How often do you read the Terms of Service Agreements or Privacy Policies of the websites you use or create an account for? Most likely rarely, if ever. And in a business setting, how many employees are also rarely (or never) checking Terms of Service Agreements and Privacy Policies? What impact could this have on your business's information, or worse yet, your clients'/customers' information? This is where ISO 27001 can aid in the protection of these assets.

What is ISO 27001?

ISO 27001 is an international standard published by the International Organization for Standardization (ISO) that specifies the requirements for an information security management system (ISMS). Information security is immensely important today because nearly everything we interact with is information. Whether it's an email, a webpage, or a text message, security should be a priority: the data in the item itself, the recipient's data, and the sender's data all need to be managed safely. How ISO 27001 is implemented in your business depends on your organization's requirements, structure, size, and processes. Two companies may both be certified to ISO 27001 and still implement it quite differently.


And when it comes to definitions, what is a Terms of Service Agreement [ToS]? According to ContractsCounsel, a Terms of Service Agreement is:

"a legal agreement between a service provider and customers that outlines terms and conditions about the services or products being provided…Terms of service agreements typically outline the service being provided, how it works, what to expect as a customer, what your obligations are as a customer, how to properly use the service, and more."

Or, as most people would know it, the large block of text that most people scroll through before clicking "Accept" to move on to the intended app or website. When the news reports that an influencer or celebrity has been removed from a service, the reason cited is typically a "ToS violation," meaning they did something outside of what the agreed-upon terms allow. So, what about the Privacy Policy?

“A privacy policy is a thorough explanation of how you plan to use any personal information that you collect through your mobile app or website.” [Ironclad]


These Privacy Policies are typically found as a link at the bottom of webpages or under account information/settings within apps. A privacy policy outlines how each individual's information and data will be used by the service. Whether data will be stored, shared, or sold is spelled out in this document, so it is vital to read it when a service will handle private information belonging to your business, your clients, or your employees.

To give an example of why it is important to look into ToS agreements and privacy policies, consider Zoom's ToS from earlier in 2023. According to the Associated Press [AP],

“The terms state that service-generated data can be used for “machine learning or artificial intelligence (including the purposes of training and tuning algorithms and models.” Zoom’s blog post says the company considers such data “to be our data,” and experts confirm this language would allow the company to use this data for AI training without obtaining additional consent.”


Without reading the ToS, and possibly the Privacy Policy, companies and individuals would have missed this key clause. Fortunately, because some people did read the ToS and asked questions, the wider public became aware of what the terms allowed, even though most users would simply have scrolled past them. Following the ToS update and blog post of August 11, 2023, Zoom states:

“We’ve updated our terms of service (in section 10) to further confirm that Zoom does not use any of your audio, video, chat, screen-sharing, attachments, or other communications like customer content (such as poll results, whiteboard, and reactions) to train Zoom’s or third-party artificial intelligence models.”

Having the vigilance, or better, a system, in place to review ToS agreements helps catch potential privacy or security concerns early. This is where ISO 27001 comes into play: an ISMS built on the standard treats the services your business relies on as suppliers whose agreements and changes must be reviewed (in ISO 27001:2022, the Annex A controls on supplier relationships, supplier agreements, and the monitoring, review and change management of supplier services). In practice, that means assigning someone to read the privacy policies and ToS agreements of the services you use whenever they are updated, record the changes, and flag anything that affects how your data or your clients' data is handled. Whether the next step is contacting the service to talk through the changes or looking into a new service provider, ISO 27001 can guide your business to the best option.


And if you are looking into implementing ISO 27001 in your business, now is the time, as DQS Inc. is ANAB Accredited for ISO 27001:2022. We are happy to answer questions and begin your certification journey; use the link below to speak to our Sales team, or email sales.us@dqs.de. Looking for training for the next step in your journey? Visit our DQS Academy website for more information on upcoming training. Need more information before reaching out? Download our whitepaper about the ISO 27001:2022 Update.


Author
Robyn Daiss

She is a graduate of the University of Texas at Austin with a B.A. in American Studies. She uses her diverse experience in development, administration, and more to provide engaging content and information for those pursuing continuous growth in their businesses with certifications and training.
