Privacy & Data Processing Policies
*(16/5/2022) Privacy Policies updated
(03/11/2020) Subprocessor Change Notification
- Data Processing Agreement: the latest DPA, which is effective for all contracts signed/renewed from 24 Nov 2021
Vulnerability Disclosure Policy
EFFECTIVE DATE: September 2020
We, KeyedIn Solutions Limited and on behalf of our US parent entity KeyedIn Solutions Inc. (referred to herein as we, us, ours), are committed to protecting and respecting your privacy. You are our customers who enter into agreements with us for the use of our products.
The personal information is uploaded to the Cloud Service by you in the course of your use of our products and may, for example, include personal employee data or customer data. You are the controller of this data and we simply process it (where we are required to do so) in the performance of our contract with you, for example in the provision of the helpdesk function. We also store the data on your behalf on our secure servers.
Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
COLLECTION OF PERSONAL INFORMATION
Collection of personal information in the course of using the Platform
We collect and process personal information in the course of your use of our Cloud Service. You may upload personal information (about employees, customers etc.) when using our Cloud Service. This data is stored on our secure servers and, from time to time, may be processed by us in order to perform technical support obligations to you in line with our service agreement. We do not use the data uploaded to the Cloud Service for any purpose other than to provide the service.
We consider the following to be personal information: your name, identification number, phone number, job title and e-mail address. It may also include less obvious information such as location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person. Personal information is treated confidentially.
We have no direct relationship with the individuals whose personal data we process in this context and we simply act as a processor in respect of this data.
If you wish, you can disable the cookies from your browser and delete all cookies currently stored on your computer. Cookie settings can be found in your browser’s preferences. For information about cookies and their use please visit http://www.allaboutcookies.org/manage-cookies/index.html. Please note, however, that if you choose to disable the cookies the platform will not work.
We use session ID cookies and persistent cookies within the product for identity management as you navigate to different areas of the system. A session ID cookie expires when you close your browser. We also use persistent cookies to hold log on screen defaults such as the last used language for localization and the ‘keep me logged in’ facility. A persistent cookie remains on your hard drive for an extended period of time. You can remove persistent cookies by following directions provided in your Internet browser’s “help” file.
DATA ACCESS AND RETENTION
You may access, correct and update the personal information you have uploaded to the Cloud Service about your customers, employees etc. at any time by accessing the relevant areas of the platform.
We will retain personal data we process on your behalf for as long as needed to provide services to you and in line with your instructions as controller of this data. We will retain and use this personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
Individuals have a right to access personal data held about them. Should an individual whose data we store pursuant to our service agreement with you approach us to seek access, correction, amendment, or deletion of inaccurate data, we will ask them to direct their query to you, the controller of such information. If you request that we erase data from our system or amend this data, we will respond to your request as soon as possible.
In the event of a data breach, we will notify you without undue delay after we become aware of the breach.
ENGAGING THIRD PARTY SERVICE PROVIDERS
In order to provide the Cloud Services we engage third parties who perform functions on our behalf; for example, we use a third party hosting service provider. We will inform you of any intended changes concerning the addition or replacement of sub-processors and give you an opportunity to object. We have comprehensive data processing agreements in place with all sub-processors we engage and, where a sub-processor fails to fulfil its data protection obligations, we remain responsible to you for the performance of that other processor’s obligations.
DISCLOSURE OF PERSONAL INFORMATION ON BUSINESS SALE
If we sell our business, or it undergoes a business transition, your services agreement with us may be transferred as part of the process. As a result, the personal data that we store and process on your behalf may also be incidentally transferred. Where this is likely to occur, we will inform you in advance. You will have the option to opt out or request the deletion of Personal Information undergoing transition. Please see the terms on which we provide your service for further information.
DISCLOSURE FOR NATIONAL SECURITY OR LAW ENFORCEMENT
Under certain circumstances, we may be required to disclose personal information in response to valid requests by public authorities, including to meet national security or law enforcement requirements. In certain circumstances, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
The personal information that you control will never be accessed or processed by us for marketing purposes.
The security of your personal information is important to us. All information you provide us is stored on our secure servers and we encrypt the transmission of personal information using secure socket layer technology (SSL). Where you have created a user account or where we have given you (or you have chosen) a password which enables you to access certain parts of our Cloud Service, you are responsible for keeping this password confidential. We ask you not to share that password with anyone.
We follow generally accepted standards to protect the personal information submitted to us, both during transmission and once we receive it. However, no method of transmission over the Internet, or of electronic storage, is 100% secure; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. If you have any questions about security on our Cloud Service, you can contact firstname.lastname@example.org.
TRANSFER OF PERSONAL DATA OUTSIDE OF THE EEA AND SWITZERLAND
We are a multi-national business and personal data about individuals based in Europe and Switzerland, along with your other data, will be stored in the geographic location agreed with you. Data may be processed by KeyedIn Solutions Inc. (see KEYEDIN SOLUTIONS INC REGISTRATION WITH EU-US PRIVACY SHIELD AND SWISS-US PRIVACY SHIELD below) and engineers in the United States and India in order to fulfil our contractual obligations to you, including our helpdesk service.
The European and Swiss data protection legislative frameworks prohibit transfers of personal data outside of the European Economic Area (EEA) or Switzerland without a mechanism in place assuring that the rights of individuals are adequately protected. Where data is transferred out of the EEA or Switzerland to third party processors, we ensure that these organisations provide sufficient guarantees to implement appropriate technical and organisational measures for the protection of personal data. Where necessary we require that any such third party processors execute the relevant Standard Contractual Clauses or adhere to any certification processes issued by the European Commission for transfer of personal data out of the EEA.
KEYEDIN SOLUTIONS INC REGISTRATION WITH EU-US PRIVACY SHIELD AND SWISS–US PRIVACY SHIELD
In light of the July 2020 ruling by the European Court of Justice invalidating the Privacy Shield as adequate protection against 3rd party access to data, we have implemented Standard Contractual Clauses between KeyedIn Solutions Ltd and KeyedIn Solutions Inc.
However, KeyedIn Solutions Inc continues to participate in and has certified its compliance with the EU-U.S. Privacy Shield Framework. We are committed to subjecting all personal data received from European Union (EU) member countries to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List. [https://www.privacyshield.gov/list]
KeyedIn is responsible for the processing of personal data it receives and subsequent transfers to a third party acting as an agent on its behalf. KeyedIn complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Framework, KeyedIn is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
PRIVACY SHIELD COMPLAINTS PROCEDURE AND ARBITRATION
In compliance with the Privacy Shield principles, KeyedIn Solutions Inc. commits to resolve complaints about our collection or use of personal information. If you want to ask something or if you have concerns about the way in which personal data is handled, please contact our Privacy Team at email@example.com. We will investigate and respond as quickly as possible.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
Where you have specific concerns about the way in which data has been handled or transferred out of the EEA or Switzerland (and we are unable to resolve those concerns), you can also contact the data protection authority in the jurisdiction where the individual is based or resides. If you are in the United Kingdom, please contact the Information Commissioner’s Office on +44 303 123 1113. Where the issue specifically relates to Privacy Shield, please contact the Information Commissioner at firstname.lastname@example.org.
You may have the option to select binding arbitration for the resolution of your complaint under certain circumstances, provided you have taken the following steps: (1) raised your complaint directly with KeyedIn Solutions Inc. and provided us the opportunity to resolve the issue; (2) made use of the independent dispute resolution mechanism identified above; and (3) raised the issue through the relevant data protection authority and allowed the US Department of Commerce an opportunity to resolve the complaint at no cost to you. For more information on binding arbitration, see the US Department of Commerce's Privacy Shield Framework website: https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint.
CHANGES TO THIS POLICY
If you have questions about our privacy or legal policies, contact us by email at email@example.com or in the US via postal mail at: 5800 W 84th Street, Suite 400, Bloomington, MN 55437 OR in the UK at: Maple House, Woodland Park, Cleckheaton, BD19 6BW.
* (29/9/2020) Privacy Policies updated to reflect change of transfer mechanism due to European Court of Justice ruling on use of Privacy Shield