating system and applications patches from the vendor or approved entity
- Malware prevention / Virus scanning: GovX information systems employ monitoring software programs for malicious code approved by the Information Security Department.
- User certification, identification and authentication: Each staff member accessing multi-user information systems must have a unique user account that consists of a user ID and a private password.
- Password protection: Passwords shall be at least eight (8) characters in length. Passwords shall use alpha and numeric characters and be case-sensitive. Furthermore, system administrators shall change their password at least every 90 days and may not be reused within a 365-day period.
- Physical and environmental security: All business-critical devices supporting the GovX telephone system, intranet, local area networks, and the wide-area network must be centralized in dedicated rooms with physical access controls, closed-circuit TV, environmental monitoring systems, and other security measures specified by the Information Security Department.
What process is in place to detect security breaches?
GovX has network intrusion detection systems in the data center that will alert staff to network intrusions. The intrusion detection systems are monitored 24/7 by staff at the Phoenix IO data center. The GovX firewall and virus malware systems also have an alerting system that notifies staff that a potential threat has been detected for investigation.
What training measures are in place for staff that has access to verification data?
Manual verifications and customer service questions are handled by a trained support team based in the United States. All support team members complete 120 hours of training, including privacy compliance. Training reinforces that no PII may be removed from or stored outside of the GovX verification system nor can PII be shared verbally with customers via phone or email. Quality control audits are performed weekly and monthly to ensure process accuracy and compliance.
What process is in place to manage the deletion of personal data?