FiscalNote Security Policy

Please direct all inquiries, questions or comments with respect to this FiscalNote Privacy and Security Policy to FiscalNote at the email addresses below. FiscalNote will use commercially reasonable efforts to respond to your inquiries, questions or comments within five (5) business days of their receipt.

Privacy Email Address: privacy@FiscalNote.com
Security Email Address: security@FiscalNote.com

Should you reside in the European economic area, please contact us at EUprivacy@FiscalNote.com

Security

1. Physical Security
2. Dedicated Security Personnel
3. FiscalNote Network Security
4. Your Passwords and Account Security
5. SAML

Data Protection

1. Your Obligations
2. PII and Billing
3. FiscalNote Employee Data Access

Compliance

1. SOC 2, Type II certifications
2. Fair Processing Notice For European Public Officials FAQ
3. California Privacy Rights

Physical Security

FiscalNote Services are hosted in secure, SAS70 Type II certified facilities that are protected from physical attacks and from natural disasters. Such data centers are monitored on a 24×7 basis and entrance to the datacenters is controlled and restricted to a select group of authorized personnel. Multiple forms of authentication must be used in order to enter any such data center and the datacenters are guarded and protected 7 days a week, 24 hours a day.

Dedicated Security Personnel

FiscalNote has a dedicated IT Security team to ensure our organization is staying on top of all the latest security best practices and ahead of any potential issue that could impact our clients. They are responsible for protecting IT infrastructure, networks, and data and implementing security standards across all of our solutions. 

FiscalNote Network Security

FiscalNote’s network security systems and firewalls help to protect our customers’ data against sophisticated attacks. FiscalNote uses intrusion detection systems to protect and screen its services. Access to the FiscalNote network is tightly and comprehensively controlled and strictly audited by appropriate FiscalNote personnel.

Communication between a customer’s computer and FiscalNote’s servers is encrypted with TLS 1.2 and FiscalNote applications operate in a secure operating system that FiscalNote believes minimizes vulnerabilities.

Your Passwords and Account Security

You agree and understand that you are responsible for maintaining the confidentiality of passwords associated with any account you use to access the Services.

Accordingly, you agree that you will be solely responsible to FiscalNote for all activities that occur under your account.

If you become aware of any unauthorized use of your password or of your account, you agree to notify FiscalNote immediately

Security Assertion Markup Language (SAML)

FiscalNote offers Security Assertion Markup Language, or SAML, authentication. SAML is a protocol that allows us to use your company’s secure authentication when logging into our software platform. This system allows users to use single sign-on (SSO) in conjunction with GSuite or Active Directory, centralizes user account control, ensures another layer of security that prevents unauthorized log-ins, and lowers the risk of a breach or hack. 

Without the automatic, centralized user provisioning that comes with SAML, its much easier to forget to offboard a departing employee, who could then use previous log-in credentials to access sensitive information. 

Your Obligations

You have certain obligations imposed by applicable law or regulations or by the FiscalNote Terms of Service Agreement. You must, at all times, respect the terms and conditions of this FiscalNote Privacy and Security Policy, including but not limited to any intellectual property rights, which may belong to third parties. You must not disseminate, distribute and/or download any information which may be deemed to be injurious, offensive, violent or racist.

Any violation of these obligations and guidelines in the FiscalNote Terms of Service Agreement or in the FiscalNote Privacy and Security Policy may lead to the termination or suspension of your access to or license of the Services by FiscalNote, at its sole option.

It is your responsibility to protect the security of any of your login information. Emails, instant messaging, and other similar methods of communication may not be encrypted, and we urge you not to use these means or methodologies for the communication of any confidential information.

PII and Billing

Access to personal information and/or your data at FiscalNote is password-protected and PCI compliant. FiscalNote may use a credit card processing company with respect to the billing of Services fees and such third parties may use such personally identifiable information solely to provide such billing services. FiscalNote also audits its system, from time to time, for possible vulnerabilities.

FiscalNote Staff Data Access

FiscalNote’s employees have years of experience in managing and assessing security and data protection risk. Only FiscalNote staff with the highest level of clearance have access to our datacenter and the data contained therein. FiscalNote limits access to customer data to only a designated number of its staff with a legitimate need to access such data in order to provide technical, support, and other important services for FiscalNote’s customers.

FiscalNote, on a continuing basis, reviews its then-current security policies and develops new policies and/or procedures with respect to management, knowledge sharing, escalation procedures, and day-to-day operations. FiscalNote routinely and regularly audits its security policies and procedures and those same policies and procedures are regularly reviewed by FiscalNote executive management.

Any access to customer data is solely on an as-needed basis by authorized FiscalNote staff or by FiscalNote senior management employees in order to provide and perform maintenance and/or support services for our customers and in order to maintain or improve the quality of our Services.

SOC 2, Type II certifications

FiscalNote offers SOC 2, Type II audit, or Service Organization Control 2 engagement, and renews this on a yearly basis. SOC 2, Type II is an audit of a service organization’s overall security. A third party auditor performs tests of operating processes to validate that all necessary security controls are in place and operating effectively. SOC 2 is safer, more secure, and provides stricter safeguards for sensitive client information than SOC 1.  

Fair Processing Notice For European Public Officials FAQ

In order to provide its services, FiscalNote Inc. ("FiscalNote" or "We") collects and processes personal data of European public officials ("public officials" or "you") from publicly-available sources (e.g. the EU Parliament website, government websites, a public official's individual website etc.). It concerns both Members of the European Parliament (MEPs) and national legislators (i.e. French, German, Russian, Swiss, Ukrainian or UK legislators).

This information is used on our FiscalNote platform ("the platform") which can be used by our customers to gain understanding of legislation, regulations and their status, as well as the methods for contacting public officials.

It is our top concern to protect your privacy and to process your personal data in a fair and transparent manner. This Fair Processing Notice explains how and why we process your personal data, how we protect them and how long we keep them.

For more general information about why and how we process personal data when we perform our business activities, please read our Privacy Policy.

Please follow the links below for further information:

• Who will process your personal data?
• What is the purposes for processing your personal data? 
• What are the legal grounds for processing your personal data? 
• What are your rights with respect to the processing of your personal data? 
• Which categories of personal data will be processed?
  
• Who will have access to your personal data? 
• Will your personal data be transferred to countries outside the EEA? 
• Will we make use of automated decision-making? 
• How long will your personal data be retained? 
• Are your data safe and secure? 
• Who can you contact? 
• Changes to this Fair Processing Notice?
  

California Privacy Rights

The California Consumer Privacy Act (CCPA), effective January 1, 2020, gives California consumers enhanced rights with respect to their personal information that is collected by businesses. First, California consumers may opt-out of having their personal information sold to other persons or parties. Second, they have a right to know:

• What specific pieces of information a business has about the consumer;
• Categories of personal information it has collected about the consumer;
• Categories of sources from which the personal information is collected;
• Categories of personal information that the business sold or disclosed for a business purpose about the consumer;
• Categories of third parties to whom the personal information was sold or disclosed for a business purpose; and
• The business or commercial purpose for collecting or selling personal information.
• In addition, California consumers can request that the personal information a business has collected about them be deleted from the business’s systems and records.

FiscalNote may be considered a covered business under the CCPA as it collects and processes the personal information of California consumers. This Privacy Policy provides the required notices to California consumers. The CCPA also prohibits covered businesses from providing discriminatory treatment to California consumers if they exercise their rights under the Act. 

FiscalNote does not presently sell any personal information to third parties for any purpose.

To make a "request to know" or "request to delete" your personal information, send us an e-mail at privacy@FiscalNote.com (Please put either “Request to Know” or "Request to Delete" in the subject heading of your email.) You may also submit these requests via this online form.

We will honor these requests for US individuals whether or not you are a California consumer under the CCPA. 

We will confirm receipt of your request within 10 days along with a description of what steps we will take to verify and respond. We must provide the requested information or delete your personal information within 45 days of receipt of your request. If necessary we can take up to an additional 45 days, but we must let you know the additional time is needed. 

When contacting us, we may ask you to provide certain, limited personal information, such as your name, email address and/or account login ID and/or password, to verify your request and to match with our records and systems. This is also to protect against fraud. We will not retain this personal information or use it for any other purpose. Also please be advised that we need to search our records and systems only for the preceding 12 months. 

Residents of other states may also have similar rights to request information about or delete their personal information. To inquire about exercising these rights, please contact us at privacy@FiscalNote.com.

Pursuant to California’s "Shine The Light law" (California Civil Code § 1798.983), California residents are entitled, once a year and free of charge, to request the disclosure of certain categories of personal information to third parties for their own direct marketing purposes in the preceding calendar year, if any. Under the law, a business should either provide California customers certain information upon request or permit California customers to opt out of this type of sharing. You may request this information by contacting us at privacy@FiscalNote.com and indicate in the email subject line, "California Shine The Light Request." Please include your mailing address, state of residence and email address with your request.

Currently, our systems do not recognize browser-based "do-not-track" requests.