This Data Privacy & Data Security Statement (the “Statement”) is provided by Intellum, Inc. (“Intellum”) to its Clients (each, a “Client”) and to users of Intellum’s Services affiliated with the Clients (“Users”). This Statement describes Intellum’s commitments with regard to data privacy and data security. Intellum may update this Statement from time to time. Updated versions will be published on Intellum’s website.
“Authorized Persons” means Intellum’s employees, agents, and contractors that have a need to know or otherwise access User Data to enable Intellum to provide the Services.
“Controller” means a controller as defined under the GDPR.
“Data Protection Laws” means all international, federal, national and state privacy and data protection laws and regulations to the extent applicable to Intellum and the Services.
“Data Breach” means any loss or unauthorized access, acquisition, theft, destruction, disclosure or use of User Data that occurs while such User Data is in the possession of or under the control of Intellum.
“GDPR” means the EU General Data Protection Regulation 2016/679.
“Personal Data” means information relating to an identified or identifiable natural person. An identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Process” or “Processing” means any operation or set of operations that are performed upon User Data, whether or not by automatic means, such as collection, accessing, processing, use, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination, transmittal, alignment or combination, blocking, erasure, destruction or otherwise used as set out in the applicable Data Protection Laws.
“Processor” means a processor as defined under the GDPR.
“Services” means Intellum’s services, solutions and products.
“Sub-Processor” shall mean an entity engaged by Intellum to assist it in Processing the User Data in fulfillment of its obligations with regard to the Services.
“Third Party” is any person or entity other than Intellum and Client and Client’s Users.
“User Data” means all data relating to a User that is (i) provided to Intellum by Client or User or (ii) otherwise obtained, accessed, developed, or produced by Intellum. User Data may include Personal Data.
2. Data Privacy.
2.1 Compliance with Laws. Intellum is committed to complying with its obligations under all Data Protection Laws. For purposes of the GDPR, Client is considered the Controller and Intellum is its Processor; if Client is considered a Processor for purposes of the GDPR, then Intellum is considered its Sub-Processor.
2.2 Distribution of User Data. Users should provide Intellum only with Personal Data that is requested by Intellum or that is otherwise necessary for Intellum to provide the Services. Intellum is not responsible for any other Personal Data. Client will not provide Intellum with Personal Data unless Client has obtained all required consents from Users.
2.3 Limitations on Use of Personal Data. Intellum shall not Process User Data other than for the purposes specified by Users. Intellum shall not Process User Data for the benefit of any Third Party. Intellum shall access only the User Data that it needs to perform the Services (i.e., no more than necessary). Intellum will not store User Data longer than necessary to achieve the permitted purposes specified by User.
2.4 Restrictions. Except with a User’s prior, written approval, on a case-by-case basis, Intellum will not: (a) use User Data other than as necessary for Intellum to provide the Services, (b) disclose, sell, assign, lease or otherwise provide User Data to Third Parties (other than to its affiliates or Sub-Processors) except to the extent required or permitted by Data Protection Laws, or (c) merge User Data with other data, modify or commercially exploit any User Data.
2.5 Sensitive Personal Data. Clients and Users are advised never to provide Intellum with Sensitive Personal Data. “Sensitive Personal Data” means (a) information that reveals a natural person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, (b) information or data concerning a natural person’s health or sex life or sexual orientation; or (c) genetic data or biometric data about a natural person.
3. Sub-Processors. Intellum may engage Sub-Processors in connection with the provision of the Services, provided, however, that Intellum may not provide a Sub-Processor with access to User Data unless the Sub-Processor has: (i) a business need to know / access the relevant User Data, as necessary for the purposes of the Services; (ii) signed a written obligation of confidentiality or is under professional obligations of confidentiality; and (iii) implemented technical, operational, physical, and organizational safeguards to protect User Data against accidental or unlawful destruction or alteration and unauthorized disclosure or access.
4. Data Subject Rights; Cooperation. Intellum shall use commercially reasonable efforts to cooperate and assist with a User’s exercise of his/her rights under applicable Data Protection Laws with respect to Personal Data Processed by Intellum, including, without limitation, the right to be forgotten, the right to data portability, and the right to access data under the GDPR.
5. Return or Destruction of User Data. Upon the written request of a User, Intellum will return User Data to the User in a commonly readable format or securely delete User Data as soon as reasonably practicable. However, if Intellum is required by law to retain User Data or if User Data is stored in a manner such that it cannot readily be returned or destroyed without affecting other data, then Intellum will continue to protect such User Data in accordance with this Statement and limit any use to the purposes of such retention.
6. Data Security.
6.1 Security Program Requirements. Intellum will maintain a security program that contains administrative, technical, and physical safeguards appropriate to the complexity, nature, and scope of its activities. Intellum’s security program shall be designed to protect the security and confidentiality of User Data against unlawful or accidental access to, or unauthorized processing, disclosure, destruction, damage or loss of User Data. At a minimum, Intellum’s security program shall include: (a) limiting access of User Data to Authorized Persons; (b) implementing network, application, database, and platform security; (c) means for securing information transmission, storage, and disposal within Intellum’s possession or control; (d) means for encrypting User Data stored on media within Intellum’s possession or control by using modern acceptable cyphers and key lengths, including backup media; (e) means for encrypting User Data transmitted by Intellum over public or wireless networks by using modern acceptable cyphers and key lengths; and (f) means for keeping firewalls, routers, servers, personal computers, and all other resources current with appropriate security-specific system patches.
6.2 Regular Reviews. Intellum shall ensure that its security measures are regularly reviewed and revised to address evolving threats and vulnerabilities.
7. Data Breach Procedures.
7.1 Notification. Intellum shall notify Client and any affected User of any Data Breach as soon as practicable and without undue delay after becoming aware of it. Such notification shall at a minimum: (i) describe the nature of the Data Breach, the categories and numbers of Users concerned, and the categories and numbers of Personal Data records concerned; (ii) communicate the name and contact details of Intellum's data protection officer or other relevant contact from whom more information may be obtained; and (iii) describe the measures taken or proposed to be taken to address the Data Breach.
7.2 Remedial Actions. In the event of a Data Breach for which Intellum is responsible, Intellum will use commercially reasonable efforts to: (a) remedy the Data Breach condition, investigate, document, restore the Services, and undertake required response activities; (b) provide regular status reports to Client on Data Breach response activities; (c) assist Client with the coordination of media, law enforcement, or other Data Breach notifications; and (d) assist and cooperate with Client in its Data Breach response efforts.
8. Cross-Border Transfers.
8.1 Location. Intellum systems and Intellum’s Processing of User Data will occur within the following jurisdictions: United States of America and Ireland (the “Processing Jurisdictions”). Intellum will not transfer any User Data outside of the Processing Jurisdictions except as directed by or with the consent of Client and/or User.
8.2 Sub-Processors. Before providing User Data of a European citizen to Sub-Processors, Intellum will use commercially reasonable efforts to ensure that the Sub-Processors will either be certified under the EU-US Privacy Shield or that the Sub-Processors execute EU-prescribed Standard Contractual Clauses.