Data Privacy Framework Standards
This Data Privacy Framework Statement (the “Statement”) sets forth the privacy principles followed by Cority Software (USA) Inc., a subsidiary of Cority Software Inc. (“Cority”), in connection with the transfer and protection of “Personal Information” received from the European Union (E.U.), United Kingdom (UK) and Switzerland.
About The Data Privacy Framework
The Data Privacy Framework (DPF) program, which is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables eligible U.S.-based organizations to self-certify their compliance pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF. To participate in the DPF program, a U.S.-based organization is required to self-certify to the ITA via the Department’s DPF program website (i.e., this website) and publicly commit to comply with the DPF Principles. While the decision by an eligible U.S.-based organization to self-certify its compliance pursuant to and participate in the relevant part(s) of the DPF program is voluntary, effective compliance upon self-certification is compulsory. Once such an organization self-certifies to the ITA and publicly declares its commitment to adhere to the DPF Principles, that commitment is enforceable under U.S. law.
“Personal Information” means information that can directly or indirectly lead to the identification of a living person, such as an individual’s name, address, e-mail, telephone number, license number, medical identification number, photograph, or other identifying characteristic. The identification can occur by reference to one or more factors specific to the individual’s physical, physiological, mental, economic, cultural or social identity. Personal Information does not include information that has been anonymized, encoded or otherwise stripped of its identifiers, or information that is publicly available, unless combined with other non-public personal information.
This Statement governs Personal Information transferred from countries in the E.U., UK and Switzerland to the United States on behalf of Cority. It applies to Personal Information in electronic and off-line formats.
Cority will not share personally identifiable information with third parties unless stated at the time of collection and except as follows:
Cority may store customer data with third-party data centers or managed service platforms as part of Cority’s hosted software offering, but only with third parties that meet Cority’s information security standards, as evidenced by certifications for their information security management system (ISO 27001, SAS 70).
Cority or its customers may share information with affiliated entities for the purposes of providing software services.
When you view one of our websites or advertisements, we may store some information on your computer. This information will be in the form of a “Cookie” or similar file and will be used to determine ways to improve our websites, advertisements, products or services. For example, Cookies allow us to tailor a website to better match your interests and preferences.
Data Privacy Framework Principles
The following privacy principles apply to the transfer, collection, use or disclosure of Personal Information from the E.U., UK and Switzerland by Cority.
Cority informs individuals in the E.U., UK and Switzerland about the purposes for which it collects and uses their Personal Information, how to contact Cority, the types of third parties with which Cority shares their Personal Information, and the choice and means Cority offers for limiting the use and disclosure of their Personal Information.
Cority will not process Personal Information about E.U., UK or Swiss individuals for purposes other than those for which the information was originally obtained or subsequently authorized by the individual unless the individual affirmatively and explicitly consents (“opt-in”) to the processing, or unless an exception applies. Cority also provides E.U., UK and Swiss individuals with the opportunity to withdraw consent at any time (“opt-out”), in which case their Personal Information will not be further processed.
Consistent with the DPF supplemental principles, Cority may not be in a position to furnish notice in certain limited situations. Specifically, notice is not required where the processing of E.U., UK or Swiss Personal Information is necessary to respond to a government inquiry; is required by applicable laws, court orders or government regulations; or is necessary to protect Cority’s legal interests and providing notice would interfere with those interests.
Accountability for Onward Transfers
Cority complies with the DPF Principles for all onward transfers of personal data from the EU, UK and Switzerland, including the onward transfer liability provisions. Cority will only transfer Personal Information about E.U., UK and Swiss individuals to third parties where the third party (a) has provided satisfactory assurances to Cority that it will protect the information consistently with this Statement; or (b) is located in the E.U. or a country considered “adequate” for privacy by the EC, and therefore is required to comply with the E.U. data protection laws or substantially equivalent privacy laws depending upon where the Personal Information originated. Where Cority has knowledge that a third party to whom it has provided E.U., UK or Swiss Personal Information is processing that information in a manner contrary to this Statement, Cority will take reasonable steps to prevent or stop the processing.
Cority takes reasonable precautions to protect E.U., UK and Swiss Personal Information in its possession from loss, misuse, unauthorized access, disclosure, alteration and destruction.
Data Integrity and Purpose Limitation
Cority seeks to ensure that any Personal Information held about E.U., UK and Swiss individuals is accurate, complete, current and otherwise reliable in relation to the purposes for which the information was obtained. Cority collects Personal Information that is adequate, relevant and not excessive for the purposes for which it is to be processed. E.U., UK and Swiss individuals have a responsibility to assist Cority in maintaining accurate, complete and current Personal Information about them.
Access and Correction
Upon written request to Cority, Cority will provide E.U., UK and Swiss individuals with reasonable access to their Personal Information. Cority will also take reasonable steps to allow E.U., UK and Swiss individuals to review their information for the purposes of correcting their information. There are certain limitations to the Access and Correction right, as set forth on the DPF website.
Recourse, Enforcement, and Liability
Cority has established internal mechanisms to verify its ongoing adherence to this Statement. Cority is also subject to the investigatory and enforcement powers of the US federal government, including the Federal Trade Commission (FTC). Cority also encourages individuals covered by this Statement to raise any concerns about our processing of their Personal Information by contacting the appropriate Cority officer at the address below or by contacting their local privacy officer or Legal Department. Cority will seek to resolve any concerns. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Cority commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.
Limitation On Scope Of Principles
Adherence to these Privacy Principles may be limited to the extent required to meet a legal, governmental, national security or public interest obligation.
Complaints, Dispute Resolution, Data Subject Requests, Arbitration and Limiting the Use and Disclosure of Personal Information
In compliance with DPF Principles, Cority Software Inc. commits to resolve complaints about our collection or use of your personal information, respond to requests made by individuals to access their personal data and limit the use and disclosure of personal data. To issue a complaint, make a request to access your personal information or otherwise limit the use and disclosure of your personal data, please contact Cority Software Inc.’s Chief Privacy Officer at:
1 800 276 9120 x 226
If a complaint cannot be resolved through the above channel, under certain conditions, you may invoke binding arbitration, provided that notice has been delivered to Cority and following the procedures and subject to conditions set forth in Data Privacy Framework Annex I. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Cority commits to cooperate and comply with, as applicable, the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.
Cority Software Inc.
c/o Cority Software Inc.
250 Bloor Street East
Canada M4W 1E5
Attn: Chief Privacy Officer
1 800 276 9120 x 226