1. Purpose
The Data Privacy Statement (DPS), as required by European Union General Data Protection Regulation (GDPR), relates to data that identifies a person (in the EU). This Data Privacy Statement also serves as a reference document for US legislation 21 CFR Part 11; Electronic Records and Signatures and European Union (EU) Annex 11; Computerized Systems. Weever Apps Inc. achieved attestation of compliance to 21 CFR Part 11 and EU Annex 11 on September 12, 2019. A copy of the attestation letter from Computer System Validation is available on request.
Also see our web site privacy policy and company security page.
2. Referenced Policies
- 10007: Information Security
- 10008: Internal Audits for Weever Process
- 10010: Information Classification and Handling
- 10011: Risk Assessment Management Policy
- 10013: Data Backup
3. Policy
3.1 Company information
Weever Apps Inc.
120 Hughson St. S
Hamilton, Ontario L8N 2B2
3.2 Business description
Weever Apps Inc. is an enterprise software company that provides cloud-based solutions for customers in manufacturing and related services. Our focus is on process execution and digital form management.
3.3 What data does Weever Apps collect, for which people, and how is it used?
Weever Apps uses digital forms to collect process execution data in the course of manufacturing execution. Data collected is used to visualize active processes and provide both flat and aggregate reports on process/quality execution. Standard activity data collected for a given process may include recurring entry of product property measurements (e.g., product weight or composition) by line operators, task completion by line operators, safety checks, and both quality task completion and measurement activities by quality (QA) and other staff.
Weever Apps provides a form "builder" (tool) that allows our customers to collect any data they wish. Any data collected should comply with all rights and agreements in their locale. Weever Apps is not responsible for any forms built by our customers or any data collected using those forms or tools.
Personal data (PII) collection is limited to user accounts and manufacturing execution activity by customer staff (generally production line operators and quality assurance staff).
Data collected for a given person (user account) is limited to:
- Name (first, last)
- Email address
- Job role(s) (e.g., Operator, Quality)
- Work telephone number
Your user account information is never used for marketing, sales or other commercial purposes.
We may also collect information about the device you're using, including what type of device it is, what operating system you're using, device settings, unique device identifiers, crash reports and other technical data.
Whether we collect some or all of this information often depends on what type of device you're using and its settings. For example, different types of information are available depending on whether you're using a Mac or a PC, or an iPhone or an Android phone. To learn more about what information your device makes available to us, please also check the policies of your device manufacturer or software provider.
3.4 Which country(s) do these people represent?
Most customer data is limited to North America (US, Canada) and Europe.
3.5 What types of data do you collect and store?
Our products collect written data through digital forms. Software features allow users to upload digital photos, scanned paper documents (PDFs) and various other document and file types. Entered and uploaded data is stored in a secure database and content delivery network (CDN).
3.6 Management of collected data
Access to data stored by Weever Apps Inc. and management thereof is limited to:
- Weever Apps Inc. software users with valid, authenticated sessions and appropriate user access roles
- Authorized Weever Apps database and infrastructure administrators
- Authorized Weever Apps staff (e.g., developers)
- Authorized Weever Apps contractors for limited engagements
Weever Apps Inc.'s "Process" product does not support any "hard delete" functions, deletion of assets in the CDN, or any actions that may disrupt the "audit trail" as described in 21 CFR Part 11; Electronic Records and Signatures (security, audit trails, electronic signatures).
Contractor access:
As a rule, Weever Apps Inc. does not provide access to any production client-specific content or client-specific application data to third-party contractors, with the exception of:
- DevOps or security review support where such access may be unavoidable through reasonable means
- Contracting for the creation of Power BI data reports, of fixed scope and limited read only access
- Contracting for the creation, modification or conversion of client forms within Weever, predominantly for new app set up and explicitly limited in scope of access and authorization to those operational tasks
- Anonymous user statistics and logs, as provided for analysis purposes
Contractors are subject to, and must agree to, the same policies, recurring checks, constraints and policy enforcement activities as Weever Apps Inc. employees, with the single exception that contractors are not required to enroll in Weever Apps Inc. security awareness training.
3.7 Physical location of data
All server instances including databases are located in the United States (Northern Virginia).
3.8 How is the data stored?
Textual data is stored in a secure PostgreSQL database. Asset data (e.g., images, PDFs) is stored in a secure CDN repository managed by Weever Apps Inc.
3.9 Is Weever Apps a Data Controller (owns the data) or Data Processor (processes on behalf of the Data Controller)?
Weever Apps Inc. is a Data Controller. No third-party or otherwise contracted companies process customer data directly on our behalf.
3.10 Who has access to product data within and external to your company?
Weever Apps staff may have limited access to production data by using an administrator-level user login to the client's given application and server instance.
21 CFR Part 11 Compliant Products, "FDA Compliance" rules:
Standard authentication, access and authorization policies apply. There is no "god" user role, and functions are limited by FDA-compliant user access (role) definitions.
All Products:
Specialized DevOps (IT) administrators may access or copy production data, or a backup thereof, to ensure compliance with procedures within SOP 10013 Data Backup.
Contractors may be given limited access to complete specific tasks:
- DevOps or security review support where such access may be unavoidable through reasonable means
- Contracting for the creation of Power BI data reports, of fixed scope and limited read only access
- Contracting for the creation, modification or conversion of client forms within Weever, predominantly for new app set up and explicitly limited in scope of access and authorization to those operational tasks
Unless stated explicitly herein, no other vendors, persons or services external to Weever Apps may access customer data.
3.11 How is access to the data limited to your workforce?
All data is encrypted in transit. All data is protected by redundant layers of authentication and authorization protocols including:
User access practices common to all products:
- Access limited to authorized individuals using roles; privileges are assigned to roles, not individuals
- Active access management, escalation proposal and authorization by review-first
- Password composition requirements (min 8 characters, alphanumeric)
- Passwords are not displayed when entered
- Password encryption, upon entry, in storage
- Unique user IDs
- Logging of all user access activity
- Recurring review of plugins, packages and technical artifacts for security/functional risks (SOP 10011 Risk Assessment Management Policy for Weever Process)
User access practices specific to Weever Apps Inc. Process product:
- Application: Secure login/user system in compliance with 21 CFR Part 11
- No users with “God” role, no IT people with “God” role, system administrator role is limited
- Password change frequency (90 days)
- Password reuse frequency (1 year)
- Automatic logout after inactivity in application (1 hour)
- Auto lockout after too many failed login attempts (5) and notification to system security staff
- User access activity reports, full, dedicated report limited to one user role
- Last login displayed when logging in
- IP difference warning alerts (automatic, no refresh is required)
- Please note: Some user management policies listed here are customer configurable at your own risk
Server and service management
- Layers of authorization and authentication policies; infrastructure-data access requires multiple authenticated logins and verification checks across 3+ layers
- No internet-available transfer of data (no internet-facing access to data sans application)
- Secondary, unique application to server credentials and authorization, secured with TLS
- Network isolation and systems firewall for distributed components
- Recurring review of plugins, packages and technical artifacts for security/functional risks
- Antivirus and service/data monitoring for unusual traffic, spikes, other 'indicator' events
- Recurring checks for data/incident breaches and "pwned" checks for emails et al.
Company policies and procedures
- Dedicated roles for IT infrastructure provision and access approval
- Recurring reviews of staff access, remove inactive users, and verify access policies (monthly)
- Recurring internal audits of policy implementation including security (SOP 10008: Internal Audits for Weever Process)
- Recurring internal audits of policy and procedure compliance (SOP 10008: Internal Audits for Weever Process)
- Recurring internal reviews and sign off on all procedures (SOP 10001: SOP Management and Document Identification for Weever Process)
- Training and recurring information security policy compliance and review (SOP 10007: Information Security, SOP 10010: Information Classification and Handling)
- Rapid response team reviews and procedures (e.g., in event of data breach)
- Many additional secondary processes including vendor reviews, access reviews, inactive account reviews and more
Additional policies and recurring events are also in place to protect your data.
3.12 What does Weever Apps do with my personal data?
Your user account details are used for the purposes of user management and to produce activity histories for manufacturing process execution. Basic access activities like login or profile updates may also be recorded in a User Access Activity Report for the purpose of security and IT management.
Your personal information is limited to the users described.
Weever Apps does not use your information for marketing or any other purpose.
3.13 What is your policy on sharing data with other parties?
As a principle we do not share your data with any third parties including contractors and service/applications.
In the event a valid exception is required, individual contractor staff may be granted time-limited access on a per project basis.
3.14 Who do you share data with?
As a principle we do not share your data with any third party services unless absolutely necessary.
- Server operations contractors or services may effectively have access to some of your data per normal infrastructure operations
- Data visualization contractors may have limited access to your data in order to complete specific, project-based reports
- Contractor staff must accept and comply with all Weever Apps Inc. security policies in full before any consideration of access
- Access is granted on a strict need-to-know basis following our Data classification and System Access Control policies
- All contractor staff access is subject to, and included in, normal recurring risk management activities including system access reviews, inactive account reviews, access escalation/de-escalation reviews, policy compliance checks and more
Analytics services:
- Technical data on browser and device usage may be shared with third-party analytics services
- A very restricted set of non-sensitive personally identifiable information (PII) may be shared with third party services (e.g., name, email) solely for the explicit objective of rendering services and facilitating data storage on behalf of our clientele. For example, we may share a user's email address for the purpose of tracking onboarding tour completion in a third party service. All services and vendors are monitored for GDPR and privacy compliance.
Other types of sharing:
- It is imperative to underline that Weever Apps Inc. categorically refrains from engaging in the sale of any PII or customer data under any circumstances.
Sensitive personally identifiable information (PII)
- Per our Terms of Service (TOS), Weever Apps Inc. unequivocally disallows the utilization of its platform for any endeavour encompassing the acquisition and retention of PII data from individuals who are not employees or contractors of our clientele.
- In other words, our platform is explicitly proscribed for the collection of PII data that may fall under the purview of legislation such as HIPAA or PIPEDA. This stance underscores our commitment to ensuring strict compliance with applicable data protection regulations and safeguards.
3.15 How do you notify people that you have shared their data?
We do not share your site's non-technical data with any third parties unless there is an agreement to do so (e.g., for the purpose of a data visualization project between Weever and you, the customer).
3.16 How can I revoke consent for the use of my data? (Consent)
Weever Process product:
- Individual user account data and prior activities form part of the "audit trail" required for compliance to 21 CFR Part 11 and other best practices regarding software audit-ability. As such, individual user accounts are never deleted nor made invisible from administrative view.
- Staff who hold Weever Process accounts should contact a dedicated application administrator in their company to request an inactivation (to disabled status) of their user account.
- Additionally, after a configured period, any inactive account is disabled automatically.
- For site or customer-wide removal of data, please contact our data privacy contact.
Other products:
- Staff who hold user accounts should contact a dedicated application administrator in their company to request an inactivation (to disabled and not-visible status) of their user account.
- For site-wide removal of data, please contact our customer success team or the data privacy contact listed below.
3.17 Do you capture or store any non-adult data?
No. No user accounts exist for a person under 16 years of age.
3.18 How may I request changes to my data or my profile?
Individual users with a valid, active account may change their personal information in the "My Profile" section of our applications:
- Name (first, last)
- Email address
- Job role(s) (e.g., Operator, Quality)
- Work telephone number
- Phone
21 CFR Part 11 (Weever Process)
Due to audit trail compliance (see 3.16), these changes do not affect any prior historical records in the Weever Process product.
All Products
Individual users with a disabled/inactive account should contact their company's dedicated application administrator and request any changes via "User Management".
3.19 How can I review the data associated to my profile?
Individual users with a valid, active account may change their personal information in the "My Profile" section of Weever Apps Inc.'s products.
Individual users with a disabled/inactive account should contact their company's dedicated application administrator and request any profile information via "User Management".
3.20 How do you notify people of this data privacy statement and how do you notify them of updates?
Weever Process:
- Process customers are provided with a copy of this data privacy statement as part of their initial customer onboarding and training package.
- Any major changes to this data privacy statement require Weever Apps to notify all Process customers via email, including the new document and a short summary of changes made. Process customers are defined here as a dedicated application administrator for a given customer workplace (factory, or physical company location).
Other products:
- Weever Apps Inc. publishes our Data Privacy Statement as a web site privacy page (this page). This document is available for review on request after contacting our dedicated privacy contact, as listed on that page.
3.21 When do you delete my data because it is no longer needed?
Weever Process:
- Individual user account data and prior activities form part of the "audit trail" required for compliance to 21 CFR Part 11 and other best practices regarding software audit-ability. As such, individual user accounts are never deleted nor made invisible from administrative view in current, "live" instances of Process software deployment(s).
- Individual Process instances may be taken offline and "closed" due to changes in sales contracts with the relevant enterprise customer(s). In this instance, personal account data will be inaccessible to all parties through normal (application) channels.
- A data backup of the application instance(s) and their respective databases will be maintained in secure storage by Weever Apps Inc. for a minimum period of five years. In this context, access is limited to dedicated Weever Apps DevOps administrators and senior staff.
Other Weever products:
- Deletion of data varies by contract term. Please contact us to learn more.
3.22 How do you notify persons if there is a data breach/data stolen? (Breach Notification)
In the event of a data or network security breach, Weever Apps Emergency Response Team will first prevent further damage and then designate a response team member to contact customers and notify them of:
- The breach incident
- The extent of data lost or possibly compromised, in detail
Notified customers include but are not limited to a dedicated application administrator for each workplace (factory, or major physical location) using Weever Apps software. The dedicated application administrators are then responsible to further inform and notify any user account holders of the incident and the details / potential exposure of their personal data.
3.23 How do you document the annual security review of this Data Privacy statement?
Weever Apps' QA Management conducts an annual review of this Data Privacy statement as part of our annual internal audit for all standard operating procedures (SOPs) and general compliance with company, client and government policies.
3.24 What do you do to protect your data?
All data is encrypted in transit.
All data is protected by redundant layers of authentication and authorization protocols. Please see section 3.11 to review how our application design, server and service management, and company policies and procedures are organized to protect your data.
3.25 How do I contact Weever Apps with a data privacy concern?
Our designated Data Protection Officer and Article 27 representative is our CTO, Andrew J. Holden.
Please send any concerns, questions or complaints via email to:
- Andrew J. Holden
- office '/at/' weeverapps
or by regular mail:
Weever Apps Inc.
Attention: Privacy Officer
120 Hughson St. S
Hamilton, Ontario L8N 2B2
4. Policy information
Approved by:
- Steve McBride, CEO, Weever Apps Inc.
- Andrew J. Holden, CTO and Document Management, Weever Apps Inc.
Version History
- v1: 2019-08-01: Original
- v2: 2019-08-04: Updated approvers list
- v3: 2020-10-01: 24 Month review (unchanged)
- v4: 2021-08-01: Updated approvers list
- v5: 2021-11-04: Clarified contractor rules
- v6: 2022-02-16: Moved policy to web site
- v6: 2022-08-09: Annual review (no changes)
- v7: 2023-08-09: Clarified "Process" product name