Data Privacy Framework Statement

Data Privacy Framework Standards

This Data Privacy Framework Statement (the “Statement”) sets forth the privacy principles followed by Cority Software (USA) Inc., a subsidiary of Cority Software Inc. (“Cority”) in connection with the transfer and protection of “Personal Information” received from the European Union (E.U.), United Kingdom (UK) and Switzerland.

About The Data Privacy Framework

Cority complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Cority has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data transferred from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom in reliance on the UK Extension to the EU-U.S. DPF. Cority has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data transferred from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/

The Data Privacy Framework (DPF) program, which is administered by the International Trade Administration (ITA) within the U.S. Department of Commerce, enables eligible U.S.-based organizations to self-certify their compliance pursuant to the EU-U.S. DPF and, as applicable, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF. To participate in the DPF program, a U.S.-based organization is required to self-certify to the ITA via the Department’s DPF program website (i.e., this website) and publicly commit to comply with the DPF Principles. While the decision by an eligible U.S.-based organization to self-certify its compliance pursuant to and participate in the relevant part(s) of the DPF program is voluntary, effective compliance upon self-certification is compulsory. Once such an organization self-certifies to the ITA and publicly declares its commitment to adhere to the DPF Principles that commitment is enforceable under U.S. law. “Personal Information” means information that can directly or indirectly lead to the identification of a living person, such as an individual’s name, address, e-mail, telephone number, license number, medical identification number, photograph, or other identifying characteristic. The identification can occur by reference to one or more factors specific to the individual’s physical, physiological, mental, economic, cultural or social identity. Personal Information does not include information that has been anonymized, encoded or otherwise stripped of its identifiers, or information that is publicly available, unless combined with other non-public personal information.

Scope

This Statement governs Personal Information transferred from countries in the E.U., UK and Switzerland to the United States on behalf of Cority. It applies to Personal Information in electronic and off-line formats.

Third Parties

Cority will not share personally identifiable information with third parties unless stated at the time of collection and except as follows:

Cority may store customer data with third-party data centers or managed service platforms as part of Cority’s hosted software offering, but only with third parties that meet Cority’s information security standards, as evidenced by certifications for their information security management system (ISO 27001, SAS 70).

Cority or its customers may share information with affiliated entities for the purposes of providing software services. 

Cority’s corporate website contains links to other sites. Cority is not responsible for the privacy practices or the content of such third-party websites. Third party vendors, including Google, display Cority online advertisements on sites on the internet. These third-party vendors, including Google, use cookies to serve ads based on a user’s prior visits to Cority’s website. Users may opt out of Google’s use of cookies by visiting the Google advertising opt-out page. Also keep in mind that Cority’s website may make chat rooms, forums, message boards, and/or news groups available to its users. Please remember that any information that is disclosed in these areas becomes public information and you should exercise caution when deciding to disclose your personal information.

Use of Cookies

When you view one of our websites or advertisements, we may store some information on your computer. This information will be in the form of a “Cookie” or similar file and will be used to determine ways to improve our websites, advertisements, products or services. For example, Cookies allow us to tailor a website to better match your interests and preferences.

Data Privacy Framework  Principles

The following privacy principles apply to the transfer, collection, use or disclosure of Personal Information from the E.U., UK and Switzerland by Cority.

Notice

Cority informs individuals in the E.U., UK and Switzerland about the purposes for which it collects and uses their Personal Information, how to contact Cority, the types of third parties with which Cority shares their Personal Information, and the choice and means Cority offers for limiting the use and disclosure of their Personal Information.

Choice

Cority will not process Personal Information about E.U., UK or Swiss individuals for purposes other than those for which the information was originally obtained or subsequently authorized by the individual unless the individual affirmatively and explicitly consents (“opt-in”) to the processing, or unless an exception applies. Cority also provides E.U., UK and Swiss individuals with the opportunity to withdraw consent at any time (“opt-out”), in which case their Personal Information will not be further processed.

Consistent with the  DPF supplemental principles, Cority may not be in a position to furnish notice in certain limited situations. Specifically, notice is not required where the processing of E.U., UK or Swiss Personal Information is necessary to respond to a government inquiry; is required by applicable laws, court orders or government regulations; or is necessary to protect Cority’s legal interests and providing notice would interfere with those interests.

Accountability for Onward Transfers

Cority complies with the  DPF Principles for all onward transfers of personal data from the EU, UK and Switzerland, including the onward transfer liability provisions. Cority will only transfer Personal Information about E.U., UK and Swiss individuals to third-parties where the third-party (a) has provided satisfactory assurances to Cority that it will protect the information consistently with this Statement; or (b) is located in the E.U. or a country considered “adequate” for privacy by the EC, and therefore is required to comply with the E.U. data protection laws or substantially equivalent privacy laws depending upon where the Personal Information originated. Where Cority has knowledge that a third-party to whom it has provided E.U., UK or Swiss Personal Information is processing that information in a manner contrary to this Statement, Cority will take reasonable steps to prevent or stop the processing.

Security

Cority takes reasonable precautions to protect E.U., UK and Swiss Personal Information in its possession from loss, misuse, unauthorized access, disclosure, alteration and destruction.

Data Integrity and Purpose Limitation

 Cority seeks to ensure that any Personal Information held about E.U., UK and Swiss individuals is accurate, complete, current and otherwise reliable in relation to the purposes for which the information was obtained. Cority collects Personal Information that is adequate, relevant and not excessive for the purposes for which it is to be processed. E.U., UK and Swiss individuals have a responsibility to assist Cority in maintaining accurate, complete and current Personal Information about them.

Access and Correction

Upon written request to Cority, Cority will provide E.U., UK and Swiss individuals with reasonable access to their Personal Information. Cority will also take reasonable steps to allow E.U., UK and Swiss individuals to review their information for the purposes of correcting their information. There are certain limitations to the Access and Correction right, as set forth on the DPF website.

Recourse, Enforcement, and Liability

Cority has established internal mechanisms to verify its ongoing adherence to this Statement. Cority is also subject to the investigatory and enforcement powers of the US federal government, including the Federal Trade Commission (FTC). Cority also encourages individuals covered by this Statement to raise any concerns about our processing of their Personal Information by contacting the appropriate Cority officer at the address below or by contacting their local privacy officer or Legal Department. Cority will seek to resolve any concerns. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Cority commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF. 

Limitation On Scope Of Principles
Adherence to these Privacy Principles may be limited to the extent required to meet a legal, governmental, national security or public interest obligation.

Complaints, Dispute Resolution, Data Subject Requests, Arbitration and Limiting the Use and Disclosure of Personal Information

In compliance with DPF Principles, Cority Software Inc. commits to resolve complaints about our collection or use of your personal information, respond to requests made by individuals to access their personal data and limit the use and disclosure of personal data. To issue a complaint, make a request to access your personal information or otherwise limit the use and disclosure of your personal data, please contact Cority Software Inc.’s Chief Privacy Officer at:
cpo@cority.com
1 800 276 9120 x 226

If a complaint cannot be resolved through the above channel, under certain conditions, you may invoke binding arbitration, provided that notice has been delivered to Cority and following the procedures and subject to conditions set forth in Data Privacy Framework Annex I. In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Cority commits to cooperate and comply with, as applicable, the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF. 

Contact Information:

Cority Software Inc.

c/o Cority Software Inc.
250 Bloor Street East
9th Floor
Toronto, Ontario
Canada M4W 1E5

Attn: Chief Privacy Officer
1 800 276 9120 x 226

cpo@cority.com