SCC Data Protection Policy

1. Purpose

The SCC Data Protection Policy defines how the Specify Collections Consortium protects the confidentiality, integrity, and availability of member data stored, processed, or transmitted through SCC systems and services. This policy applies to all SCC staff, contractors, systems, and hosting environments.

2. Scope

This policy applies to:

  • All SCC staff and contractors

  • SCC-managed databases and assets

  • SCC-managed development, testing, and support systems

  • Member data transmitted through Specify support workflows

  • SCC-managed backups, logs, and administrative metadata

3. Data Ownership

Member institutions retain full ownership of all collection data, including specimen records, metadata, images, attachments, and annotations. SCC does not claim ownership of member data and does not use member data for analytics, research, or marketing. SCC accesses member data only with explicit permission given in the Hosting and Membership Service Level Agreements (SLAs) for troubleshooting or support.

4. Data Classification

SCC handles the following categories of data:

  • Member Collection Data: Scientific and administrative data stored in Specify

  • Operational Metadata: Configuration, structure, and usage metadata

  • Support Information: Logs, error reports, and technical details

  • Personal Information: Limited to names, emails, and institutional roles

Specify and the SCC do not support collection or storage of regulated data such as PHI, PCI, or sensitive PII, protected health information, payment card data, or other highly sensitive personal data.

5. Data Residency

Member data is stored only in the hosting region selected in Exhibit A of the Hosting SLA. Backups and asset snapshots remain in the same region unless the member provides written approval for temporary diagnostic access.

6. Data Encryption

All data is encrypted in transit using TLS 1.2 or higher. All data at rest in AWS RDS and S3 is encrypted using AES 256. Encryption keys are managed by AWS Key Management Service.

7. Data Isolation

SCC ensures logical isolation of member data in multi-tenant environments. Single tenant hosting is available for institutions that require dedicated infrastructure.

8. Data Access Controls

The SCC restricts access to member data to authorized staff and only for the minimum time and scope required. Access is monitored, reviewed, and revoked immediately when no longer needed. SCC staff do not access production data unless the member provides explicit written permission.

9. Backup and Retention

SCC maintains a multilayered backup strategy described in full in the Database and Asset Hosting Service Level Agreement: SCC Hosting SLA

Members are encouraged to download independent backups regularly.

10. Data Recovery

SCC restores the last valid backup within three business days during Central Time business hours. Restoration is subject to incident severity, system dependencies, and operational capacity.

11. End of Contract Data Handling

Upon membership termination:

  • The most recent database backup and asset snapshot are retained for three months

  • If the membership is terminated due to not being in good standing, retention extends to one year

  • Members may request earlier deletion

  • After the retention period, all data is permanently deleted

12. Data Deletion Requests

Members may request deletion of backups, snapshots, or specific datasets. SCC honors requests unless a legal hold applies.

13. Monitoring

SCC reviews access events, administrative actions, and system activity.

14. Compliance and Review

SCC staff reviews this policy annually and updates as SCC infrastructure, hosting practices, and member needs evolve.


Download this document as a pdf:
SCC Data Protection Policy.pdf (84.9 KB)