What Information Is Collected When Someone Uses Embodied Labs?

This document provides a general overview of the information that Embodied Labs requires for access to its Immersive Experiences Platform.

For additional information, please also visit our Privacy Policy and End User Agreement.


General Overview

  • Embodied Labs does not require or store any Personal Health Information (PHI)
  • Embodied Labs does not require Personally Identifiable Information (PII) for non-administrators (i.e., end-users)
  • For Embodied Labs administrators, customer administrators, and customer end-users, Embodied Labs requires authentication via a username (or phone number) and password. Customer administrators can elect to have end-users access the platform through an alternative authorization process (authorization-based access using an alternative identifier).
  • For end-users who are enabled via authorization-based access, we commonly evaluate access requests against a regular expression (e.g., *@xyz.com for email-based authorization), and therefore don’t require information upfront; this can also be obfuscated by using generic identifiers

 

What is captured?

Our Immersive Experiences platform captures and stores three types of data:

  • Access data, e.g., who and when?
  • Experience data, e.g., which experiences and for how long? 
  • Data for product improvement (only), e.g., access platforms, errors, anonymized usage 

 

Data Security

  • Customer and user data is stored on AWS Relational Database Service (RDS)
    • RDS data is in a private subnet in a Virtual Private Cloud (VPC)
    • RDS data is behind an AWS Web Application Firewall (WAF)
  • A subset of customer analytics data is securely stored on AWS Cloud Object Storage (S3) for reporting through AWS QuickSight
  • Google Forms survey data is securely stored on Google’s Cloud Infrastructure
  • Encryption
    • All data is encrypted at rest with the AES-256 encryption algorithm
    • All data is encrypted in transit using SSL/TLS encryption
  • Backup and Recovery
    • Data is backed up daily and each backup is retained for 7 days
    • Snapshots are taken before schema changes are deployed
  • Password Security
    • Customer Administrators, Embodied Labs Administrators, and optionally end-users (if the customer elects) have accounts that are password protected
    • Alternatively, customers can configure regex-based authorization for end-users
    • Passwords are hashed using the PBKDF2 algorithm with SHA-256, a password-stretching mechanism recommended by NIST
    • Passwords are also secured under our general data security policies

 

What additional data is collected and where is it stored?

  • Login data, e.g., who, when
  • Experience Analytics, e.g., which experiences and for how long? 
  • User session logs are stored in the database
  • (Future) choice data from within experiences

 

Who has access?

  • Organization admins can view session statistics (when a session was completed by a user, which session, and how long it lasted) for any user within their organization
  • Site admins can view session statistics (when a session was completed by a user, which session, and how long it lasted) for any user within their specific site
  • Embodied Labs staff can view all session statistics for all users and customers
  • End-users cannot view any session logs