TFP GROUP, INC.
TFP provides professional services to procure and manage federal, state and local workforce development grants and incentives from various funding agencies. In order to meet the reporting needs of the various funding agencies and secure funding for its clients, TFP must collect and manage client employee PI for purposes of meeting the reporting requirements of the agencies.
This Policy is intended for individuals in the United States. TFP does not collect any data for individuals living outside of the United States. All data collected is domestic data and is managed and stored domestically.
PI Collection, Use, and Sharing
PI generally means any information that identifies you as an individual, and any other information TFP associates with it. We use PI as permitted by law, to apply for funding and reimbursements from applicable government agencies and provide related required information to comply with the reporting requirements of funding agencies. We collect a few categories of information, from varying sources, including:
-Information about you provided by your employer which is our client.
-Information and other content you voluntarily provide us.
-Information you provide in communications with us, such as via email.
-Information that is passively collected.
-Information that does not identify you and is not associated with your personal information.
We may also de-identify information so that it no longer identifies you.
The type of PI that may be provided by a client to TFP during the course of business (“client employee PI”) includes employee first and last names, identification numbers (including SSNs), job-related information, payroll/wage information, and demographic information such as ethnicity, gender, age, and education. Other client employee PI such as credit card information, driver’s license numbers, bank account numbers, and employee medical information is NOT required by the various funding agencies and therefore will NOT be collected by TFP.
Client employee PI data is not shared with any third parties beyond the funding agencies, related entities as authorized by TFP’s client, and service providers (e.g., Amazon). TFP does not sell or rent this information to any third parties.
When your employer submits PI relating to you and other employees in connection with the services we provide, they represent that they have the authority to do so and to permit us to use the information in accordance with this Policy.
Cloud Service Provider Usage
TFP may contract with cloud service providers for purposes of hosting training related data, hosting its email, and managing client data and records as may be required based on the business and agency need. All client employee PI is encrypted while in transit to/from these cloud services providers or while client employee PI is stored at rest on their servers. These cloud service providers have been chosen due to their data centers being SSAE 16 and ISO 27001 accredited.
TFP consults with its cloud service providers so that its clients’ sensitive information and activities are protected to the same degree of security that TFP would intend to provide its own employees’ PI. Security and auditing is requested from TFP’s cloud service providers as applicable to TFP’s needs and concerns. Service level agreements are reviewed by TFP periodically for system restoration and reconstitution time.
TFP uses commercially reasonable physical, electronic, and administrative safeguards to protect our client employee PI from loss, misuse, unauthorized access, alteration, disclosure, and destruction. When clients upload sensitive information, technical measures and security controls are utilized to ensure that client employee PI is encrypted while in transit and while at rest using regular credential, password and authentication updating protocols including multi-factor authentication, at a minimum.
Wherever TFP collects client employee PI, that information is encrypted and must be transmitted to TFP in a secure way. This security can be verified by looking for a lock icon in the address bar and looking for “https” at the beginning of the address of the Secure Client Login page at the bottom of TFP’s main website at www.tfpgroup.com. Simple password protection on an email attachment is not a secure transfer method and therefore is not an allowable method for transferring PI.
Only TFP employees who need the information to perform a specific job are granted access to client employee PI. The computers/servers/databases in which TFP stores client employee PI are kept in a secure environment. Critical patches are installed immediately when software security vulnerabilities are identified. Also, TFP performs regular internal security reviews and provides security training to its employees no less often than on an annual basis.
TFP immediately destroys client employee PI after its business need or relevance has expired. Electronic PI is shredded by a software tool that will overwrite the files before deletion. Hard copy PI, if any, is destroyed via a licensed shredding company. End-of-lifecycle hard drives are first shredded and then physically destroyed on site (in the presence of a TFP employee) by a certified destruction company.
Unfortunately, no system or network can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the “Contacting Us” section below.
Breach and Breach Notification
If TFP becomes aware of a security breach which TFP believes has resulted in unauthorized access or otherwise misuse of client employee PI, TFP will promptly investigate the matter and notify the applicable agencies and others with a need to know of such breach. TFP’s investigation will be without delay to determine the scope of the breach and identify the client employees affected. If client employee PI have been compromised, TFP will be responsible for notifying key client contacts within 24 hours of the suspected breach.
This website, www.tfpgroup.com, contains links to other sites. Please be aware that TFP is not responsible for the content or privacy practices of such other sites. TFP encourages its users to be aware when they leave TFP’s site to read the privacy statements of any other site that collects PI.
Enforcement and Dispute Resolution
action against that employee that may include termination of employment.
California Disclosures and GDPR
To the extent applicable to its business transactions, TFP agrees to comply with the California Consumer Privacy Act of 2018 (“CCPA”), California Privacy Rights Act (“CPRA”), and their implementing regulations, as may be amended from time to time, in connection with its duties as a Service Provider as defined in the CCPA regulations. With respect to PI shared with or processed or collected by TFP, TFP certifies that it will not sell, use or disclose the PI for any purpose other than as required for the performance of its workforce development and consulting services to its clients.
California law permits our clients’ employees who are California residents to request certain information regarding our disclosure of certain categories of personal information to third parties, principally funding agencies. To make such a request, please contact us as set out in the “Contacting Us” section below.
TFP does not operate within nor provide services to organizations or individuals within the European Union as per the requirements of the General Data Protection Regulations (“GDPR”).
If you have any questions or concerns regarding TFP’s Policy, please contact TFP using the contact information below. TFP will reply to your questions or concerns as quickly as possible.
Attention: Information Security Officer
TFP Group, Inc., dba Training Funding Partners
5912 Bolsa Avenue, Suite 109
Huntington Beach, CA 92649
Please note that email communications are not always secure, so please do not include sensitive information in any emails to us.
Date Last Revised