We respect your privacy and appreciate the importance of your trust. As part of our efforts to help you understand how we handle the personal information you share with us, and in compliance with the regulations named in Section 11 within, please review the following terms carefully.
1. General Terms.
As more fully described below, we may collect and process certain information that is provided by you to us. We have a legal basis for collecting and processing such information because:
- You have given us permission to do so;
- We must provide services to you in conjunction with a contract you have entered into for the provision of products or services, or an order you have placed via our software platform, or through other means (such order authorization may take various forms, such as signed service orders or master service agreements); and/or
- We are required to do so in order to comply with applicable law.
The Section below describes the types of information that we may collect from you and our business purposes for collecting such information.
2. Information that We Collect and Process.
Information Provided by You:
We may collect Personal Information that you provide to us. “Personal Information” is information that can be used to identify you individually, and includes items such as your name, company name, business address, e-mail address, and telephone number. If you are a user of our products and/or Cloud-Based Platform, we may also collect payment information (such as your account or card number), if used to make a purchase from our Website or our Cloud-Based Platform or pay your invoices. Further, you may provide information like employee business title, employee ID, login credentials, and assigned IT assets. By means of managing service providers with whom you contract, we may collect information like reference number, call detail records, cost center, department, and ICCID/IMEI. The type of Personal Information that we may collect also depends on your use of this Website or our Cloud-Based Platform and what information you provide to us.
You are sharing Personal Information with us when you apply for employment with vCom Solutions. We may ask you to submit your resume or CV with your application for employment, along with any other information required to verify your qualifications. vCom Solutions’ applicants will have log-in credentials for our third-party recruiting software, which enables applicants to access their previous job applications, documents submitted, and the option to specify interest in being considered for other job openings in the future.
We and our third-party service providers may also use a variety of technologies that automatically or passively collect information about how this Website or our Cloud-Based Platform is accessed and used (known as “Usage Information”). Usage Information may include the type of browser and device you used to access our Website or our Cloud-Based Platform, your operating system and application version, the web pages accessed by you, the time you accessed these web pages, preceding web page views, and your use of any features or applications on this Website or our Cloud-Based Platform. Statistical data like this helps us understand what is interesting and relevant to our customers, so we can best adapt our content for our customers’ benefit.
We and our third-party service providers may also automatically collect an IP address or other unique identifier information from the computer, mobile device, technology or other device you use to access this Website or our Cloud-Based Platform. We may use this information to, among other things, administer this Website or our Cloud-Based Platform, help diagnose server problems, analyze trends, track web page movements, help identify you and your shopping cart, and gather broad demographic information for collected use.
3. Cookies and Other Technology:
Most Internet browsers are initially set up to accept cookies. You may disable cookies on your web browser within the Privacy & Security settings section of your browser; however, your ability to use the Website or our Cloud-Based Platform will be then limited and/or unavailable. To learn more about cookies, please click here. You may also choose to download an opt-out cookie (a cookie must be on your computer to tell our systems that you have opted-out). To learn more about opt-out cookies, please click here.
4. Our Use and Sharing of Your Information.
We use the information that we collect about you for a variety reasons, including the following:
- Verifying your identity;
- Fulfilling your orders for products or services;
- Responding to your questions;
- Invoicing you for services rendered or products purchased;
- Communicating with you about your purchases and activities on this Website or our Cloud-Based Platform;
- Improving the Website or our Cloud-Based Platform and our customers’ experience;
- Sending you emails and other marketing communications; and
- Sending notices or information; and
- For those who apply for employment with vCom Solutions, to process your employment application, including background checks and education and employment verification, as applicable.
We may share your Personal Information as described below:
- With our sub-processors that we use to support our business;
- To provide you with any information or services that you request;
- To respond to subpoenas, court orders, and other legal process, or as otherwise required by law;
- To exercise our legal rights or to defend ourselves against legal claims, to enforce our contracts, to investigate, respond to and resolve problems or inquiries (including governmental inquiries), or to permit us to pursue available remedies or limit the damages that we may sustain;
- In connection with an actual or potential merger, sale, acquisition, assignment, or transfer of all or part of our assets, affiliates, lines of business, or products and services, including at bankruptcy;
- With our affiliates, subsidiaries, or parent companies; and
- With your consent.
If you would like to subscribe to the current list of our sub-processors with whom we share Personal Information, you may sign up here.
We may also use and disclose any information that is aggregated or de-identified so that it does not identify you personally, in our discretion.
5. Security and Your Information.
We, and our sub-processors, use reasonable safeguards to protect Personal Information against loss, unauthorized use, disclosure or destruction and when transferring information for processing. However, please note that no electronic data transmission or storage of information can be absolutely secure. We cannot ensure or warrant the security of any information you transmit to us. When we are made aware of vulnerability in our security practices, we will address them according to our “Incident Response Protocol.”
6. How Long We Will Retain Your Information.
We will not retain your personal information for longer than required. We will keep your personal information until we no longer have a valid legal or business reason for keeping it or you request us to stop using it. Please note that we may keep just enough of your personal information to ensure that we comply with your request not to use your personal information or comply with your right to erasure. For example, we must keep your request to be erased even if it includes your personal data until such time as you are no longer our customer. Please note we may also keep just enough of your personal information to remain compliant with tax authorities or regulatory entities.
7. Your Rights
You have certain rights relating to your Personal Data, subject to local data protection laws. These rights may include:
- To access your Personal Data held by us (right to access);
- To rectify inaccurate Personal Data and, taking into account the purpose of processing the Personal Data, ensure it is complete (right to rectification);
- To erase/delete your Personal Data, to the extent permitted by applicable data protection laws (right to erasure; right to be forgotten);
- To restrict our processing of your Personal Data to the extent permitted by law (right to restriction of processing);
- To transfer your Personal Data to another controller, to the extent possible (right to data portability);
- To object to any processing of your Personal Data carried out on the basis of our legitimate interests (right to object). Where we process your Personal Data for direct marketing purposes or share it with third parties for their own direct marketing purposes, you can exercise your right to object at any time to such processing without having to provide any specific reason for such objection;
- To not be subject to a decision based solely on automated processing, including profiling, which produces legal effects (“Automated Decision-Making”); Automated Decision-Making currently does not take place on our websites; and
- To the extent we base the collection, processing and sharing of your Personal Data on your consent, to withdraw your consent at any time, without affecting the lawfulness of the processing based on such consent before its withdrawal.
8. Consent to Processing Information.
Our Website or our Cloud-Based Platform are governed by and operated in accordance with the laws of the State of California and the United States, and are intended for the use of residents of the United States. If you are located outside of the United States, please be aware that information we collect will be transferred to and processed in the United States.
9. Third Party Links and Services.
10. Our Children’s Policy.
Neither this Website nor our Cloud-Based Platform is directed to children under the age of thirteen (13). Children may not use our Website or our Cloud-Based Platform or purchase our products, and we do not knowingly collect any personal information from children under the age of thirteen (13). We have no way of distinguishing the age of individuals who access our Website or our Cloud-Based Platform. If a child has provided us with personal information, the parent or guardian should contact us to remove the information and opt out of promotional opportunities.
12. Acceptable Use Policy
For information on our Acceptable Use Policy, click here.
13. Questions or Requests?
In the event that you wish to submit a question regarding our use of your personal information or request to modify, erase, or restrict the processing of your personal information, please contact us here: firstname.lastname@example.org
- EU General Data Protection Regulation 2016/679
- California Consumer Privacy Act of 2018
16. For California Consumers
The California Consumer Privacy Act (the “Act”), in effect January 1, 2020 affords California consumers several basic rights. Those rights include the right to know what personal information is collected, where it is sourced, the purpose of its use, whether it is disclosed or sold, and to whom it is disclosed or sold. California consumers have the right to opt out of allowing the sale of their personal information to third parties (or, for consumers under the age of 16, the right to not have their personal information sold without a parent or guardian’s consent). You have the right to have a business delete your personal information upon request, and you have the right to receive equal and non-discriminatory service and pricing from a business, even if you exercise your privacy rights under the Act.
- Refer to Section 2 above regarding “Information that we Collect and Process.” If you have questions about the data we have collected from you or how it is used, you may contact our Data Protection Officer at: (800) 804-8266, or email@example.com
- vCom takes your privacy very seriously, and does not ever monetize consumer data to any third-party organizations.
- You have the right to request erasure of your personal information, and may do so by contacting us at: (800) 804-8266 or firstname.lastname@example.org.
- To request erasure of your Personal Information in connection with an employment application, contact us at: (800) 804-8266 or email@example.com.
- We will not retain your personal information for longer than required. We will keep your personal information until we no longer have a valid legal or business reason for keeping it or you request us to stop using it. Please note that we may keep just enough of your personal information to ensure that we comply with your request not to use your personal information or comply with your right to erasure. For example, we must keep your request to be erased even if it includes your personal data until such time as you are no longer our customer. Please note we may also keep just enough of your personal information to remain compliant with tax authorities or regulatory entities.
- If you choose to exercise any of your privacy rights, rest assured you will continue to receive equal service and pricing on a non-discriminatory basis.
17. Employment Information Collected other than through vCom Solutions Online Employment Process
If you submit Personal Information to vCom Solutions through any channel other than our online job application process, the same policy set forth above will be applied to such Personal Information you submit through channels other than the vCom Solutions Employment Application, except as follows:
- Hardcopy Personal Information provided to vCom Solutions which is not converted to electronic media and hosted by vCom Solutions will be subject to different security procedures than will stored electronic Personal Information. vCom Solutions has security measures equal to or better than those reasonably expected in the industry, in place to protect against the loss, misuse and alteration of your hardcopy Personal Information under its control.
Acceptable Use Policy
At vCom, we value you, and wish to provide you with an experience that exceeds your expectations. When you open an account with vCom, you may elect to subscribe to services that use Internet technology (for example, vManager or a high capacity data service). Subscribing to Internet-based services provides you with certain rights and privileges, but also carries with it certain duties and responsibilities.
As such, vCom reserves the right to monitor any and all facilities in use by its customers, and as required in its agreements with underlying service and facilities providers as outlined in the Acceptable Use Policy that follows. This Acceptable Use Policy is in place to both clearly state customers’ duties and responsibilities, as well as to provide a safe and secure network experience.
Customers agree to use services in a manner consistent with any and all applicable state, federal or other laws or regulations. Reproduction or transmission of any material in violation of any local, state federal or internal law or regulation is strictly prohibited. Customer shall be responsible for all content that Customer makes available on or through services provided by vCom. Customer warrants that all such contents will not infringe upon, or otherwise violate any copyright, patent or other right held by a third party, and shall not violate any applicable law, regulation or industry standard. Customers agree that any materials to be reproduced or transmitted using vCom’s service through customer’s account(s) does not violate any such laws, nor does it contain materials which are in violation of obscenity laws or are libelous or threatening. Software intended to facilitate any such violation may not be stored using services procured from vCom.
Customer shall hold vCom, including its officers, agents, contractors or affiliates, or anyone else involved in administering, distributing, or providing services or equipment harmless from any losses, including, but not limited to, special, indirect, incidental, consequential or punitive damages. Customer shall hold harmless vCom from and against any claims, liabilities, and expenses, including attorney’s fees, resulting from Customer’s use of vCom’s service or Customer’s account in an unlawful manner or otherwise in violation of or contrary to Customer’s Agreement with vCom or this Acceptable Use Policy.
Specific examples of inappropriate usage include, but are not limited to:
Spamming – Sending unsolicited e-mail messages.
Intellectual Property Violations – Engaging in activities that infringe or misappropriate the intellectual property rights of others (such as copyrights, trademarks or patents).
Obscene Speech or Materials – Using services procured by vCom to store, disseminate or otherwise display child pornography or other materials in violation of obscenity laws.
Defamatory or Abusive Language – Using services procured by vCom to post or transmit harassing, abusive, defamatory or threatening language to others.
Forging of Headers – Forging or misrepresenting message headers, so as to mask the originator of the message.
Illegal or Unauthorized Access to Other Computers or Networks (“Hacking”) – Illegal access to computers or networks belonging to another party.
Distribution of Internet Viruses, Worms, Trojan Horses, or Other Destructive Activities – Distributing information regarding the creation of, or sending of Internet viruses, worms, Trojan horses, or other destructive activities.
Export Control Violations – Exporting encryption software over the Internet to points outside the United States is in violation of Federal laws.
Other Illegal Activities – Engaging in any other activities that are determined to be illegal or harmful to others, including those activities determined by vCom to be lawful or unlawful that may be harmful to its subscribers, operations, reputation, goodwill or customer relations.
It is the responsibility of the Customer to adhere to this Acceptable Use Policy. Although vCom may monitor communications to ensure such compliance, as well as compliance with applicable laws, vCom does not undertake widespread monitoring as a general practice. However, upon receipt of a complaint from a vCom subscriber, law enforcement personnel, or if vCom becomes aware of any inappropriate or unlawful activities, it will undertake to verify such activities, identify the subscriber, and remedy the situation.
Use of the Internet is neither more nor less secure than other means of communication, including mail, facsimile or voice telephone service. As such, vCom does not assume responsibility for the security of information transmitted over facilities procured by it for use by a Customer.
Limitation of Liability
VCOM DOES NOT MAKE ANY REPRESENTATIONS OR WARRANTIES OF ANY KIND, WHETHER STATUTORY, EXPRESS OR IMPLIED, REGARDING THE SERVICES OR EQUIPMENT PROVIDED BY VCOM, OR IN CONNECTION WITH ANY VCOM FACILITIES OR EQUIPMENT INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, NONINFRINGEMENT OR FITNESS FOR A PARTICULAR PURPOSE OR IMPLIED WARRANTIES ARISING FROM A COURSE OF DEALING OR A COURSE OF PERFORMANCE. VCOM EXPRESSLY DISCLAIMS ANY REPRESENTATION OR WARRANTY THAT THE SERVICES OR EQUIPMENT PROVIDED BY VCOM HEREUNDER OR IN CONNECTION HEREWITH, WILL BE ERROR FREE, SECURE OR UNINTERRUPTED. NO ORAL ADVICE OR WRITTEN INFORMATION GIVEN BY VCOM, ITS OFFICERS, EMPLOYEES, AGENTS, CONTRACTORS OR LICENSEES SHALL CREATE ANY SUCH WARRANTY, NOR SHALL CUSTOMER RELY ON ANY SUCH ADVICE.
vCom Customers are responsible to report to vCom any network issue which could compromise the stability, service or security of use by vCom or its customers of services provided by vCom. Complaints concerning prohibited uses of services, or any other abuse of services or terms contained within this Acceptable Use Policy should be reported immediately via e-mail:firstname.lastname@example.org , phone: 1-800-804-8266, or in writing: vCom Solutions, 12657 Alcosta Boulevard, Suite 418, San Ramon, CA 94583. Please include all applicable information pertinent to the complaint so vCom can investigate.
Additional Terms & Conditions
Use of the vCom network, equipment or services by a Customer of vCom is subject to the terms and conditions contained within any Service Order or Master Services Agreement entered into by such Customer with vCom. The Acceptable Use Policy is incorporated into such agreements by reference, and vCom reserves the right to modify the Policy at any time by posting modifications.
Data Processing Agreement (“DPA”)
This Data Processing Agreement (“DPA”) governs the terms and conditions under which vCom Solutions, Inc. (“vCom”) and Customer, (respectively, “the Parties”) will interact with respect to data processing. This DPA is entered into between the Parties in accordance with provisions set forth in the California Consumer Privacy Act of 2018 and the European Union General Data Protection Regulation (Regulation (EU) 2016/679), and where appropriate, governs vCom’s provision of services as more fully described in any applicable Service Order (“SO) or Scope of Work (“SOW”) documentation (collectively, “the Services”).
IT IS AGREED as follows:
a. The terms “Personal Data,” “Personal Data Breach,” “Processing,” and “Supervisory Authority” have the meanings given those terms in the GDPR.
b. “Supervisory Authority” may also mean (as applicable) an independent public authority which is established by the California Attorney General.
c. “Customer Personal Data” means any Personal Data of Data Subjects based in the European Economic Area (as defined in the Agreement on the European Economic Area dated January 1, 1994, “EEA”) that is Processed by vCom or any of its Sub-processors on behalf of Customer pursuant to the Agreement. For clarification, aggregated or otherwise anonymized data is not Customer Personal Data.
d. “Data Protection Law” means, (a) on and after May 25, 2018, the GDPR, and (b) before May 25, 2018, Directive 95/46/EC. For the avoidance of doubt, until May 25, 2018, any provisions of this DPA relating to GDPR are deemed to refer to the corresponding provisions (if any) of Directive 95/46/EC and as later notified in Document C(2010) 593) .
e. “Data Subject Request” means the exercise by Data Subjects of their rights under Chapter III of the GDPR.
f. “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates. With respect to CCPA a Data Subject may also be known as a “Consumer.”
g. “Directive 95/46/EC” means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
h. “GDPR” means the EU General Data Protection Regulation 2016/679 and, to the extent the GDPR is no longer applicable, any implementing legislation or legislation having equivalent effect.
i. “Standard Contractual Clause(s)” or “SCCs” means the agreement executed by and between the Controller and Processor, incorporated herein pursuant to the European Commission’s decision (C(2010)593) of February 5, 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection. It is understood that the European Commission may revise SCCs in the future; in which case, Customer and vCom agree that the latest version of European Commission-approved SCCs shall replace the SCCs set forth herein.
j. Sub-processor” means any third party (including any vCom Affiliate) appointed by or on behalf of vCom to Process Customer Personal Data.
k. Third Party” under California law means any entity that is not a Business or a Service Provider.California Consumer Privacy Act of 2018” or (“CCPA”) means Assembly Bill 375 of the California House of Representatives, an act to add Title 1.81.5 (commencing with Section 1798.100) to Part 4 of Division 3 of the Civil Code, pertaining to privacy and approved by the California Governor on June 28, 2018.Contracted Processor” or “Service Provider” means vCom.
l. “Business” means you (the customer), or the business entity which has contracted with vCom for specific products or services.
2. PROCESSING OF CUSTOMER PERSONAL DATA
a. vCom shall implement processes and maintain procedures designed to comply with the CCPA and Data Protection Law in Processing Customer Personal Data/consumer data and shall not Process such data other than on Customer’s instructions or as otherwise required by applicable law. In accordance with this DPA and all Data Protection regulation, Customer (Controller) authorizes vCom (Processor) to process, store or transfer Customer Personal Data in the United States or in any other country in which vCom or its Sub-processors maintain facilities, solely for purpose of providing the Services.
b. Customer instructs vCom, subject to Customer’s compliance with the CCPA and Data Protection Law, to Process Customer Personal Data as necessary to provide the Services to Customer in a manner consistent with the DPA and associated Documentation. Where vCom receives an instruction from Customer that, in its reasonable opinion, infringes the Data Protection Law, vCom shall inform Customer.
c. To the extent that the Services involve a transfer of Personal Data from systems used by one party in the EEA or Switzerland to systems used by the other party located in countries outside the EEA or Switzerland that have not received a binding adequacy decision by the European Commission or by a competent national EEA data protection authority, the Parties agree that the Standard Contractual Clauses (incorporated hereto as Articles 1-8, the Annex, and Clauses 1-12) shall apply.
d. Section 3 to this DPA describes the details of the Processing of Customer Personal Data. vCom may update Section 3 from time to time as vCom reasonably considers necessary to reflect the Processing and meet any applicable requirements of the CCPA or Data Protection Law.
e. Each Party shall comply with its respective obligations under the CCPA and Data Protection Law concerning the Processing of Customer Personal Data.
3. DATA PROCESSING DETAIL
a. Data Subjects. Customer may submit Customer Personal Data to vCom, the extent of which is determined and controlled by Customer in its sole discretion, and which may include Customer Personal Data relating to the following categories of data subjects:
Customer’s Authorized Users, employees, contractors, agents, or representatives;
b.Categories of Data. Customer may submit Customer Personal Data to vCom, the extent of which is determined and controlled by Customer in its sole discretion, and may include the following categories of Customer Personal Data:
Customer’s Authorized Users, employees, contractors, agents, or representatives, contact details of the individual, which may include: name, job title, telephone number, business physical or mailing address, e-mail address, or user IDs.
c. Nature, Subject Matter, and Purpose of Processing. The objective of Processing of Customer Personal Data by vCom is the performance of the Services pursuant to the DPA. vCom shall only process Personal Data in accordance with Customer’s instructions.
d. Duration of Processing. Subject to Section 9 (Return or Deletion of Customer Personal Data After Termination) of this DPA, vCom will process Customer Personal Data for the duration of the DPA, unless otherwise agreed upon in writing.
4. vCom PERSONNEL
vCom shall use commercially reasonable measures to ensure that vCom personnel who may Process Customer Personal Data (I) comply with vCom’s technical and organizational security measures, including ensuring that they are subject to appropriate confidentiality obligations, and (ii) Process Customer Personal Data only as instructed by the Customer or as otherwise required by applicable law.
vCom shall implement commercially reasonable technical and organizational measures to ensure an appropriate level of security for Customer Personal Data, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, vCom shall take into account the risks of Processing Personal Data, in particular from accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data.
Adherence to an approved certification mechanism will be sufficient to demonstrate vCom’s (or a Sub-processor’s) compliance with its security obligations under this DPA.
Customer authorizes vCom to appoint Sub-processors or Third Parties in accordance with this Section 6 and any restrictions in the DPA. vCom may continue to use those Sub-processors or Third Parties already engaged at the date of this DPA, subject to vCom’s compliance with the obligations set out in Section 6(c) with respect to such Sub-processors or Third Party.
vCom shall maintain a list of its Sub-processors or Third Parties, which may be updated from time to time. If you would like to subscribe to the current list of our Sub-processors or Third Parties with whom we share personal information, you may sign up here
Under California law, such Sub-processors may also be known as a Third Party.
vCom shall ensure that each Sub-processor is governed by a written contract that imposes data protection obligations at least as protective as those of this DPA.
7. DATA SUBJECT REQUESTS
Taking into account the nature of the Processing, vCom shall implement processes and maintain procedures to enable Customer to fulfill its obligations under the Data Protection Law to respond to Data Subject or Consumer Requests.
If vCom receives a request directly from a Data Subject or Consumer under the Data Protection Law with respect to Customer Personal Data, then to the extent legally permissible, vCom will advise the Data Subject or Consumer to submit his or her request to Customer or Business, and Customer/Business will be responsible for responding to any such request. For California consumers, any such request will be handled by vCom within accordance of applicable law.
8. PERSONAL DATA BREACH
vCom shall notify Customer without undue delay upon vCom’s confirmation of any Personal Data Breach affecting Customer Personal Data.
vCom shall provide Customer with information regarding such Personal Data Breach as required by the Data Protection Law.
vCom shall use commercially reasonable efforts to: (i) identify the cause of such Personal Data Breach; and (ii) remediate the cause of such Personal Data Breach within vCom’s systems, to the extent such remediation is within vCom’s reasonable control.
The obligations of this Section 8 will not apply to Personal Data Breaches caused by Customer or its personnel.
9. RETURN OR DELETION OF CUSTOMER PERSONAL DATA AFTER TERMINATION
Customer may request the return or deletion of Customer Personal Data by contacting: email@example.com
vCom and any Sub-processor may retain Customer Personal Data (i) to the extent necessary to comply with applicable law (including but not limited to tax or regulatory authority audit requirements), (ii) to respond to support requests, and (iii) in backups and historical archives in accordance with vCom’s standard backup and archival procedures (unless prohibited by the Data Protection Law and provided that all Customer Personal Data will continue to be subject to this DPA until deleted).
10. AUDIT RIGHTS
Upon written request, vCom shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. If Customer reasonably considers the information made available to Customer as insufficient to demonstrate compliance with this DPA, then vCom will allow an audit by Customer (or its designated appointees) with respect to vCom’s processing of Customer Personal Data. Any such audit shall be conducted remotely (unless otherwise required by a supervisory authority), and in accordance with vCom’s reasonable security requirements. Customer shall reimburse vCom for any time expended by vCom for the audit at vCom’s then-current professional services rates. Prior to audit commencement, Customer and vCom shall mutually agree upon the scope, timing and duration of the audit. Customer shall promptly notify vCom of any non-compliance discovered during the audit. All results of the audit shall be subject to the confidentiality obligations of the Parties under these Terms and Data Protection law.
11. CALIFORNIA CONSUMER PRIVACY ACT OF 2018
vCom is a Service Provider as defined in CCPA Section 1798.140(v), and Customer (or “Business”) discloses certain Personal Data to vCom solely for a valid business purpose and for vCom to perform the contracted services. vCom is prohibited from selling personal data, retaining, using or disclosing Personal Data for a commercial purpose other than providing the services, or retaining, using, or disclosing Personal Data outside the DPA between vCom and Customer. vCom certifies it understands and will abide by these regulations.
12. GENERAL PROVISIONS
Except as set forth by this DPA, all other terms and conditions between vCom and Customer remain in full force and effect. This DPA shall automatically expire on the termination or expiration of the last Service provided by, or under management by vCom, except with respect to any Customer Personal Data retained by vCom after such termination or expiration.
To the extent that vCom processes Personal Data in the course of providing the Services, each party acknowledges that, for purpose of these Data Protection Laws, Customer is the Controller (or the Business) of the Personal Data and vCom is the Processor (or Service Provider). For avoidance of doubt, Customer will assume the role of Controller/Business for any and all Personal Data that it collects and processes which is not Personal Data collected and processed by vCom on behalf of Customer.
Subject at all times to the terms of this DPA and applicable Data Protection Laws, Customer (Controller) authorizes vCom (Processor) to transfer, store or process Personal Data in the United States or any other country in which Processor or its Sub-processors maintain facilities, solely as necessary in the course of providing the Services. Processor will conduct all such activity in compliance with this DPA, applicable law and Controller’s instructions.
To the extent that the Services involve a transfer of Personal Data from systems used by one party in the EEA or Switzerland to systems used by the other party located in countries outside the EEA or Switzerland that have not received a binding adequacy decision by the European Commission or by a competent national EEA data protection authority, the Parties agree that the Standard Contractual Clauses (incorporated hereto as Articles 1-8, the Annex, Clauses 1-12 and Appendix 2) shall apply.
STANDARD CONTRACTUAL CLAUSES
The Standard Contractual Clauses (“SCCs”) set out in the Annex are considered as offering adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of
the corresponding rights as required by Article 26(2) of Directive 95/46/EC.
This Decision concerns only the adequacy of protection provided by the standard contractual clauses set out in the Annex for the transfer of personal data to processors. It does not affect the application of other national provisions implementing Directive 95/46/EC that pertain to the processing of personal data within the Member States.
This Decision shall apply to the transfer of personal data by controllers established in the European Union to recipients established outside the territory of the European Union who act only as Processors.
For the purposes of this Decision the following definitions shall apply:
(a) “Special Categories of Data” means the data referred to in Article 8 of Directive 95/46/EC;
(b) “Supervisory Authority” means the authority referred to in Article 28 of Directive 95/46/EC;
(c) “Data Exporter” means the Controller who transfers the personal data;
(d) “Data Importer” means the Processor established in a third country who agrees to receive from the Data Exporter Personal Data intended for processing on the Data Exporter’s behalf after the transfer in accordance with his instructions and the terms of this Decision and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(e) “Sub-Processor” means any Processor engaged by the Data Importer or by any other Sub-Processor of the Data Importer and who agrees to receive from the Data Importer or from any other Sub-Processor of the Data Importer Personal Data exclusively intended for the processing activities to be carried out on behalf of the Data Exporter after the transfer in accordance with the Data Exporter’s instructions, the SCCs set out in the Annex, and the terms of the written contract for sub-processing;
(f) “Applicable Data Protection Law” means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of Personal Data applicable to a Data Controller in the Member State in which the Data Exporter is established;
(g) “Technical and Organizational Security Measures” means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Whenever the competent authorities in Member States exercise their powers pursuant to Article 28(3) of Directive 95/46/EC leading to the suspension or definitive ban of data flows to third countries in order to protect individuals with regard to the processing of their Personal Data, the Member State concerned shall, without delay, inform the Commission which will forward the information to the other Member States.
The Commission shall evaluate the operation of this Decision on the basis of available information three years after its adoption. It shall submit a report on the findings to the Committee established under Article 31 of Directive 95/46/EC. It shall include any evidence that could affect the evaluation concerning the adequacy of the SCCs in the Annex and any evidence that this Decision is being applied in a discriminatory way.
This Decision shall apply from 15 May 2010.
- Decision 2002/16/EC is repealed with effect from 15 May 2010.
- A contract concluded between a Data Exporter and a Data Importer pursuant to Decision 2002/16/EC before May 15, 2010 shall remain in force and effect for as long as the transfers and data-processing operations that are the subject matter of the contract remain unchanged and Personal Data covered by this Decision continue to be transferred between the Parties. Where the contracting Parties decide to make changes in this regard or subcontract the processing operations that are the subject matter of the contract they shall be required to enter into a new contract which shall comply with the SCCs set out in the Annex.
This Decision is addressed to the Member States.
STANDARD CONTRACTUAL CLAUSES (PROCESSORS)
For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of Personal Data to Processors established in third countries which do not ensure an adequate level of data protection.
Name of the data exporting organization (the Data Exporter):
Click or tap here to enter text.
Address/phone/email of the data exporting organization:
Click or tap here to enter text.
Name of the data importing organization (the Data Importer):
vCom Solutions, Inc. (“vCom”)
Address/phone/email of the data importing organization:
12657 Alcosta Blvd., Suite 418, San Ramon, CA 94583 (800) 804-8266 / firstname.lastname@example.org
each a “Party”; together “the Parties”,
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to put forth adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Data Exporter to the
Data Importer of the Personal Data specified in Section 3 of the DPA.
For the purposes of the Clauses:
(a) “Personal Data,” “Special Categories of Data,” “Process/Processing,” “Controller,” “Processor,” “Data Subject” and “Supervisory Authority” shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data;
(b) “the Data Exporter” means the Controller who transfers the Personal Data;
(c) “the Data Importer” means the Processor who agrees to receive from the Data Exporter Personal Data intended for Processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
(d) “the Sub-Processor” means any Processor engaged by the Data Importer or by any other Sub-Processor of the Data Importer who agrees to receive from the Data Importer or from any other Sub-Processor of the Data Importer Personal
Data exclusively intended for Processing activities to be carried out on behalf of the Data Exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
(e) “the Applicable Data Protection Law” means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the Processing of Personal Data applicable to a Data
Controller in the Member State in which the Data Exporter is established;
(f) “Technical and Organizational Security Measures” means those measures aimed at protecting Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing.
Details of the Transfer
The details of the transfer and in particular the special categories of Personal Data where applicable are specified in Section 3 of the DPA which forms an integral part of the Clauses.
Third-Party Beneficiary Clause
1. The Data Subject can enforce against the Data Exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
2. The Data Subject can enforce against the Data Importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the Data Exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the Data Exporter, in which case the Data Subject can enforce them
against such entity.
3. The Data Subject can enforce against the Sub-Processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the Data Exporter, in which case the Data Subject can enforce them against such entity. Such third-party liability of the Sub-Processor shall be limited to its own Processing operations under the Clauses.
4. The Parties do not object to a Data Subject being represented by an association or other body if the Data Subject so
expressly wishes and if permitted by national law.
Obligations of the Data Exporter
The Data Exporter agrees and warrants:
(a) that the Processing, including the transfer itself, of the Personal Data has been and will continue to be carried out in accordance with the relevant provisions of the applicable Data Protection Law (and, where applicable, has been notified to the relevant authorities of the Member State where the Data Exporter is established) and does not violate the relevant provisions of that State;
(b) that it has instructed and throughout the duration of the personal data-processing services will instruct the Data Importer to Process the Personal Data transferred only on the Data Exporter’s behalf and in accordance with the applicable Data Protection Law and the Clauses;
(c) that the Data Importer will provide sufficient guarantees in respect of the Technical and Organizational Security Measures specified in Appendix 2 to this contract;
(d) that after assessment of the requirements of the applicable Data Protection Law, the Security Measures are appropriate to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the Processing involves the transmission of data over a network, and against all other unlawful forms of Processing, and that these measures ensure a level of security appropriate to the risks presented by the Processing and the nature of the Data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the Security Measures;
(f) that, if the transfer involves special categories of data, the Data Subject has been informed or will be informed before, or as soon as possible after, the transfer that its Data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
(g) to forward any notification received from the Data Importer or any Sub-Processor pursuant to Clause 5(b) and Clause 8(3) to the Data Protection Supervisory Authority if the Data Exporter decides to continue the transfer or to lift the suspension;
(h) to make available to the Data Subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for Sub-Processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
(i) that, in the event of Sub-Processing, the processing activity is carried out in accordance with Clause 11 by a Sub-Processor providing at least the same level of protection for the Personal Data and the rights of Data Subject as the Data Importer under the Clauses; and
(j) that it will ensure compliance with Clause 4(a) to (i).
Obligations of the Data Importer
The Data Importer agrees and warrants:
(a) to Process the Personal Data only on behalf of the Data Exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the Data Exporter of its inability to comply, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;
(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the Data Exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the Data Exporter as soon as it is aware, in which case the Data Exporter is entitled to suspend the transfer of data and/or terminate the contract;
(c) that it has implemented the Technical and Organizational Security Measures specified in Appendix 2 before Processing the Personal Data transferred;
(d) that it will promptly notify the Data Exporter about:
(i) any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
(ii) any accidental or unauthorized access; and
(iii) any request received directly from the Data Subjects without responding to that request, unless it has been otherwise authorized to do so;
(e) to deal promptly and properly with all inquiries from the Data Exporter relating to its Processing of the Personal Data subject to the transfer and to abide by the advice of the Supervisory Authority with regard to the Processing of the data transferred;
(f) at the request of the Data Exporter to submit its data-processing facilities for audit of the Processing activities covered by the Clauses which shall be carried out by the Data Exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the Data Exporter, where applicable, in agreement with the Supervisory Authority;
(g) to make available to the Data Subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the Data Subject is unable to obtain a copy from the Data Exporter;
(h) that, in the event of sub-processing, it has previously informed the Data Exporter and obtained its prior written consent;
(i) that the Processing services by the Sub-Processor will be carried out in accordance with Clause 11;
(j) to send promptly a copy of any Sub-Processor agreement it concludes under the Clauses to the Data Exporter.
1. The Parties agree that any Data Subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any Party or Sub-Processor is entitled to receive compensation from the Data Exporter for the
2. If a Data Subject is not able to bring a claim for compensation in accordance with paragraph 1 against the Data Exporter, arising out of a breach by the Data Importer or his Sub-Processor of any of their obligations referred to in Clause 3 or in Clause 11, because the Data Exporter has factually disappeared or ceased to exist in law or has become insolvent, the Data Importer agrees that the Data Subject may issue a claim against the Data Importer as if it were the Data Exporter, unless any successor entity has assumed the entire legal obligations of the Data Exporter by contract of by operation of law, in which case the Data Subject can enforce its rights against such entity. The Data Importer may not rely on a breach by a Sub-
Processor of its obligations in order to avoid its own liabilities.
3. If a Data Subject is not able to bring a claim against the Data Exporter or the Data Importer referred to in paragraphs 1 and 2, arising out of a breach by the Sub-Processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the Data Exporter and the Data Importer have factually disappeared or ceased to exist in law or have become insolvent, the Sub-Processor agrees that the Data Subject may issue a claim against the data Sub-Processor with regard to its own processing operations under the Clauses as if it were the Data Exporter or the Data Importer, unless any successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law, in which case the Data Subject can enforce its rights against such entity. The liability of the Sub-Processor shall be limited to its own Processing operations under the Clauses.
Mediation and Jurisdiction
1. The Data Importer agrees that if the Data Subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the Data Importer will accept the decision of the Data Subject:
(a) to refer the dispute to mediation, by an independent person or, where applicable, by the Supervisory Authority;
(b) to refer the dispute to the courts in the Member State in which the Data Exporter is established.
2. The Parties agree that the choice made by the Data Subject will not prejudice its substantive or procedural rights to seek
remedies in accordance with other provisions of national or international law.
Cooperation with Supervisory Authorities
1. The Data Exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
2. The Parties agree that the Supervisory Authority has the right to conduct an audit of the Data Importer, and of any Sub-Processor, which has the same scope and is subject to the same conditions as would apply to an audit of the Data Exporter under the applicable Data Protection Law.
3. The Data Importer shall promptly inform the Data Exporter about the existence of legislation applicable to it or any Sub-Processor preventing the conduct of an audit of the Data Importer, or any Sub-Processor, pursuant to paragraph 2. In such a case the Data Exporter shall be entitled to take the measures foreseen in Clause 5(b).
The Clauses shall be governed by the law of the Member State in which the Data Exporter is established, namely …
Click or tap here to enter text.
Insert location of Data Exporter
Variation of the Contract
The Parties undertake not to vary or modify the Clauses. This does not preclude the Parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
1. The Data Importer shall not subcontract any of its processing operations performed on behalf of the Data Exporter under the Clauses without the prior written consent of the Data Exporter. Where the Data Importer subcontracts its obligations under the Clauses, with the consent of the Data Exporter, it shall do so only by way of a written agreement with the Sub- Processor which imposes the same obligations on the Sub-Processor as are imposed on the Data Importer under the Clauses. Where the Sub-Processor fails to fulfill its Data Protection obligations under such written agreement the Data Importer shall remain fully liable to the Data Exporter for the performance of the Sub-Processor’s obligations under such agreement.
2. The prior written contract between the Data Importer and the Sub-Processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the Data Subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the Data Exporter or the Data Importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the Data Exporter or Data Importer by contract or by operation of law. Such third-party liability of the Sub-Processor shall be limited to its own processing operations under the Clauses.
3. The provisions relating to Data Protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the Data Exporter is established, namely
… Click or tap here to enter
text. (insert location of Data Exporter).
4. The Data Exporter shall keep a list of Sub-processing agreements concluded under the Clauses and notified by the Data Importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the Data Exporter’s data protection supervisory authority.
Obligation After the Termination of Personal Data-Processing Services
1. The Parties agree that on the termination of the provision of Data-Processing services, the Data Importer and the Sub-Processor shall, at the choice of the Data Exporter, return all the Personal Data transferred and the copies thereof to the Data Exporter or shall destroy all the Personal Data and certify to the Data Exporter that it has done so, unless legislation imposed upon the Data Importer prevents it from returning or destroying all or part of the Personal Data transferred. In that case, the Data Importer warrants that it will guarantee the confidentiality of the Personal Data transferred and will not actively process the Personal Data transferred anymore.
2. The Data Importer and the Sub-Processor warrant that upon request of the Data Exporter and/or of the Supervisory Authority, it will submit its Data-Processing facilities for an audit of the measures referred to in paragraph 1.
On behalf of
Customer (Data Exporter/Controller): Click or tap
here to enter text.
On behalf of
vCom Solutions, Inc. (Data Importer/Processor):
Name: Jenna Brown
Title: Sr. Director, Partner & Compliance Management
Date: Click or tap here to enter text.
Date: October 14, 2020
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and signed by the Parties.
Description of the technical and organizational security measures implemented by vCom in accordance with Clauses 4(d)
vCom will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data as described in the DPA. More specifically, the company has implemented strict policies in the following areas:
- Acceptable Use Policy
- Access Control and Password Policy
- Backup Policy
- Change Management Policy
- Data Classification Policy
- Disaster Recovery Plans
- Security Policy
- Security Response Policy
- Vendor Management Policies
- Web Application Security Policy
On behalf of
Customer (Data Exporter/Controller): Click or tap
here to enter text.
On behalf of
vCom Solutions, Inc. (Data Importer/Processor):
Name: Jenna Brown
Title: Sr. Director, Partner & Compliance Management
Date: Click or tap here to enter text.
Date: October 14, 2020