Capsim (“Capsim”, “we”, “us”, or “our”) believes in creating engaging, real-world experience that teaches and measures specific skills of students and employees. Capsim cares about the security and privacy of the personal data that is entrusted to us.
Capsim Management Simulations Inc.
2012 Corporate Lane, Suite 108, DPT 8022,
Naperville, Illinois 60563
Our EU representative under the GDPR is Kimura Limited d/b/a Apex Privacy - Main Street, Portarlington, Co. Laois, Ireland. With regard to the processing of your data, Capsim will act as its Controller.
For all data privacy matters, please contact our Data Protection Officer (DPO), at Privacy@Capsim.com.
“Financial Information” means Personal Information of a financial nature, such as your credit card number.
“Other Business Parties” means parties other than you that contract with Capsim either to provide products and services to Capsim in connection with products or services that Capsim provides to you or that engage Capsim to assist in its provision of products or services to you (e.g., your university or your employer). Other Business Parties may include your fellow students or employees.
“Personal Information” means information about you that Capsim collects about you that may be used, alone or in combination with other information, to identify you as a specific individual.
“Unrelated Parties” means persons or entities other than you, Capsim, or Other Business Parties.
Capsim collects information from you whenever you visit or use the website, some of which you provide voluntarily and some of which is collected automatically. In addition, Capsim may receive information about you from Other Business Parties. The information that you provide to Capsim includes your responses, decisions, and other actions as you participate in and complete simulations.
We collect the following data from you:
1. Student Key
2. Full name
6. Ship address (street, number, city, state, zip code, and country)
7. Phone number
8. Student ID
9. Usage data and IP address (Cookies)
Capsim’s Use of Your Personal Information
Capsim does not sell, rent, or lease your Personal Information to others. Capsim does not share your Personal Information with anyone other than Other Business Parties.
Capsim may collect, use, and disclose Personal Information for the following purposes:
1. to determine your eligibility for Capsim products and services
2. to provide you requested Capsim products and services
3. to respond to your inquiries and provide you customer support
4. to foster communication and collaboration among you, Capsim and Other Business Parties, including informing you about opportunities to participate in Capsim’s Challenges
5. to analyze how Capsim’s website, products and services are being accessed and used
6. to improve Capsim’s website performance and delivery and to improve Capsim’s products and services, including training and quality assurance
7. to prevent misuse of Capsim’s websites and apps by you or others
8. to record and analyze your academic performance, results, outcomes and preferences
9. to obtain and process payment for Capsim products and services
10. to maintain business records
Your Financial Information will be used to provide requested products and services, to analyze operational and business results, to analyze risk, and to conclude a transaction between you and either Capsim or an Other Business Party. It will not be sold, rented, or otherwise transferred to anyone for any other purpose. Capsim uses the services of a third-party service provider to process credit card payments. Therefore, Capsim itself will not have access to your credit card information. In addition, the third-party service provider has agreed that it only uses your [personally identifiable] credit card information to process your payments.
If you are using Capsim products or services in your capacity as a student of an Other Business Party that is subject to the U.S. federal Family Educational Rights and Privacy Act (FERPA) (“Covered Educational Institution”), to the extent that your Personal Information is an “education record” under FERPA, it will be subject to FERPA. If you want to assert your rights under FERPA, you should contact your Covered Educational Institution.
Capsim’s Disclosure of Your Personal Data
1. Service Providers
We share Personal Data with certain of our service providers subject to contract terms that limit their use of Personal Data. We have service providers that provide services on our behalf, such as identity verification services, website hosting, data analysis, marketing service, information technology, and related infrastructure, customer service, email delivery, and auditing services. These service providers may need to access Personal Data to perform their services. We authorize such service providers to use or disclose the Personal Data only to perform services on our behalf or comply with legal requirements. We require such service providers to contractually commit to protect the security and confidentiality of Personal Data they process on our behalf. Our service providers are predominantly located in the European Union and the United States of America.
2. Corporate transactions
3. Compliance and harm prevention:
We share Personal Data as we believe necessary: (i) to comply with applicable law; (ii) to enforce our contractual rights; (iii) to protect the Services, rights, privacy, safety, and property of Capsim, you, or others; and (iv) to respond to a request from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside your country of residence.
You may have choices regarding our collection, use, and disclosure of your Personal Data.
1. The right to request confirmation of whether Capsim processes Personal Data relating to you, and if so, to request a copy of that Personal Data;
2. The right to request that Capsim rectifies or updates your Personal Data that is inaccurate, incomplete, or outdated;
3. The right to request that Capsim erase your Personal Data in certain circumstances provided by law;
4. The right to request that Capsim restrict the use of your Personal Data in certain circumstances, such as while Capsim considers another request that you have submitted (including a request that we make an update to your Personal Data);
5. The right to request that we export your Personal Data that we hold to another company, where technically feasible;
6. Where the processing of your Personal Data is based on your previously given consent, you have the right to withdraw your consent at any time; and/or
7. In some cases, you may also have the right to object to the processing of your Personal Data.
To exercise your data protection rights please contact our DPO at Privacy@Capsim.com.
We will comply with your request to the extent required by applicable law. We will not be able to respond to a request if we no longer hold your Personal Data. If you feel that you have not received a satisfactory response from us, you may have the right under applicable laws to consult with the data protection authority in your country.
For your protection, we may need to verify your identity before responding to your request, such as verifying that the email address from which you send the request matches the email address that we have on file. If we no longer need to process Personal Data about you in order to provide our Services or our Sites, we will not maintain, acquire or process additional information in order to identify you for the purpose of responding to your request.
Capsim takes commercially reasonable steps to secure your Personal Information to protect against its loss, misuse, and alteration. Unfortunately, no data transmission over the internet can be guaranteed to be completely secure. As a result, Capsim cannot guarantee you against the loss, misuse, or alteration of your Personal Information, and you provide information to Capsim at your own risk.
All data is stored on servers that are located in the US. Production servers and data are hosted in Amazon Web Services (AWS) Cloud. Capsim products are web application platforms; therefore, all the data is separated logically, rather than physically. Retained data can be deleted upon a client’s request. At the 7-year mark, data will be either deleted or archived. All stored passwords and email addresses are encrypted. Please note that user passwords are not provided during LTI integration.
Authorization of data is done via SSL protocol with validated private keys and secrets. Data is accessed by authorized personnel only: Capsim Employees and Third-Party certified secure AWS contractors have all signed Privacy and Non-Disclosure Agreements.
The personal information which is accessed is First Name, Last Name, Student ID, Student Email. This information is stored for the convenience of the Professor and Students for teamwork and grading. Upon request, this information can be made anonymous by using randomly generated placeholder info. Students can only see their own personal information and grading data. Professors can see data for all students and courses which they are teaching.
All stored personal information is used only for the purpose of the client/user. Capsim does not sell, rent, or lease any personal information.
Amazon Web Services (AWS) Cloud
As mentioned, all production servers and data are hosted in Amazon Web Services (AWS) Cloud. The IT infrastructure that AWS provides is in alignment with security best practices and IT security standards, including:
• SOC 1/SSAE 16/ISAE 3402 (formerly SAS 70)
• SOC 2
• SOC 3
• FISMA, DIACAP, and FedRAMP
• DOD CSM Levels 1-5
• PCI DSS Level 1
• ISO 9001 / ISO 27001 / ISO 27017 / ISO 27018
• FIPS 140-2
• MTCS Level 3
As well as several industry-specific standards, including:
• Criminal Justice Information Services (CJIS)
• Cloud Security Alliance (CSA)
• Family Educational Rights and Privacy Act (FERPA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Motion Picture Association of America (MPAA)
AWS Physical Security
All physical access to AWS facilities is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means.
Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors are required to present identification and are signed in and continually escorted by authorized staff.
All physical access to data centers by AWS employees is logged and audited routinely.
Secure Development Standards
When developing any software through our agile methodology, the project is divided into iterations. Our secure design standards are applied to each iteration which will be implemented as part of the product requirements. Our secure design strategy focuses on three main areas for every iteration:
• Confidentiality - data is protected from unauthorized individuals/systems.
• Integrity - data remains complete and uncorrupted.
• Availability - data is accessible only by authorized users without interference.
Additionally, we incorporate server-side session checks prior to allowing access to software updates to verify the authenticity of the user. Finally, we also verify security guards that are in place combined with automated testing and version control prior to any release.
Our servers are continuously monitored for uptime with immediate escalation to the authorized system administrators for any downtime. In the event that a security incident is suspected to have resulted in a breach of personal information, notification of the affected entities will occur within 48 hours of the breach. Upon discovering a possible security breach, system administrators focus on investigating and containing the breach as well as addressing appropriate gaps to prevent the incident from reoccurring. The client will be continuously updated on the status of the investigation, containment, and follow-up actions.
Server Status and uptime notification can be seen live here: https://status.capsim.com/
Internet Technologies Used
Cookies, web beacons, and other relevant internet technologies are used on the website. They reside on your computer and in your browser and can be removed. If you desire to remove such technologies you may do so, but this may render the website unusable by you.
Capsim’s website may contain links to other websites. Some of them may collect your Personal Information and may apply their own policies on how your Personal Information is used. Please read all applicable policies of all websites you visit. Capsim is not responsible for the privacy practices of anyone else’s website(s).
International Data Transfers
Capsim products and offerings connect you to the world. Personal Data may be stored and processed in any country where we do business, or our service providers do business. We may transfer your Personal Data to countries other than your own country, including to the United States. These countries may have data protection rules that are different from your country. When transferring data across borders, we take measures to comply with applicable data protection laws related to such transfer. Officials (such as law enforcement or security authorities) in those countries may be entitled to access your Personal Data.
We comply with laws on the transfer of personal data between countries to help ensure your data is protected, wherever it may be.
Capsim’s international transfer of personal data collected in the European Economic Area, the United Kingdom, and Switzerland is governed by Standard Contractual Clauses.
Keeping your data secure also depends on you ensuring that your account’s security is maintained by using sufficiently complicated passwords and storing them safely with the addition of antivirus software and firewalls. You should ensure that you have sufficient security on your own systems, to keep any data you download or store on your own computer safe from unauthorized view.
If you have any questions, please contact Capsim’s Data Protection Officer at Privacy@Capsim.com.
Last revised: September 13th, 2021