Cloudreach, Inc (“Cloudreach”) complies with the EU‑U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework set forth by the United States Department of Commerce with respect to the collection, use and retention of Personal Data transferred from the European Economic Area (“EEA”) and Switzerland to the United States as further described in the Scope section below. Cloudreach has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view Cloudreach’s certification, please visit https://www.privacyshield.gov/.

Scope. Cloudreach commits to comply with the Privacy Shield Principles with respect to the Personal Data that we receive from our Customers and prospective Customers in the EEA and Switzerland in connection with software-enabled cloud services supporting Customers’ use of certain public cloud platforms, including professional services and cloud operations managed services. In this policy, these services are collectively referred to as the “Services.”

 

Definitions. For the purposes of this policy:

 

“Customer” means any entity that purchases the Services.

“Customer Data” means any and all data which is provided by or on behalf of Customer to Cloudreach or which is otherwise processed by Cloudreach as a result of or in connection with the provision of the Services.

“Personal Data” means any information, including Sensitive Data, that is (i) about an identified or identifiable individual and (ii) received by Cloudreach in the U.S. from the EEA or Switzerland in connection with the Services.

“Sensitive Data” means Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, the commission or alleged commission of any offense, any proceedings for any offense committed or alleged to have been committed by the individual or the disposal of such proceedings, or the sentence of any court in such proceedings.

 

Types of Personal Data processed. Cloudreach processes Customer Data, including any Personal Data contained therein, at the direction of and pursuant to the instructions of our Customers. In particular, Cloudreach processes several types of Personal Data obtained from our Customers as necessary to provide our Services, including: names, email addresses, telephone numbers, cloud provider access credentials, work IP addresses and potentially additional Personal Data depending on the content of Customer databases, file shares and/or data repository accessible to Cloudreach.

 

Cloudreach also collects general information about its Customers for billing and contracting purposes (“General Information”).

 

In addition, Cloudreach collects Personal Data on website visitors and commercial prospects as described in our website visitors and commercial prospects privacy notice located here.

 

Purpose of collection and use. Cloudreach may use Personal Data provided by our Customers as necessary to provide our Services and to carry out our contractual obligations to our Customers. Cloudreach also obtains General Information in connection with providing the Services and maintaining its relationships with its Customers.

 

Cloudreach use Personal Data collected on website visitors and commercial prospects to send them content, event information and messages regarding our products and services, to contact them to discuss opportunities and to use data analytics to improve our website, products/services, marketing, customer relationships and experiences.

 

Third party disclosures. We may disclose Customer Personal Data:

  • to Cloudreach affiliates under an inter-company data processing agreement (in accordance with the standards of the EU Data Protection Directive);
  • to third-party service providers engaged to assist us in providing our Services to our Customers. These third parties may access, process, or store personal data in the course of providing their services. Cloudreach performs due diligence on the information security practices and data protection compliance of all these third parties and maintains contracts with them restricting their access, use and disclosure of personal data in compliance with the Privacy Shield obligations, including the onward transfer provisions;
  • in the event Cloudreach sells or transfers all or a portion of its business or assets (including in the event of a merger, acquisition, joint venture, reorganization, dissolution or liquidation), in which case Personal Data held by us about our Customers will be among the assets transferred to the buyer or acquirer;
  • if required to do so by law or legal process;
  • in response to lawful requests from public authorities, including to meet national security, public interest or law enforcement requirements.

 

Liability for onward transfers. Cloudreach complies with the Privacy Shield’s Principle regarding accountability for onward transfers. Cloudreach remains liable under the Privacy Shield Principles if its onward transfer recipients process Personal Data in a manner inconsistent with the Privacy Shield Principles, unless Cloudreach proves that it was not responsible for the event giving rise to the damage.

 

Access. Individuals in the EEA and Switzerland have rights to access their Personal Data and to limit use and disclosure of their Personal Data. As an agent processing Personal Data on behalf of its Customers, Cloudreach does not own or control the Personal Data that it processes on behalf of its Customers and might not have a direct relationship with the individuals whose Personal Data may be processed in connection with providing the Services. Individuals should therefore contact the applicable Customer administrator with any inquiries about how to access or correct Personal Data contained in Customer Data. To the extent that an individual makes an access or correction request to Cloudreach, we will refer the request to the appropriate Cloudreach Customer and will support such Customer as needed in responding to any request.To access or correct any General Information or Personal Data that Customer has provided, the Customer should contact their Cloudreach account representative directly or by using the contact information indicated below.

 

Choice. In accordance with the Privacy Shield Principles, Cloudreach will offer Customers choice to the extent it uses their Personal Data for a purpose that is materially different from the purposes for which the Personal Data was originally collected or subsequently authorized by the Customer. To the extent required by the Privacy Shield Principles, Cloudreach also will obtain opt‑in consent if it engages in certain uses or disclosures of Sensitive Data. Unless Cloudreach offers Customers an appropriate choice, Cloudreach uses Personal Data only for purposes that are materially the same as those indicated in this Policy.

 

Inquiries and complaints. In compliance with the Privacy Shield Principles, Cloudreach commits to resolve complaints about our collection or use of your personal information. European Union and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact dpo@cloudreach.com. Cloudreach shall respond within 45 days. Cloudreach has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please contact or visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint.  The services of JAMS are provided at no cost to you. You may have the option to select binding arbitration under the Privacy Shield Panel for the resolution of your complaint under certain circumstances. For further information, please see the Privacy Shield website.

 

Enforcement authority. The Federal Trade Commission has jurisdiction over Cloudreach’s compliance with the Privacy Shield.

 

Changes to this policy. We reserve the right to amend this policy from time to time consistent with the Privacy Shield’s requirements.

 

Effective as of November 19th, 2018

Last modified: November 19th, 2018