Certifications & Compliance Statements

Springshare Maintains SOC 2 Type II Compliance
Affirming Springshare's Commitment to Data Security and Privacy
The SOC 2 information security audit is a recognized industry benchmark for customer data protection and operational standards. Springshare’s continued SOC 2 compliance, affirmed by an independent auditor, demonstrates the company’s commitment to its customers through its implementation of best-in-class privacy and security practices.
"At Springshare, everyone works together to stay security conscious and take action to align with best practices in data privacy," said Slaven Zivkovic, Springshare Founder and CEO. "Privacy and confidentiality are key principles of library service; as a library-centric platform, Springshare is deeply invested in upholding these values and protecting the data of our library clients and their patrons. Our SOC 2 recertification reaffirms this commitment."
The Springshare team collaborated with auditors over several months to confirm that the company met the necessary requirements for continued certification. Springshare's SOC 2 compliance sets the foundation for pursuing further data security certifications; the company is in the process of aligning its policies and workflows with regard to product development, data privacy, and cybersecurity to achieve StateRAMP compliance and, down the line, FedRAMP compliance. Springshare will continue to hold its internal security operations and controls to the highest standards, ensuring that clients can feel confident in their use of the full suite of Springshare products.
Security of client and patron data is vitally important at Springshare. For more information or to access Springshare's SOC 2 report, Springshare customers may reach out to the Springshare Support Team.
Springshare is fully compliant with GDPR as of May 25, 2018
GDPR Refresher
GDPR stands for the General Data Protection Regulation, a new European Union (“EU”) law that regulates the personal data of individuals in the EU. GDPR replaces the EU’s prior law, the EU Data Protection Directive, which had been in place since 1995.
GDPR defines personal data as any type of information that identifies or can be linked to an individual. In addition to the usual types of personal data (i.e. name, address, phone number), this definition can also include information such as an IP address or device identifier. The GDPR requires entities to handle personal data in specific ways and gives individuals new rights related to the processing of their personal data, among other obligations.
Ensuring GDPR Compliance
Springshare has always been very careful when handling our customers' data, and our privacy policy has been favorable to our users. Springshare never shares or resells our customers' private data with third parties. There have been a few occasions when librarians from our client institutions have approached us about using aggregate statistics data in their academic research, but for every one of these instances we obtained written permission from affected institutions about using anonymized data for research purposes.
Since 2017 we have been operating a dedicated EU data center which hosts applications and content for our European client institutions. We have four (4) worldwide data center clusters (United States, European Union, Australia, and Canada) and they are all independent of one another, i.e. the data does not flow back-and-forth. This ensures Springshare's compliance with the GDPR safeguards for cross-border data transfer - the personal data of our EU clients is not transferred "cross-border" outside of the EU.
Here are the specific steps and initiatives we've undertaken, which were completed by the May 25, 2018 deadline. These steps ensured Springshare's and your compliance with GDPR.
Collecting and Storing Personal Information for Registered Users
Registered Users/Account Holders are librarians (and some non-librarians) who have an account in any of Springshare tools - LibGuides, LibAnswers, LibCal, LibStaffer, etc. For these users to use Springshare tools and have an account we need their name, email, and sometimes their phone number too i.e. they need to share some personal information with us.
- Our account management screens contain detailed explanations of what data we collect, why, and how to delete it. We will also link to the Springshare privacy policy from these screens.
- When a user's account inside Springshare tools gets deleted, all personal information will be deleted as well. Note that the content the user created will not be removed by default (local admin decides on this) but it will be reassigned to other user(s) because, in most cases, the library/institution wants to preserve this content and assign it to another librarian for maintenance and upkeep. All content entered into Springshare tools is owned by the libraries/institutions themselves. Springshare does not own the data and the content on our platform, our clients do.
- If an institution cancels the license/subscription to a given Springshare tool, all user accounts will be deleted and all content the institution created will be deleted as well.
Collecting and Storing Personal Information for Patrons/Visitors
When libraries/institutions license and use Springshare tools, they do it so their users (patrons) can access and use them. There are many millions of patrons who use Springshare tools but do not need to register or have an account in these tools. GDPR has implications for these users, too. IP addresses are considered personally-identifiable information according to GDPR and the IP addresses of website visitors are recorded in our logs. Also, every Springshare app uses browser cookies for its regular operation.
- There is an optional "IP/cookie notification" feature (admins can enable/disable it in administrative settings). When enabled, any new visitor to Springshare tools public pages gets a visual alert that cookies are used on the site and that their IP will be recorded in the weblogs for statistical purposes. This is similar to the notification seen on websites of many European newspapers (e.g. Le Monde, Guardian, etc.). The text of the notification is customizable by admins at each institution.
- On any screen where patrons are expected to enter their personal information (e.g. name, email, phone number, etc.) in order to use the Springshare tool (e.g. LibChat, LibCal, LibAnswers) there is an optional on-screen notification (customizable for each institution) and explanation why the user is asked for this data and what happens with the data.
- Some of our tools (e.g. LibAnswers and LibCal) already offer "privacy scrub" functionality where the admins can remove any personal data that users entered via forms. We have further improved this feature and extended it to all our tools, e.g. LibStaffer, etc. - anywhere where we knowingly collect user's info (name, email, phone #) for the purpose of regular operation of our tools.
Updates to the Springshare Privacy Policy
Springshare's privacy policy is described here - springshare.com/privacy. We have updated and reviewed it in order to fully comply with GDPR. We also link to this privacy policy from any relevant public and administrative screen in our apps.
Emails from Springshare to Our Users
Springshare staff does not email patrons (i.e. your institutions' users) for any reason. The only exception to this are two scenarios - a) automatically generated emails from inside apps during the normal course of operation of the app (e.g. booking a room reservation or asking a reference question and receiving an email confirmation), or b) when we receive email support requests from patrons and we respond to them. No changes were needed in this regard for GDPR compliance. Librarians who have accounts in Springshare apps receive several types of emails from Springshare:
- Operational emails we send to clients during operational urgencies. These emails are only sent to administrators i.e. admin-level users. These fall under the "operational" emails in GDPR-speak.
- Email Newsletters and notifications about new functionality and training webinars. You will only receive these email newsletters and new functionality/training webinars if you specifically opt-in to receive these emails. You (the registered user) can opt-in/opt-out at any time. Per GDPR-rules, everyone is opted-out by default until you explicitly opt-in.
Springshare Data Privacy Office & Contact for GDPR-Related Actions
We have a dedicated email inbox and dedicated staff who:
- Receive and review all requests for removing specific data from Springshare's tools.
- Upon review, act on these requests and ensure that data in question is removed in a timely manner.
Additional Steps and Actions Springshare is Undertaking
In addition to the actions described above, we have also undertaken a company-wide effort regarding Springshare's GDPR compliance efforts. Some of our activities included:
- Educating our staff about GDPR and its requirements.
- Ensuring existing procedures cover all the rights individuals have under GDPR, including deleting personal data.
- Identifying our lawful basis for processing personal data, documenting it, and updating our privacy notice to explain it to individuals.
- Reviewing and updating contracts with third parties to ensure our privacy obligations are up-to-date.
- Ensuring the right procedures are in place to detect, report, and investigate a personal data breach.
It is important to note that these new privacy-protection-related features in our platform are available to *all* Springshare client institutions worldwide, not just our European clients. Every one of our client institutions, anywhere in the world, has access to these privacy-related features described above.
If you have any questions or concerns about Springshare's GDPR efforts, please do not hesitate to reach out to us at info@springshare.com.
Springshare is proud to be a member of GovRAMP, a nonprofit organization dedicated to enhancing cybersecurity standards for state, local, and education (SLED) entities. Our participation underscores our commitment to providing secure cloud solutions that meet rigorous, independently verified standards based on the NIST 800-53 framework.
About GovRAMP
Founded at the beginning of 2020, GovRAMP was born from the clear need for a standardized approach to the cybersecurity standards required from service providers offering solutions to state and local governments.
GovRAMP is a registered 501(c)(6) nonprofit membership organization comprised of service providers offering IaaS, PaaS, and/or SaaS solutions, third party assessment organizations, and government officials. Our members lead, manage, and work in various disciplines across the United States and are all committed to making the digital landscape a safer, more secure place.
For more details about GovRAMP and its mission, you can visit the official website at govramp.org.
Springshare is Committed to Access for Everyone!
Springshare is committed to ensuring our products are accessible and without barriers to ensure inclusivity for all. We use the World Wide Web Consortium’s Web Content Accessibility Guidelines (WCAG) 2.1 as our guide in the design and development of our products, with a goal of meeting Level AA standards.
Compliance Status
In order to provide transparency into the state of accessibility in the Springshare Suite of tools, we have made available our Voluntary Product Accessibility Template Reports (VPAT’s) in the Springshare Lounge. If you are not a member of the Lounge, we highly encourage you to become a member so you have access to resources like this and can chat with fellow Springshare users!
We continually add new features and improve our back-end code, and the task of ensuring accessibility is an ongoing process. During our development processes we follow WebAIM’s Principles of Accessible Design. We also evaluate our products to determine how well they comply with current regulations and standards, using browser developer tools and our in-house accessibility team.
When using our products for content creation, we also endeavor to give our users the tools needed to create accessible content in our platforms. We have a detailed step-by-step guide on how to help you and your colleagues meet accessibility standards when creating content.
Accessibility Feedback
Springshare is committed to ensuring our products are accessible and without barriers to ensure their inclusivity for all who want to use them. While we work on ensuring that our products are accessible to all persons, we are aware that issues around the accessibility of our software may occur from time to time and we welcome feedback on our efforts from our customers. If you have feedback regarding the accessibility of our products, please don't hesitate to contact our support team.
About this Policy
Springshare LLC ("Springshare", "we," "our," or "us") is a cloud-based software and services provider (LibGuides, LibAnswers, LibCal, LibInsight, LibStaffer, and other tools, collectively referred to as "Springshare Services" or "Springshare Services and websites") to libraries, educational institutions, non-profits, and corporations worldwide ("Customers"). The Springshare Services and websites are used by library staff, faculty and teachers, Customers' employees, library patrons, students, and other individuals ("You").
This Privacy Policy describes how we collect, use, store, disclose and transfer the information (a) you provide when you interact with Springshare Services and websites, and (b) provided by your institution when they license our Services.
Please note that our Customers may also collect, use, and disclose data that they obtain in connection with licensing Springshare Services. This Policy covers only how Springshare handles your information. For information about how our Customers handle your information, please refer to the privacy policy of the library or institution with whom you are dealing directly.
By using the Springshare Services and websites, you agree to the terms of this Policy.
Data Controller or Data Processor
Springshare is the data processor with respect to personal data submitted to and stored on the Springshare Services for hosting and processing purposes as further described below under Springshare Services-Customer Data.
Types of Information We Collect About You
Information you or your Institution may provide
When you use Springshare Services or are in contact with Springshare via other means, we may collect information such as:
- Contact details, for example your full name, institutional affiliations, phone number, email address, social media handle, and postal address
- Information about educational and professional background
- Login information used to access Springshare Services
- Professional interests and communication preferences
- Your status with Springshare (e.g., customer, prospect, vendor, partner, etc.)
- The Springshare products you use
- Comments and questions about Springshare or Springshare Services
- Any other information you choose to provide while using Springshare Services
Information collected automatically
While using Springshare Services and websites, we may also automatically collect information that does not directly identify you. This information may include your IP address, your computer & device identifiers, your general geographic location, browser cookies, and information about the devices or software you use to access Springshare Services and websites. Such information is only collected to the extent that it is necessary for us to provide Springshare Services, to optimize your user experience, and/or to make improvements to the Springshare Services and websites. Springshare does not serve third party advertising and does not share the information collected automatically with any third parties.
You may opt out of use of your personal information as outlined below under Access, Correction, and Erasure.
How We Collect Information About You
We collect information about you in three main ways:
- Information Directly Provided by You or Your Institution: When you register for services, sign up for alerts, request products or services, respond to surveys, fill out registration forms on Springshare Services and websites, register for or view webinars; create a profile, publicly post or share content, contact us, and/or otherwise interact with Springshare and Springshare Services. We may also receive and store information about you provided by your institution to the extent required to perform a contracted service.
- Information Collected Automatically Using Technological Means: As described above under Information Collected Automatically, we collect certain information automatically using technological means. We use cookies to perform and provide Springshare Services as further described below under Our Use of Cookies and Similar Technologies.
- Information Collected Through Third Parties: We may receive information about you from customers and business partners for referral and reference purposes.
Our Use of Cookies and Similar Technologies
The use of browser cookies is required for successful use of Springshare Services. A cookie is a small text document that resides on your computer which usually includes certain information about the user. Springshare does not use cookies to serve advertising and we do not provide any cookie data to third parties. You can set your browser to not accept Springshare's cookies, but you may be unable to use most Springshare Services in this case.
How We Use Information About You
We may use information about you for a variety of purposes, as described below:
- To perform and deliver Springshare Services. We use information you provide us or your institution (our Customer) provides to us to deliver Services, fulfill the terms of any agreement with our Customers, or to complete a transaction you initiate with us. To be clear, we do not access or use Customer Data (as defined below) processed through the Springshare Services except for the purposes set forth in our agreement with the Customers.
- To market our products and services. We may inform you about our products, services or events and otherwise perform marketing activities. Further, we may use this information for analytics purposes.
- To respond to your questions or comments, or to provide you with requested information regarding Springshare Services.
- If you specifically signed up for it, to send you updates, newsletters, or marketing communications about topics that may interest you, including about our products and services.
- To engage in analysis and research about Springshare Services and websites.
- To support and improve our existing Services or create new Services.
- For any of the "Legal Purposes" described below in the section entitled How We Share Information with Third Parties.
We may retain this information for as long as the customer account is active or as needed to provide the Springshare Services, to comply with our legal obligations, resolve disputes, and as needed to comply with or enforce our licenses and other agreements.
How We Share Your Information With Third Parties
We may share your information with third parties for a variety of purposes, as described below.
- Affiliates. We may share your information with our corporate affiliates for any of the purposes described in this Policy.
- Third-party service providers. We use third-party service providers to help us deliver and perform Springshare Services. These service providers may use information about you to assist us in achieving the purposes discussed in this Policy. For example, we use a vendor to manage our email newsletters and other communications.
- Business partners. We may share your information with our business partners to fulfill your requests for services, complete a transaction that you initiate, or meet the terms of any agreement that you have with us or our business partners.
- Third-party plugins. Springshare Services may integrate certain third-party plug-ins. Even if you do not click on these plug-ins, they may collect information about you, such as your IP address and the pages that you view. They also may set and/or access a cookie. These plugins are governed by the privacy policy of the third-party providing them.
- Legal Purposes. We may disclose your information to cooperate with law enforcement, government or regulatory bodies, content protection organizations, or judicial processes as required by the applicable laws and regulations. We may also use or disclose information to enforce or protect the rights or safety of Springshare Services users, us, or others. We will provide notice to individuals prior to such disclosures, to the extent it is practicable to do so and allowed by law.
- To facilitate the financing, securitization, insuring, merger, acquisition, sale, assignment, bankruptcy, or other disposal of all or part of our business or assets.
When we transfer your information to third party companies, we will ensure they maintain the same level of security as us.
Keep in mind that any information you disclose publicly – either in a public profile or through message boards or other public areas – may be collected and used by others, may be indexable by search engines, and might not be able to be erased from public view to the extent they have been copied to external sites. Please be careful when disclosing personal information in these public areas.
Security
Springshare takes the security of your information and the security of Springshare Services very seriously. We take commercially reasonable measures to protect against unauthorized access to, or unauthorized alteration, disclosure or destruction of, data that you share and that we collect and store. These security measures may include practices such as keeping your data on a secured server behind a firewall, internal reviews of our data collection practices and platforms, and industry-standard encryption technologies. However, no website or service is completely secure and we cannot guarantee the absolute security of your information.
If you have reason to believe that a third-party has gained unauthorized access to your information, please contact us immediately at privacy@springshare.com. If Springshare becomes aware of any data breach, we will notify affected individuals or, with respect to Springshare Services, affected institutions as soon as reasonably possible.
Your Rights and Choices
Communication Preferences and Opt-outs
If you have subscribed to one or more of our email newsletters or are receiving marketing emails from us and you don’t want them anymore, you can unsubscribe. Follow the instructions contained in the email message to opt-out of receiving future messages of that type. However, you cannot unsubscribe from some service related messages ("operational emails") so long as you maintain an account with Springshare Services.
Access, Correction, and Erasure
You may request to review, correct or delete the personal information that you have previously provided to us through the Springshare Services. For requests to access, correct or delete your personal information, please send your request along with any details you may have regarding the method by which the information was submitted to privacy@springshare.com. Requests to access, change, or delete your information will be addressed within a reasonable timeframe.
To help protect your privacy and security, we will take reasonable steps to verify your identity, such as requiring a username or userID, or password, or other types of verification before granting access to or removing your information. In cases where we are acting as a processor of personal data for our Customer, we may first refer your request to the Customer that submitted your personal data. We will assist our Customer as needed in responding to your request, as further described below under Springshare Services-Customer Data.
Please contact privacy@springshare.com for more information about exercising these rights.
Data Retention and Deletion
If you request to delete your personal information, we will endeavor to fulfill your request but some personal information may persist in backup copies for a certain period of time and may be retained as necessary for legitimate business purposes or to comply with our legal obligations. Springshare's policy is to keep backups of Springshare Services data for 35 days, after which the original customer data older than 35 days is permanently deleted from Springshare servers. Springshare may retain your information for a period of time consistent with the original purpose of collection, and for a reasonable time thereafter in accordance with applicable law. We also may retain your information during the period of time needed for Springshare to conduct audits, comply with our legal obligations, resolve disputes and enforce our agreements.
Cross-border transfers of personal information
Springshare Services are hosted in data centers located in several regions around the world. Every region operates independently of one another, and we use all reasonable efforts to host the Springshare Services and Customer Data in their respective home regions. Springshare Services are currently hosted in four (4) regions - United States, Canada, Australia, and European Union. If, during the course of conducting normal business of providing Springshare Services, we transfer your information to a recipient in a country outside your respective home region, we will ensure that at least one of the following applies: (i) the transfer will be to countries deemed to provide an adequate level of protection for personal data by your respective governing body (such as European Commission); (ii) we have used specific model contracts (for example, those approved by the European Commission) intended to give personal data the same protection it has in its home region; (iii) where we use providers based in the US, we may transfer information to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US; or (iv) any alternative transfer mechanism that lawfully supports the transfer under the GDPR or similar law in your home region.
Children
The Springshare Services and websites are intended for use by users aged 13 and older. We do not market to nor intentionally collect any personally identifiable information from children under thirteen (13) years of age. If you are under 13, please do not register for any of our Services or websites or provide us with any personally identifying information (such as your name, email address or phone number). If we become aware that a visitor under the age of 13 has submitted personal information without verifiable parental consent, we will remove his or her information from our Services. Please contact privacy@springshare.com if you are aware of any personal information supplied to one of Springshare Services or websites by a child under the age of thirteen (13).
Links to Other Services and Websites
Springshare Services and websites may contain links to information created and/or maintained on third-party websites. When users select a link to an outside website, they are leaving Springshare Services and are subject to the privacy and security policies of the owners of the third-party website. We are not responsible for, and we do not endorse or control, the policies or practices of any such website or services. In some cases, Springshare Services may contain an embedded content feed, video player, widget, or other application from a third party and those feeds, players, widgets, or other applications may appear to be part of the Springshare Service or website, even though they are provided or served by a third-party. If information is required for the performance of the service, the service provider is required to protect your information consistent with this privacy policy. For further information, please see the How We Share Information About You section of this policy. We encourage our users to be aware when they leave Springshare Service or website or use a third-party service embedded inside Springshare Service, and to read the privacy policies of these third party services.
Springshare Services – Customer Data
Springshare Customers submit data and information to the Springshare Services for hosting and processing purposes ("Customer Data"). Our customers are data controllers with respect to Customer Data and Springshare is a data processor. While Springshare customers decide what Customer Data to submit to the Springshare Services, depending on the particular service, the Customer Data submitted may contain personal information described in this Privacy Policy.
Springshare will not use or share any such Customer Data except as provided in its agreements with such Customers, or as may be required by law. In accordance with such agreements, Springshare may access, transfer and process Customer Data only for the purpose of providing Springshare Services, preventing or addressing service or technical problems or other purposes as set forth in such agreements or required by law.
Springshare acknowledges that you have the right to access, correct, amend and delete your personal information. If personal information pertaining to you as an individual has been submitted to us by a Springshare Customer and you wish to exercise any rights you may have to access, correct, amend, or delete such data, please inquire with the Springshare Customer directly. Because Springshare is subject to our agreements with Customers (as the data controller) with respect to your personal information stored on the Springshare Services, if you wish to make your request directly to Springshare, please provide the name of the Springshare Customer who submitted your data to the Springshare Services. We will refer your request to that customer, and will support the Customer as needed in responding to your request within a reasonable time frame.
Compliance With Privacy Shield Framework(s)
Springshare complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. Springshare is committed to the principles of Privacy Shield and has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/
In cases of onward transfer to third parties of data of EU or Swiss individuals received pursuant to the EU-U.S. Privacy Shield or Swiss-U.S. Privacy Shield, Springshare remains liable.
In compliance with the Privacy Shield Principles, Springshare commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should contact Springshare using the contact information listed at the bottom of this page.
Springshare LLC is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
Updates to Our Privacy Policy
From time to time, we may revise this Privacy Policy. If we make material revisions to the way we collect or use your information, we will provide you with notice of those changes by either: (1) notifying you directly, (2) announcing the change on the Springshare Services and websites. This page will always contain the most up to date version of our Privacy Policy. You can determine when this Privacy Policy was last revised by referring to the "Last Updated" section below. By continuing to use Springshare Services and websites after such updates, you affirm your agreement with the terms of the revised Privacy Policy. If you do not agree with changes please request that we delete your information as set out in the Your Rights and Choices section above.
Questions, Dispute Inquiries
For any questions or dispute inquiries on this Privacy Policy or our data practices, please contact us electronically at privacy@springshare.com or in writing to:
Springshare LLC
Attn: Data Privacy
801 Brickell Ave, Suite 900
Miami, FL 33131
If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed, you can also submit your complaint (free of charge) to Privacy Trust, an independent third party. Springshare has contracted with PrivacyTrust IRM to serve as an independent third party in resolving any privacy complaints from EU individuals.
Finally, as a last resort and in limited situations, EU individuals may seek redress from the Privacy Shield Panel, a binding arbitration mechanism. Despite the measures outlined in this Privacy Policy, Springshare cannot guarantee the security of any information that is disclosed online. To the extent permissible under law, Springshare shall not be liable for any direct, indirect, special, incidental, consequential or punitive damages relating to this Privacy Policy.