VeraSafe Services Privacy Policy

Effective Date: October 18, 2023

1. Introduction and Scope

At VeraSafe, privacy is what we do. Because of our focus on privacy, we take the protection of personally identifiable information (“Personal Data”) very seriously.

In the course of operating our business, we process Personal Data in a variety of ways. This Privacy Policy (the “Policy”) addresses the individuals (“Data Subjects”) whose Personal Data we process in the course of providing our “Services,” which include:

  • the following “Professional Services”:
    • professional data protection compliance and cybersecurity consulting services;
    • external data protection officer and privacy officer services;
    • representative services, including data protection representative services in the European Union (EU) and the United Kingdom (UK); and
    • dispute resolution services, including when acting as an Independent Recourse Mechanism (“IRM”) under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and/or the Swiss-U.S. Data Privacy Framework (respectively, the “EU-U.S. DPF”, “UK Extension to the EU-U.S. DPF”, and “Swiss-U.S. DPF”; collectively, the “DPF”); and
  • the following “Applications”:
    • our web-based learning management system; and
    • our website seals, such as the VeraSafe “Privacy Verified” website seal, and their attendant administrative web application.

2. What Is Not Covered in this Policy?

VeraSafe human resources data.
This Policy does not apply to Personal Data we collect about team members and applicants during employment or the application process, respectively, as described by our HR Privacy Policy.

Business development data.
This Policy does not apply to Personal Data we collect about visitors to our websites, or in the context of our sales and marketing initiatives, as described by our Sales, Marketing, & Outreach Privacy Policy.

Information that is not Personal Data.
This Policy does not apply to information that is not Personal Data. Personal Data is information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular individual.

3. Entities Covered by This Privacy Policy

This Policy covers VeraSafe, LLC and the following affiliate entities:

  • VeraSafe Czech Republic s.r.o.;
  • VeraSafe Ireland Limited;
  • VeraSafe Legal, LLP;
  • VeraSafe Netherlands BV;
  • VeraSafe South Africa (Pty) Ltd.;
  • VeraSafe United Kingdom Ltd.

Throughout this Policy, when we refer to “VeraSafe”, “we”, “us”, or “our”, we mean VeraSafe, LLC and its affiliates, collectively.

4. Our Role with Respect to Your Personal Data

VeraSafe as a Controller
Generally, when providing Professional Services, such as consulting services, VeraSafe acts as a data controller for the Personal Data we process. This means that VeraSafe determines the type of Personal Data that clients collect and provide to us to process on their behalf.

VeraSafe as a Processor
When providing access to our Applications and when providing certain Professional Services, VeraSafe acts as a data processor for the Personal Data we process for our clients. This means that those clients determine the type of Personal Data that they provide to us to process on their behalf. We typically have no direct relationship with the individuals whose Personal Data we receive from our clients (generally, employee data) when we act as a data processor in providing access to our Applications.

Absent Controllership
In the context of certain Professional Services, such as data representative services, VeraSafe is neither a data controller nor a data processor.

5. Basis of Processing

Depending upon the context, we process your Personal Data on the basis of:

  • the need to perform a contract that we entered into with you or your organization;
  • our legitimate interests, such as our interest in providing our Services for valuable consideration, and our clients’ interests in complying with applicable data protection laws;
  • our obligation to comply with applicable law; or
  • any other ground, as required or permitted by applicable law.

Where we receive your Personal Data as part of providing our Services to you based on a contract, we require certain Personal Data in order to carry out the contract. Without that necessary Personal Data, we will not be able to provide the Services to you.

6. How We Receive Personal Data

We may collect or otherwise receive your Personal Data when:

  • you provide it directly to us as part of using our Services;
  • our clients (including their employees, contractors, and other representatives of the organization) provide it to us while using our Services;
  • we receive it from European data protection authorities;
  • we receive it from other companies within our corporate group;
  • we obtain it from publicly available sources, such as social media pages or corporate, government, or professional websites; and
  • an associate of yours or one of our partners or clients refers you to our Services by providing your Personal Data to us.

7. Categories of Personal Data

We may process the following categories of Personal Data:

  • biographical information, such as first name and last name;
  • contact information, such as email address, phone number, postal address, and IP address and associated location;
  • professional information, such as job title, position, and information about your company or business;
  • other information, such as your interests, whether or not you have opened email(s) we send you, information pertaining to your use of the Applications, details about your data protection inquiry or concern; and any other category of Personal Data submitted to us by you, our client, European data protection authorities, or other companies within our corporate group.

8. Purposes of Processing Personal Data

We may process your Personal Data for the purposes of:

  • providing and enabling use of the Services;
  • responding to your requests or questions;
  • complying with our legal obligations in our role as a data protection officer, a representative in the EU or UK, or an IRM; and
  • collecting payments that are due to VeraSafe, enforcing our legal rights, and complying with laws and regulations applicable to VeraSafe.

9. Personal Data Retention

When we act as a data controller, we only retain Personal Data for as long as necessary to fulfill the purposes of processing or as long as required by applicable law, whichever is longer.

When we act as a data processor, we retain Personal Data for as long as instructed by the respective client (who typically acts as a data controller). We delete the Personal Data submitted to us within six months of the end of our service agreement with the client unless applicable laws require otherwise.

10. Sharing Personal Data with Third Parties

We may share Personal Data with our affiliates, as well as with our service providers, who process Personal Data on our behalf, and who agree to use the Personal Data only to assist us in providing our Services or as required by law. Our service providers provide:

  • website and application hosting services;
  • software development services;
  • professional translation services;
  • cloud storage services;
  • email software;
  • team collaboration tools;
  • project management software;
  • help desk software;
  • video and web conferencing software;
  • VOIP telephone software and services;
  • Internet messaging software;
  • email scheduling, analytics, and tracking software;
  • office productivity software;
  • professional tax/accounting services;
  • customer relationship management software;
  • accounting software;
  • outsourcing management and contracting software; and
  • electronic signature software.

Some of these third parties may be located outside of the European Union, the European Economic Area (EEA), or Switzerland. However, before transferring your Personal Data to these third parties, we will require the third party to maintain at least the same level of privacy and security for your Personal Data that we do. We remain liable for the protection of your Personal Data within the scope of our DPF certifications that we transfer to third parties, except to the extent that we are not responsible for the event that leads to any unauthorized or improper processing.

11. Other Disclosures of Your Personal Data

We may disclose your Personal Data to the extent required by law or if we have a good-faith belief that we need to disclose it in order to comply with official investigations or legal proceedings (whether initiated by government or law enforcement officials or private parties, including to meet national security or law enforcement requirements). We may also disclose your Personal Data if we sell or transfer all or some of our company’s business interests, assets, or both, or in connection with a corporate restructuring. Finally, we may disclose your Personal Data to our subsidiaries or affiliates, but only if necessary for business purposes, as described in the section above.

12. Cookies

A “cookie” is a small file stored on your device that contains information about your device. We may use cookies to provide some of our Applications’ functionality, authentication, usage analytics (web analytics), and to remember your settings, and generally improve our Applications.

We use session and persistent cookies. Session cookies are deleted when you close your browser. Persistent cookies may remain even after you close your browser. Most of the cookies placed on your device through our Applications are first-party cookies since they are placed directly by us. Other parties, such as Google, may also set their own (third-party) cookies through our Applications. Please refer to the policies of these third parties to learn more about the way in which they collect and process information about you.

For more information about the cookies we use, please refer to our Cookie Policy, which forms a part of this Policy.

13. Data Integrity & Security

We have implemented and will maintain technical, administrative, and physical security measures that are reasonably designed to help protect Personal Data from unauthorized processing, such as unauthorized access, disclosure, alteration, or destruction. We have also implemented solutions to prevent accidental loss and mitigate unavailability of relevant information systems used to process Personal Data.

14. Your Privacy Rights: Access & Review

If we process your or your child’s Personal Data, you may have the right to request access to (or to update, correct, or delete) such Personal Data. You may also have the right to ask that we limit our processing of such Personal Data, as well as the right to object to our processing of such Personal Data. You may also have the right to data portability with respect to such Personal Data.

If we have received your Personal Data in reliance on our certification(s) under the DPF, you may also have the right to opt out of having your Personal Data shared with third parties and to revoke your consent to our sharing your Personal Data with third parties.

You may also have the right to opt out if your Personal Data is used for any purpose that is materially different from the purpose(s) for which it was originally collected or which you subsequently authorized.

Requests should be sent directly to the client who provided your Personal Data to us. VeraSafe has limited rights to access Personal Data our clients submit to us. Therefore, if you contact us with such a request, please provide the name of the VeraSafe client who submitted your Personal Data to us. We will forward your request to that client and provide any needed assistance as they respond to your request.

15. Privacy of Children

The Services are not directed at, or intended for use by, children under the age of 16. To the extent that we process any Personal Data about children under the age of 16, we do so according to the documented instructions of our client, who typically acts as a data controller, or in order to comply with applicable law.

16. Data Privacy Frameworks

For Personal Data processed in the scope of this Policy, VeraSafe, LLC complies with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF as set forth by the U.S. Department of Commerce. VeraSafe, LLC has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. VeraSafe, LLC has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. DPF Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, VeraSafe, LLC commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

17. Dispute Resolution

Where a privacy complaint or dispute cannot be resolved through VeraSafe’s internal process, in compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, VeraSafe, LLC commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

18. Binding Arbitration

If your dispute or complaint can’t be resolved by us, nor through the recourse mechanism described in the Dispute Resolution section of this Privacy Policy, you may have the right to require that we enter into binding arbitration with you under the DPF’s “Recourse, Enforcement and Liability Principle” and Annex I of the DPF.

19. European Economic Area and United Kingdom Supervisory Authority Oversight

If you are a Data Subject whose Personal Data we process, you may also have the right to lodge a complaint with a data protection regulator in one or more of the European Economic Area member states or the United Kingdom.

20. U.S. Regulatory Oversight

VeraSafe, LLC is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

21. Changes to This Policy

If we make any material change to this Policy, we will post the revised Policy to this web page. We will also update the “effective on” date. By continuing to use our Services after we post any of these changes, you accept the modified Policy.

22. Contact Us

If you have any questions about this Policy or our processing of your Personal Data, you can reach us at:

Address: VeraSafe
Attn: General Counsel
100 M Street S.E., Suite 600
Washington D.C., 20003
USA
Email: [email protected]
Phone: +1-617-398-7067

We will respond to legitimate inquiries within 30 days of receipt.

23. Data Protection Representatives

European Union – VeraSafe Czech Republic s.r.o.
Address: Klimentská 46, Prague 1, 11002, Czech Republic

United Kingdom – VeraSafe United Kingdom Ltd.
Address: 37 Albert Embankment, London, SE1 7TL, United Kingdom

Phone: +420 228 881 031
Contact Form: https://www.verasafe.com/privacy-services/contact-article-27-representative/
