Data Ownership and Protection

No sensitive personal information (e.g., DOB, social security, credit card, home address, phone number, etc.) is stored in Green Arrow Labs systems. Personally identifiable information (PII) is limited to name, organization, and email address. While the software does not manage health or financial data, the infrastructure on which the data is hosted complies with HIPAA, FISMA, and similarly stringent regulatory requirements. Our data privacy policies were devised around these standards as well; specifically, that the minimum amount of information about a user is necessary to achieve the goal (authentication into the application).

Employees and contractors are required to sign and comply with confidentiality/NDA and data security policies as a condition of hire. We make secure document portals available to our clients for exchanging sensitive documents and data, and client data is maintained in a secured facility at all times.

Your identity will not be revealed or used for marketing purposes without your express written permission. Your written permission is also required for us to aggregate/anonymize data from your suppliers or test results for the purpose of producing industry benchmarks. The benchmarks are used in presenting charts and statistics on your dashboards (depending on the software and service level/edition to which you subscribe). Aggregated/anonymized data cannot be reverse engineered to somehow reveal its source. You will always continue to own your data and it will never be sold or used for any other commercial purpose.

> More information about data security and our Privacy Policy

General Data Protection Regulation (EU)

Green Arrow Labs is committed to maintaining the highest data protection standards, including compliance the European Union's General Data Protection Regulation 2016/679 ("GDPR") and the German Protection Law of 2018 (Bundesdatenschutzgesetz/BDSG). The European Commission determined that the U.S. Department of Commerce assured a reasonable level of data protection through the negotiated Safe Harbor Agreement. Through the Safe Harbor Agreement, Green Arrow Labs commits itself to comply with certain data protection principles by means of statements to the relevant U.S. authorities.

Green Arrow Labs complies with all seven first principles of the BDSG, namely:
1. Prohibition with reservation of permission: The collection, processing and use of personal data is strictly prohibited, unless it is permitted by the law or the person concerned gives consent (§ 4 I BDSG).
2. Principle of immediacy: The personal data has to be collected directly from the person concerned. An exception of this principle is a legal permission or a disproportionate effort (§ 4 III BDSG).
3. Priority to special laws: The BDSG supersedes any other federal law that relates to personal information and its publication (§ 1 III BDSG).
4. Principle of proportionality: The creation of standards restrict the fundamental rights of the affected person. Therefore, these laws and procedures must be appropriate and necessary. A balancing of interests must occur.
5. Principle of data avoidance and data economy: Through the use of data anonymization or pseudo-anonymization, every data processing system should achieve the goal to use no (or as little as possible) personally identifiable data.
6. Principle of transparency: If personal data is collected, the responsible entity must inform the affected person of its identity and the purposes of the collection, processing or use (§ 4 III BDSG).
7. Principle of earmarking: If data is permitted to be collected for a particular purpose, use of the data is restricted to this purpose. A new consent or law is required, if the data will be used for another purpose.

Trusted Organization and Sites/Applications

Link is a web-based application accessible through your computer browser and an HTTPS/SSL address. HTTPS ("S" is for "Secure") is an internet protocol that encrypts all communications between your browser and our website. The site further uses Secure Sockets Layer (SSL), which requires the browser to verify the presence of a security certificate before a connection is made. This SSL certificate is issued by a Certificate Authority — an independent third-party who has authenticated the identity of Green Arrow Labs and verified our domains/websites as "trusted."

Link uses a graph database to maintain the supply chain partner identities and their relationships to products, materials, and each other. The connections between these items follow the supply chain "tree" up to a single source — you — and the identity database prevents these connections from crossing. Two users in the same department for the same client, however, can see all the data shared by that department. Conversely, users in one department can be segregated from users (and their data) in another department. A supplier cannot see another supplier's data, but a brand can see data across all of its suppliers (but not other brands' suppliers). Even brands who happen to use the same supplier can't see the products/materials provided by that supplier to any other brand.

Aggregate Data

Your data is only used for aggregated data analysis with your express written permission, through your Software Subscription Agreement. To obtain aggregated data, the database is queried without any relation to the source (your organization or your supplier/partner organizations), and displayed as a chart and/or table of statistics for the data "pool". Here is an example of aggregated apparel/textile material failure rates: