SERVICES AND PLATFORM CUSTOMER PRIVACY POLICY

This Essentium Services and Platform Customer Privacy Policy (“Services Privacy Policy”) is organized into three sections:

I. Services Personal Information Data Processing Terms

Describes the privacy and security practices that Essentium, Inc. and its affiliates (“Essentium”) employ when handling Services Personal Information (Customer Data on Essentium’s products), as defined below for the provision of Technical Support, Consulting, Cloud or other services (the “Services”) provided to Essentium customers (“You” or “Your”) during the term of Your order for Services.

Personal Information might be personal information that is provided by You, resides on Essentium’s platform, customer or third-party systems and environments, and is processed by Essentium on Your behalf in order to perform the Services. Services Personal Information may include, depending on the Services: information concerning family, lifestyle and social circumstances; employment details; financial details; online identifiers such as mobile device IDs and IP addresses, and first party online behavior and interest data. Services Personal Information may relate to Your representatives and end users, such as Your employees, job applicants, contractors, collaborators, partners, suppliers, customers and clients.

II. Systems and Platforms Operations Data Processing Terms

Describes the privacy and security practices that apply to personal information that may be incidentally contained in Systems and Platform Operation Data that is generated by the interaction of end users of our Services and Platform(s) (“Users”) with the Essentium systems and platforms network connections used to examine, inspect, safeguard and deliver Services to our customer base.

Systems and Platforms Operations Data may include log files, event files, and other trace and diagnostic files, as well as statistical and aggregated information that relates to the use and operation of our Services, and the systems, platforms and networks these Services run on.

III. Communications and Notifications to Customers and Users

Applies to both Services Personal Information and personal information contained in Systems and Platforms Operations Data, describes how Essentium handles legally required disclosure requests, and informs You and Users how to communicate with Essentium’s Global Data Protection Officer or file a complaint.

The definitions of Services Personal Information and Systems and Platforms Operations Data do not include Your or User contact and related information collected from the use of Essentium websites, or Your or User interactions with us during the contracting process.

Essentium’s handling of this information is subject to the terms of the General Essentium Privacy Policy.

Essentium treats all Services Personal Information in accordance with the terms of Sections I and III of this Policy and Your order for Services.

In the event of any conflict between the terms of this Services and Platform Privacy Policy and any privacy terms incorporated into Your order for Services, including an Essentium Data Processing Agreement, the relevant privacy terms of Your order for Services shall take precedence.

I. SERVICES PERSONAL INFORMATION DATA PROCESSING TERMS

1.  Performance of the Services:

Essentium may process Services Personal Information for the processing activities necessary to perform the Services, including for testing and applying new product or system versions, patches, updates and upgrades, and resolving bugs and other issues You have reported to Essentium.

2. Customer Instructions

You are the controller of the Services Personal Information processed by Essentium to perform the Services. Essentium will process your Services Personal Information as specified in Your Services order and Your documented additional written instructions to the extent necessary for Essentium to (i) comply with its processor obligations under applicable data protection law or (ii) assist You to comply with Your controller obligations under applicable data protection law relevant to Your use of the Services. Essentium will promptly inform You if, in our reasonable opinion, Your instruction infringes applicable data protection law. Additional fees may apply.

3. Rights of Individuals

You control access to Your Services Personal Information by Your end users, and Your end users should direct any requests related to their Services Personal Information to You. To the extent such access is not available to You, Essentium will provide reasonable assistance with requests from individuals to access, delete or erase, restrict, rectify, receive and transmit, block access to or object to processing of Services Personal Information on Essentium systems & platforms.

4. Security and Confidentiality

Essentium has implemented and will maintain technical and organizational measures designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Services Personal Information. These measures, which are generally aligned with the ISO/IEC 27001:2013 standard, govern all areas of security applicable to the Services, including physical access, system access, data access, transmission, input, security oversight, and enforcement.

Essentium employees are required to maintain the confidentiality of personal information. Employees’ obligations include written confidentiality agreements, regular training on information protection, and compliance with company policies concerning protection of confidential information. Specific security measures that apply to the Services are set out in Essentium’s security practices for these Services, including regarding data retention and deletion.

5. Incident Management and Data Breach Notification

Essentium promptly evaluates and responds to incidents that create suspicion of or indicate unauthorized access to or handling of Services Personal Information.

If Essentium becomes aware and determines that an incident involving Services Personal Information qualifies as a breach of security leading to the misappropriation or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Services Personal Information transmitted, stored or otherwise processed on Essentium systems that compromises the security, confidentiality or integrity of such Services Personal Information, Essentium will report such breach to You without undue delay.

As information regarding the breach is collected or otherwise reasonably becomes available to Essentium and to the extent permitted by law, Essentium will provide You with additional relevant information concerning the breach reasonably known or available to Essentium.

6. Subprocessors

To the extent Essentium engages third-party subprocessors to have access to Services Personal Information in order to assist in the provision of Services, such subprocessors shall be subject to the same level of data protection and security as Essentium under the terms of Your order for Services. Essentium is responsible for its subprocessors’ compliance with the terms of Your order for Services.

7. Cross-Border Data Transfers

Essentium may transfer, access and store Services Personal Data globally as necessary to perform the Services.

To the extent such global access involves a transfer of Services Personal Information originating from the European Economic Area and the United Kingdom (“EEA”) and/or Switzerland to Essentium affiliates or third-party subprocessors located in countries outside the EEA or Switzerland that have not received a binding adequacy decision by the European Commission or by a competent national EEA data protection authority, such transfers are subject to binding and appropriate transfer mechanisms that provide an adequate level of protection in compliance with applicable data protection law, such as EU Model Clauses.

8. Dispute Resolution 

Essentium complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and the retention of personal information transferred from the European Union to the United States. Essentium has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit: https://www.privacyshield.gov/.

In compliance with the Privacy Shield Principles, Essentium commits to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Essentium at Privacy@Essentium.com.

Within the scope of this privacy notice, if a privacy complaint or dispute cannot be resolved through Essentium, Inc.’s internal processes, Essentium, Inc. has agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure. Subject to the terms of the VeraSafe Privacy Shield Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe under the Privacy Shield Dispute Resolution Procedure, please submit the required information to VeraSafe here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute.

Essentium commits to cooperate with EU data protection authorities (DPAs) and comply with the advice given by such authorities with regard to human resources data transferred from the EU in the context of the employment relationship. 

9. Audit Rights

To the extent provided in your order for Services, You may at Your sole expense audit Essentium’s compliance with the terms of this Services Privacy Policy by sending Essentium a written request, including a detailed audit plan, at eight six weeks in advance of the proposed audit date. You and Essentium will work cooperatively to agree on a final audit plan.

The audit shall be conducted no more than once during a twelve-month period, during regular business hours, subject to Essentium’s on-site policies and regulations, and may not unreasonably interfere with business activities. If You would like to use a third party to conduct the audit, the third-party auditor shall be mutually agreed to by the parties and the third-party auditor must execute a written confidentiality agreement acceptable to Essentium. Upon completion of the audit, You will provide Essentium with a copy of the audit report, which is classified as confidential information under the terms of Your agreement with Essentium.

Essentium will contribute to such audits by providing You with the information and assistance reasonably necessary to conduct the audit, including any relevant records of processing activities applicable to the Services. You agree to accept the findings presented in the third-party audit report in lieu of requesting an audit of the same controls covered by the report. Additional audit terms may be included in Your order for Services.

10. Deletion or Return of Services Personal Information

Except as otherwise specified in an order for services or required by law, upon termination of services or at your request, Essentium will delete Your production customer data located on Essentium computers in a manner designed to ensure that they cannot reasonably be accessed or read, unless there is a legal obligation imposed on Essentium preventing it from deleting all or part of the data. You may consult with your Essentium services contact for additional information on data deletion prior to service completion.

II. SYSTEMS AND PLATFORMS OPERATIONS DATA PROCESSING TERMS

1.  Responsibility and Purposes for Processing Personal Information

Essentium, Inc. and its affiliated entities are responsible for processing personal information that may be incidentally contained in Systems Operations Data in accordance with Sections II and III of this Policy.

We may collect or generate Systems Operations Data for the following purposes:

  • to help keep our Services secure, including for security monitoring and identity management;
  • to investigate and prevent potential fraud or illegal activities involving our systems and networks, including to prevent cyber-attacks and to detect bots;
  • to administer our back-up disaster recovery plans and policies;
  • to confirm compliance with licensing and other terms of use (license compliance monitoring);
  • for research and development purposes, including to analyze, develop, improve and optimize our Services;
  • to comply with applicable laws and regulations and to operate our business, including to comply with legally mandated reporting, disclosure or other legal process requests, for mergers and acquisitions, finance and accounting, archiving and insurance purposes, legal and business consulting and in the context of dispute resolution.

For personal information contained in Systems & Platforms Operations Data collected in the EU, our legal basis for processing such information is our legitimate interest in performing, maintaining and securing our products and services and operating our business in an efficient and appropriate manner. Personal information may also be processed based on our legal obligations or legitimate interest to comply with such legal obligations.

2.  Sharing Personal Information

Personal information contained in Systems and Platforms Operations Data may be shared throughout Essentium’s global organization. We may also share such personal information with the following third parties:

  • third-party service providers (for example IT service providers, lawyers and auditors) in order for those service providers to perform business functions on behalf of Essentium;
  • relevant third parties in the event of a reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings);
  • as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to government requests, including public and government authorities outside your country of residence, for national security and/or law enforcement purposes.

When third parties are given access to personal information contained in Systems & Platforms Operations Data, we will take the appropriate contractual, technical and organizational measures to ensure, for example, that personal information is only processed to the extent that such processing is necessary, consistent with this Privacy Policy and in accordance with applicable law.

3.  Cross-Border Data Transfers

If personal information contained in Systems & Platforms Operations Data is transferred to an Essentium recipient in a country that does not provide an adequate level of protection for personal information, Essentium will take measures designed to adequately protect information about Users, such as ensuring that such transfers are subject to the terms of the EU Model Clauses.

4.  Security

Essentium has implemented appropriate technical, physical and organizational measures in accordance with the Essentium, Inc. Security Practices designed to protect personal information against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorized disclosure or access as well as all other forms of unlawful processing (including but not limited to unnecessary collection) or further processing.

5.  User Choices

To the extent provided under applicable laws, Users may request to access, correct, update or delete personal information contained in Systems and Platforms Operations Data in certain cases, or otherwise exercise their choices with regard to their personal information by contacting: Privacy@Essentium.com.

III. COMMUNICATIONS AND NOTIFICATIONS TO CUSTOMERS AND USERS

1.  Legal Requirements

Essentium may be required to provide access to Services Personal Information and to personal information contained in Systems & Platforms Operations Data as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, protect Your or a User’s safety or the safety of others, investigate fraud, or respond to government requests, including public and government authorities outside Your or a User’s country of residence, for national security and/or law enforcement purposes.

Essentium will promptly inform You of requests to provide access to Services Personal Information, unless otherwise required by law.

2.  Global Data Protection Officer

Essentium has appointed a Data Protection Officer. If You or a User believe that personal information has been used in a way that is not consistent with this Privacy Policy, or if You or a User have further questions, comments or suggestions related to Essentium’s handling of Services Personal Information or personal information contained in Systems Operations Data, please contact the Data Protection Officer by contacting: Privacy@Essentium.com.

Written inquiries to the Data Protection Officer may be addressed to:

Essentium, Inc.

19025 N. Heatherwilde Boulevard

Suite 100

Pflugerville, TX 78660, United States of America

3. Dispute Resolution or Filing a Complaint

If You or a User have any complaints regarding our compliance with our privacy and security practices, please contact us first. We will investigate and attempt to resolve any complaints and disputes regarding our privacy practices.

Users that have an unresolved privacy or data use concern that we have not addressed satisfactorily can contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

Under certain conditions, specified on the Privacy Shield website, Users may invoke binding arbitration when other dispute resolution procedures have been exhausted. Users also have the right to file a complaint with a competent data protection authority if they are a resident of a European Union member state.

4.  Changes to This Services Privacy Policy

This Privacy Policy was last updated on July 5, 2019. However, the Services and Platforms Privacy Policy can change over time, for example to comply with legal requirements or to meet changing business needs. The most up-to-date version can be found on this webpage. In cases of material changes, we will also inform You in another appropriate way (for example via a pop-up notice or statement of changes on our website) prior to the changes becoming effective.

Notice

Where Essentium collects Personal Information directly from our clients’ customers in the EEA and Switzerland, it will inform those individuals about the purposes for which it collects and uses Personal Information about them; the types or identity of third parties acting as controllers to which Essentium discloses that information and the purposes for which it does so; the choices and means Essentium offers individuals for limiting the use and disclosure of their Personal Information; and the right of individuals to access their personal data. Notice will be provided in clear and conspicuous language when individuals are first asked to provide Personal Information to Essentium, or as soon as practicable thereafter, and in any event before Essentium uses the information for a purpose other than that for which it was originally collected or discloses it for the first time to a third party.

Notice

As stated in our Privacy Policy, Your personal information is kept strictly confidential and will not be shared or sold to third parties except as necessary to deliver our services. In the event that Essentium will need to share information outside of our normal services, we will offer individuals the opportunity to choose (opt-out) whether their Personal Information is (a) to be disclosed to a third party acting as a controller, or (b) to be used for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive personal information, Essentium will give individuals the opportunity to affirmatively and explicitly consent (opt-in) to the disclosure of their Sensitive Personal Information to (a) a third party acting as a controller or (b) the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. Essentium will provide individuals reasonable (especially clear and conspicuous, readily available) mechanisms to exercise their choices.

Essentium is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

Onward Transfer Liability

In cases of onward transfer to third parties of Your personal data, Essentium is potentially liable. In particular, Essentium remains responsible and liable if third-party agents that it engages to process the personal data on its behalf do so in a manner inconsistent with its principles, unless Essentium proves that it is not responsible for the event giving rise to the damage.
