Collection and Use of Personal Information
We will generally let you know at the time of collection how we intend to use your personal information. Usually, we collect personal information that we require to respond to your inquiries and for the provision of our services to you. We also process your personal information where we are required to do so by law, and for the exercise or defense of legal claims. From time to time, we may contact you to let you know that there is an action pending for which you need to log into the system. Some system notifications can be controlled by you, the end user.
When you become a member of VetsHQ.com, personal information collected from you may include your name, mailing address, email address, landline or mobile telephone number, email address, job history and qualifications, among other information, including information about your military service, medical and health information, and financial information that you choose to enter into the VetsHQ Claims Management System questionnaires.
When you use VetsHQ.com we also collect information about you or your computer when you browse to allow you to use the services available. We will use your personal information to help you to log into your account and into restricted areas of our web sites, and to permit future use of the websites. We may use your IP address to help diagnose problems with our server, or to administer our websites.
We may conduct analyses of user traffic to measure the use of our sites and to improve the content of VetsHQ.com and its services. These analyses will be performed through the use of IP addresses, session information, and other tracking technologies, which allow us to improve our websites and your user experience.
Avue utilizes Amazon Web Services, Inc., (AWS) cloud infrastructure, which has been designed and managed in alignment with U.S. Health Insurance Portability and Accountability Act (HIPAA) regulations, standards and best-practices. AWS enables Avue, which is subject to HIPAA to leverage the secure AWS environment to process, maintain, and store protected health information.
Amazon Web Services Inc., Security Information and Assurance Programs
- SOC 1/SSAE 16/ISAE 3402 (formerly SAS70): Amazon Web Services publishes a Service Organization Controls 1 (SOC 1), Type II report. The audit for this report is conducted in accordance with the Statement on Standards for Attestation Engagements No. 16 (SSAE 16) and the International Standards for Assurance Engagements No. 3402 (ISAE 3402).
- SOC 2: In addition to the SOC 1 report, AWS publishes a Service Organization Controls 2 (SOC 2), Type II report. Similar to the SOC 1 in the evaluation of controls, the SOC 2 report is an attestation report that expands the evaluation of controls to the criteria set forth by the American Institute of Certified Public Accountants (AICPA) Trust Services Principles. These principles define leading practice controls relevant to security, availability, processing integrity, confidentiality, and privacy applicable to service organizations such as AWS. The AWS SOC 2 is an evaluation of the design and operating effectiveness of controls that meet the criteria for the security principle set forth in the AICPA’s Trust Services Principles criteria.
- SOC 3: AWS publishes a Service Organization Controls 3 (SOC 3) report. The SOC 3 report is a publically-available summary of the AWS SOC 2 report and provides the AICPA SysTrust Security Seal. The report includes the external auditor’s opinion of the operation of controls (based on the AICPA’s Security Trust Principles included in the SOC 2 report), the assertion from AWS management regarding the effectiveness of controls, and an overview of AWS Infrastructure and Services.
- PCI DSS Level 1: AWS is Level 1 compliant under the Payment Card Industry (PCI) Data Security Standard (DSS).
- ISO 27001: AWS is ISO 27001-certified under the International Organization for Standardization (ISO) 27001 standard. ISO 27001 is a widely-adopted global security standard that outlines the requirements for information security management systems. It provides a systematic approach to managing company and customer information that’s based on periodic risk assessments. In order to achieve the certification, a company must show it has a systematic and ongoing approach to managing information security risks that affect the confidentiality, integrity, and availability of company and customer information.
- FedRAMP(SM): AWS has achieved two Agency Authority to Operate (ATOs) under the Federal Risk and Authorization Management Program (FedRAMP) at the Moderate impact level. FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services up to the Moderate level.
- DIACAP and FISMA: AWS enables US government agencies to achieve and sustain compliance with the Federal Information Security Management Act (FISMA). The AWS infrastructure has been evaluated by independent assessors for a variety of government systems as part of their system owners’ approval process. Numerous Federal Civilian and Department of Defense (DoD) organizations have successfully achieved security authorizations for systems hosted on AWS in accordance with the Risk Management Framework (RMF) process defined in NIST 800-37 and DoD Information Assurance Certification and Accreditation Process (DIACAP).
- ITAR: The AWS GovCloud (US) region supports US International Traffic in Arms Regulations (ITAR) compliance. As a part of managing a comprehensive ITAR compliance program, companies subject to ITAR export regulations must control unintended exports by restricting access to protected data to US Persons and restricting physical location of that data to the US. AWS GovCloud (US) provides an environment physically located in the US and where access by AWS Personnel is limited to US Persons, thereby allowing qualified companies to transmit, process, and store protected articles and data subject to ITAR restrictions. The AWS GovCloud (US) environment has been audited by an independent third-party to validate the proper controls are in place to support customer export compliance programs for this requirement.
- FIPS 140-2: The Federal Information Processing Standard (FIPS) Publication 140-2 is a US government security standard that specifies the security requirements for cryptographic modules protecting sensitive information. To support customers with FIPS 140-2 requirements, the Amazon Virtual Private Cloud VPN endpoints and SSL terminations in AWS GovCloud (US) operate using FIPS 140-2 validated hardware.
VetsHQ’s Claims Management Services Center will help members identify what benefits they might qualify for — based on information the member, their family member or designated representatives provide — and gives free access to the information needed to prepare and file your claim for benefits with the U.S. Department of Veterans Affairs (VA). Based answers the member chooses to provide to a short questionnaire, VetsHQ will generate a tailored list of benefits for which the member may qualify. Should members decide to file a claim, VetsHQ will provide links to the necessary forms, which the member can fill out and submit, either electronically or by mail. Members are responsible for preparing and filing your own claims for benefits. VetsHQ.com and Avue make no representation of the VA’s final determinative outcome of a claim, the outcome of any claim on appeal, or the rate at which any claim may be processed.
Information that VetsHQ.com members provide in these questionnaires are used to identify a list of benefits that may be of interest to that individual member. Members should read all of the information about these benefits carefully and decide whether you wish to apply. Members are provided additional information through links about the type of benefit selected and who qualifies for it. If members believe they qualify for a benefit and decide to apply, a link to the necessary form is provided at the bottom of that screen. Links to forms will open up a blank PDF files for specific benefits, which members can fill out, or their family members or other veteran representatives can fill out on behalf of the veteran. VetsHQ.com members also have the option to auto-fill the form with the information previously provided in their questionnaire. If members wish to use the auto-fill function, it is the member’s responsibility to ensure that all information on the form is accurate. The member is responsible for preparing the claim to the U.S. Department of Veterans Affairs (VA) and for gathering any necessary supporting documentation. Members may choose to electronically file their claim for free by clicking the “File Now” button, or to print it out and mail to addresses provided for each benefit claim submission. Supporting documents may be required for some types of claims and that members must submit those documents to the VA.
Sharing Your Personal Information With Other Users Of VetsHQ.com
You may choose to share your personal information with other users of our website. You may also choose to allow others, including family members, caregivers, veterans representatives and advocates, and service officers at Veteran Service Organizations (VSOs) to access your information and your account to help you assess your eligibility for specific benefits or to assist with compiling information and answering interview-style questionnaires. You may choose to work with a VSO service officer to guide you through the VA claims process. Our network architecture permits you to make informed choices about whether you choose to share your information in this way. All such sharing of personal information is done at your own risk.
If you become a member of VetsHQ.com, then access and control over any the personal information that you post is readily available through the profile editing tools. VetsHQ.com members may modify or delete any of their profile information at any time by logging into their account. Information will be updated immediately. Individuals who wish to deactivate their VetsHQ account may do so by emailing VetsHQhelpdesk@vetshq.com. Users will receive confirmation once their account has been deactivated. Removed information may persist in backup copies for a reasonable period of time but will not be generally available to members of VetsHQ.com. Where you make use of the communication features of the service to share information with other individuals on VetsHQ.com, however, (e.g., posting a personal message to another user or on public areas of the website) you generally cannot remove such communications.
VetsHQ.com is not a site designed to attract minors. Accordingly, VetsHQ.com does not knowingly collect or solicit personal information from anyone under the age of 13 or knowingly allow such persons to become members. If you are under 13, please do not attempt to become a member for VetsHQ.com or send any information about yourself to us, including your name, address, telephone number, or email address. No one under age 13 may provide any personal information to or on VetsHQ.com. In the event that we learn that we have collected personal information from a child under age 13 we will delete that information as soon as possible. VetsHQ.com and Avue are not responsible for financial or payment information entered by minors as a means to access the features of VetsHQ.com
Security of Personal Information
We use administrative, technical and physical measures to safeguard personal information against loss, theft and unauthorized uses, access or modifications. Certain areas of VetsHQ.com may be password protected. As a user of our websites you can help to preserve your privacy by ensuring that you do not share your password with anyone else.
We take steps to regularly validate the personal information we hold to ensure that the information is accurate and, where necessary, up to date. Information that is no longer required for any valid business purpose, and that we are not required to keep pursuant to any applicable law, will be routinely destroyed by secure means.