Service Privacy Policy

Updated: March 7, 2018

1 DEFINITIONS

1.1 “Data Incident” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data according to Data Protection Laws.

1.2 “Data Protection Laws” means the laws and regulations applicable to Us.

1.3 “Data Subject” means the natural person who is identified by the Personal Data.

1.4 “Data Subject Request” means the Data Subject's request for its rights regarding information and access to its Personal Data pursuant to the Data Protection Laws.

1.5 “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, for example by a name, an identification number, or location data.

1.6 “Policy” means this Teleopti Service Privacy Policy.

1.7 “Processing” or “to Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.8 “Sub-processor” means any Processor engaged by Us or a member of the Teleopti Group to Process Personal Data on behalf of You.

1.9 “Supervisory Authority” means any public body under the Data Protection Laws that has the authority to impose legal sanctions on either of us.

1.10 “Your Privacy Laws” means any law or regulation concerning data protection and privacy applicable to You.

2 DATA PROCESSING

2.1 Scope

2.1.1 We agree to comply with and abide by the Data Protection Laws and You shall comply with and abide by Your Privacy Laws.

2.1.2 This Policy is agreed upon on behalf of and for the benefit of You and Your Affiliates. Where a Policy reference is made to You, this shall also mean any of Your Affiliates. We are entitled to enforce this Policy on behalf of Us and also on behalf of any of Our Affiliates. Furthermore, Your Affiliates are entitled to enforce this Policy as if Your Affiliate was a party to this Policy. As a consequence of this, You shall also ensure that all Your Affiliates shall abide by the obligations of You pursuant to this Policy, and You shall, for any of Your Affiliates’ breaches of any obligations pursuant to this Policy, be liable as if such breaches were those of You.

2.1.3 You shall remain responsible for coordinating all communication with Us under this Policy and be entitled to make and receive any communication in relation to this Policy on behalf of Your Affiliates.

2.2 Your Obligations

2.2.1 You shall in Your use of the Services, Process Personal Data in accordance with the requirements of Your Privacy Laws. For the avoidance of doubt, Your instructions to Us for the Processing of Personal Data, if any, shall comply with Your Privacy Laws and You shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which You acquired Personal Data.

2.2.2 You may submit Personal Data to the Services, the extent of which is determined and controlled by You in Your sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects: (i) Your employees, agents, advisors and freelancers (who are natural persons), (ii) employees of Your business partners and vendors, and (iii) Users.

2.2.3 The type of Personal Data You and Your Affiliates can store and use in the Service, may include, but is not limited to the following categories of Personal Data: (i) Employee ID or another identifier, (ii) first and last name, (iii) title, position, and organizational belonging, (iv) competence, (v) data related to scheduling and reporting, and (vi) contact information (company, email, phone, physical business address).

2.2.4 The Services offer flexibility as to what type of Personal Data You and Your Affiliates can store and use in the Service and instruct Us to process in the Services. If Your use of Personal Data is likely to pose a high risk to the privacy and integrity of a person, for example use of sensitive Personal Data, it is Your obligation to make a balanced decision for what purpose and which legal grounds You have for such Processing. It is Your obligation to ensure that the use of Personal Data does not violate Your Privacy Laws or any other legal or ethical rules applicable to You and We shall have no liability for Your decision in this context.

2.3 Our Obligations

2.3.1 We shall only Process Personal Data as necessary to supply, maintain and support the Services, and the Processing shall be on behalf of and in accordance with Your documented instructions, if any, for the following purposes: (i) Processing in accordance with the Agreement; (ii) Processing initiated by Users in their use of the Services; and (iii) Processing to comply with other documented reasonable written instructions provided by You (e.g., via email) where such instructions are consistent with the terms of the Agreement. The duration of the Processing will be for the duration of the Agreement.

2.3.2 All Processing of Personal Data pursuant to this Policy shall be subject to the Non-Disclosure provisions of the Agreement.

3 OUR PERSONNEL

3.1 We will ensure that Our personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. We will also ensure that such confidentiality obligations survive the termination of the personnel engagement.

3.2 We will take commercially reasonable steps to ensure the reliability of any of Our personnel engaged in the Processing of Personal Data and that Our access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.

4 SECURITY

4.1 We have implemented and will continue to improve and implement appropriate technical and organizational security measures to protect the Personal Data in accordance with the provisions of the Agreement and Data Protection Laws.

4.2 You confirm that the security measures, as described in the Teleopti Information Security Overview, meet Your obligations under Your Privacy Laws for the actual Processing of the Personal Data performed through the Services.

5 CHANGE REQUESTS

5.1 Any request made by You for change to the instructions You have given to Us for the Processing of Personal Data or request for change in Our security measures described in Section 4, “Security” above due to changes in Your Privacy Laws or otherwise, shall be made by You in writing and will require the written consent by Us. We shall have the right to a reasonable compensation for the cost of such changes.

5.2 If We inform You that We cannot meet Your amended instructions or request for change and if such amended instructions were reasonably requested by You to ensure compliance with Your Privacy Laws, You shall be entitled to terminate the Agreement for the affected Service in writing with a notice period of at least 30 and at most 60 days. We will reimburse any pre-paid fees after the expiration of the notice period.

6 DATA INCIDENT MANAGEMENT, NOTIFICATION AND ASSISTANCE

6.1 We will maintain adequate procedures designed to detect and respond to any Data Incident, including procedures for preventive and corrective actions, and also to avoid recurrence of any Data Incident. These procedures shall be established by Us in such a manner that We can meet the requirements of the Data Protection Laws. However, We will also strive to ensure that You will be able to meet any notification and documentation requirements in relation to data incidents under Your Privacy Laws provided You notify Us in writing of such requirements.

6.2 Upon discovery or reasonable suspicion of a Data Incident, We will take adequate recovery measures. Furthermore, We will provide reasonable or requested feedback to You and provide effective support to You and (possibly) affected Data Subjects. The feedback and support should include at least:

6.2.1 a description of the nature and the scope of the Data Incident, including an estimation of the number of Data Subjects (possibly) affected, an indication of the types of Personal Data concerned and whether or not such Personal Data are (appropriately) encrypted or otherwise secured or made unintelligible or inaccessible;

6.2.2 a description of the anticipated consequences of the Data Incident;

6.2.3 a description of the preventive and corrective measures taken and to be taken, planned and recommended to minimize possible harm, and the expected resolution and work-around time.

6.3 We will implement appropriate technical and organizational measures to assist You in the fulfillment of any Data Subject Request. Our obligations in this respect shall apply only to the extent possible and to the extent that the nature of the Processing requires according to Data Protection Laws. With respect to any technical and organizational requirements under Your Privacy Laws, We will strive to comply with such requirements provided You notify Us in writing of such requirements.

6.4 Upon Your request, and in addition to the provisions of Section 4, “Security”, We will provide You with reasonable cooperation and assistance needed to fulfil Your obligations under Your Privacy Laws to carry out any risk assessment related to Your use of Personal Data in the Services, to the extent You do not otherwise have access to the relevant information, and to the extent such information is available to Us.

6.5 We shall be entitled to reasonable compensation for the assistance provided by Us to You in accordance with the activities described in this Section 6.

7 SUB-PROCESSING

7.1 Appointment of Sub-processors. You acknowledge and agree that Our Affiliates may be retained as Sub-processors; and We and Our Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. The Sub-processors engaged by Us with Your consent at the execution of the Agreement, the location of the Sub-processor and a description of the Processing carried out by the Sub-processor will be: (i) specified in Your Order for the Agreement or (ii) notified by Us through email to You.

7.2 Sub-Processors Protective Terms. We or Our Affiliates have entered into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this Policy with respect to the protection of Personal Data to the extent applicable to the nature of the Services provided by such Sub-processor. We will ensure that Our Sub-processors have an adequate level of protection and that appropriate safeguards have been put in place fulfilling the requirements of the Data Protection Laws. To the extent that the selected legal ground for processing is declared invalid by a competent court or authority, We will cooperate with You in finding an alternative legal ground for the adequate protection of the Personal Data Processed under the Services.

7.3 General Consent to New Sub-processors. You hereby give Us a general consent to engage Sub-processors for Processing of Personal Data on behalf of You. Our Sub-processors are listed below in Section 12, “Sub-processors”. We will inform You before transferring any Personal Data to a new Sub-processor. Following receipt of such information You shall notify Us if You object to the new Sub-processor. If You do not object to the Sub-processor within 30 days of receiving the information, You shall be deemed to have accepted the Sub-processor. If You have raised a reasonable objection to the new Sub-processor, You shall be entitled to, within 30 days from receiving notice of information of a new Sub-processor, terminate the Agreement with a 30 days’ notice period. During the termination period, We are not allowed to transfer any Personal Data to the Sub-processor. If the Agreement has not been terminated by You within 30 days from receiving notice of the information of the new Sub-processor, Personal Data may be transferred to the new Sub-processor.

7.4 Liability for Sub-processors. We will enter into appropriate written agreements with all Our Sub-processors on terms which in all material respects correspond to the obligations as set out in this Policy. We will remain fully liable to You for the performance or non-performance of the Sub-processor’s obligations, subject to Section 10, “Liability and Limitation of Liability” of the Agreement.

8 DISCLOSURE OF PERSONAL DATA

8.1 We will not disclose Personal Data covered by this Policy to a Data Subject or third party, unless required by Data Protection Laws. In cases where We must disclose such information due to law, court order or governmental order, We shall notify You, unless prohibited by Data Protection Laws.

8.2 We will promptly notify You if We receive a Data Subject Request.

8.3 We and Our representatives are obliged to cooperate with the Data Protection Authority under the Data Protection Laws in the case of enforcement measures, if requested by such Data Protection Authority. We undertake to notify You without delay of requests from such Data Protection Authority or any other regulatory authority that specifically relate to the Processing of Personal Data under this Policy. We shall not be entitled to represent You or act on behalf of You in such requests. We will be entitled to reasonable compensation for such requested cooperation, which specifically relates to the Processing of Your Personal Data and which is not a consequence of the breach of Our obligations for the Processing of Personal Data pursuant to this Policy.

9 SECURITY REPORTS AND AUDIT

9.1 Upon Your request, and subject to the confidentiality obligations set forth in the Agreement, We will make available to You, or a third party appointed by You that is not a competitor of Us, or Your independent, third-party auditor, information regarding Our compliance with the obligations set forth in this Policy, as described in the then current Teleopti Information Security Overview.

9.2 You may contact Us to request an on-site audit of the architecture, systems and procedures relevant to the protection of Personal Data at locations where Personal Data is stored. However, You acknowledge and agree that certain of Our Sub-processors might have internal restrictions that will not allow such an audit.

9.3 Before the commencement of any such on-site audit, We shall mutually agree upon the scope, timing, and duration of the audit and You shall promptly notify Us with information regarding any non-compliance discovered during an audit.

9.4 You shall reimburse the Teleopti Group for any time expended by the Teleopti Group or its third-party Sub-processors for any such on-site audit.

10 COMPENSATION

In addition to what is stated above in this Policy We shall have the right to claim compensation for any written requests from You unless such request falls within the obligations of Us pursuant to the Services to be performed under the Agreement.

11 LIABILITY AND LIMITATION OF LIABILITY

11.1 If We Process Personal Data in breach of Your lawful instructions or Data Protection Laws, We shall indemnify and hold You harmless for any loss, cost or damage, including but not limited to claims by a Data Subject and financial penalties imposed by any Supervisory Authority or other competent authority, due to Our (or Our Sub-processors’) Processing of Personal Data.

11.2 If You Process Personal Data in breach of this Policy or Your Privacy Laws, You shall indemnify and hold Us harmless for any loss, cost or damage, including but not limited to claims by a Data Subject, financial penalties imposed by any Supervisory Authority or other competent authority, due to Your Processing of Personal Data.

11.3 In case of claims by a Data Subject or financial penalties imposed by any Supervisory Authority or other competent authority, each party shall: (a) notify the other party promptly in writing of any such potential or pending claims or penalties; (b) use reasonable endeavors to reduce or avoid such claims or penalties; (c) allow the other party to comment on any response, settlement, defense or appeal in relation to such claim; and (d) to a reasonable extent provide the other party with information in relation to the same.

11.4 Both Your and Our, and Our Affiliates’ liability arising out of or related to this Policy shall be regulated under section 10, “Limitation of Liability” of the Agreement.

11.5 For the avoidance of doubt, We and Our Affiliates’ total liability for all claims from You and all Your Affiliates arising out of or related to this Policy shall apply in the aggregate for all claims under both the Agreement and this Policy and shall not be understood to apply individually and severally to You and/or to any of Your Affiliates.

12 SUB-PROCESSORS

12.1 We use the following Sub-processors:

| Sub-processor | Description of the provided services and Processing activities |
| --- | --- |
| Teleopti Inc. (US) | Support and Maintenance |
| Teleopti China Co. Ltd (China) | Support and Maintenance |
| Teleopti AB (Sweden) | Support and Maintenance |
| Microsoft Ireland Operations Ltd (Ireland) | Providing and Supporting Infrastructure as a Service (IaaS) |
| Microsoft Corporation (US) | Providing and Supporting Infrastructure as a Service (IaaS) |