In order to provide our Identity Verification Services, some user data beyond the scope of micro-expression analysis. One or more reference images of the expected learner’s face is required so that Emotics’ Identity Verification Service can compare their “true face” with images captured via webcam. These reference images must be stored on a server that is accessible to all launched instances of Emotics’ data aggregation servers. URLs of each reference image must be stored in the database used by instances of the Emotics’ API server.
Depending on service configuration, imagery captured by learner webcams that is determined to not match their reference images may or may not be uploaded to the API server for later review by the compliance management team.
If Emotics’ Identity Verification Services believes that the person in front of the webcam does not match the identity of the expected learner, neither the person being monitored nor the expected learner is immediately notified. Instead, the compliance management team is notified, via the Emotics Console, that there may be a problem. Failed identity verifications are presented within the context of all metadata collected for the session in question.
Depending on service configuration, Identity Verification Services may require that both reference images and webcam imagery be shared with external parties that provide certain analysis services. Emotics protects the information we share by imposing contractual privacy and security safeguards on the recipient of the information and ensuring that none of the imagery is stored by these external parties after analysis is complete.
Several types of information are collected during an e-learning session that is monitored by Emotics Attention:
In addition to the data collected client-side, with Emotics’ SDK, certain pieces of aggregated analysis are generated server-side and stored for later use:
Analytics data stored to support the compliance management team resides in a database. Depending on the terms of your service agreement with Emotics, this database may be fully-controlled by the customer organization or managed by Emotics. It may be hosted on-premises at a customer site or within a cloud-computing service.
Emotics has implemented measures designed to secure all personal information from accidental loss and unauthorized access, use, alteration, and disclosure. Our infrastructure is designed in layered-architecture and the security of each element builds upon those below it, from verifying that any cloud data centers we may use meet physical security and hardware standards, to the security protections of our software to the processes we use to support operational security.
As data moves between learners’ devices, Emotics services, and database, it is protected by security technology like HTTPS and Transport Layer Security. Personal information is stored in an encrypted state, providing security at rest as well as in transit.
Emotics Attention is designed to only collect data that is necessary to meet specific business requirements and it ensures that both individuals and organizations have the ability to access and control their own personal information according to applicable regulations, like GDPR and CCPA.
Data is collected from learner devices only with learner consent. During each session, learners are presented with options to contact the compliance management team to request access to or deletion of all personal information stored within the Emotics Attention system.
The Emotics Console makes it easy for the compliance management team to respond to GDPR-compliant employee requests in a timely manner.
Data storage policies for Emotics Attention can be configured according to the customer’s regulatory environment and business needs. With appropriate configuration, the system meets regulations defined by GDPR, as well as other data protection regulations, like CCPA. When analytics data have been anonymised, the compliance management team will have access to population-level trends in micro-expression analyses, but session details cannot be tied directly back to individual learner identities.
No data is collected from learner devices until the learners have agreed to terms of service. The agreement language is configured by the customer, with consultation from their legal team.
Details of the place and time that each learner agreed to these terms is recorded by the Emotics Attention service. Learners have the ability to revoke any permissions they have previously given during any subsequent session.
There are several options we can provide to a client:
Various deployment options may be used, depending on the service agreement between Emotics and the customer organization. On one hand, Emotics Attention may be provided as a cloud-hosted service, where Emotics manages infrastructure-level set-up. Alternatively, the service may be deployed on-premises, where the customer organization has full control of their technical infrastructure and no data leaves the company network.
The software runs on Node.js and can be deployed as a Docker container with dependencies installed via npm. Emotics Attention works best with a PostgreSQL database, though it can be modified to use other options.