Data Privacy & Security Statement

Version 8.3.18

This Data Privacy & Data Security Statement (the “Statement”) is provided by ProcessUnity, Inc. (“ProcessUnity”) to its Customers (each, a “Customer”). This Statement describes ProcessUnity’s commitments with regard to data privacy and data security. ProcessUnity may update this Statement from time to time. Updated versions will be published on ProcessUnity’s website.

1. DEFINITIONS

“Authorized Persons” means ProcessUnity’s employees, agents, and contractors that have a need to know or otherwise access User Data to enable ProcessUnity to provide the Services.

“Controller” means a controller as defined under the GDPR.

“Data Protection Laws” means all international, federal, national and state privacy and data protection laws and regulations to the extent applicable to ProcessUnity and the Services. The Data Protection Laws include GDPR, to the extent applicable to ProcessUnity.

“Data Security Incident” means any accidental, unauthorized or unlawful access, acquisition, theft, destruction, or disclosure of User Data that occurs while such User Data is in the possession of or under the control of ProcessUnity.

“GDPR” means the EU General Data Protection Regulation 2016/679.

“Personal Data” means information relating to an identified or identifiable natural person. An identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Process” or “Processing” means any operation or set of operations that are performed upon User Data, whether or not by automatic means, such as collection, accessing, processing, use, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure, dissemination, transmittal, alignment or combination, blocking, erasure, destruction, or any other use set out in the applicable Data Protection Laws.

“Processor” means a processor as defined under the GDPR.

“Services” means ProcessUnity’s cloud-based governance, risk and compliance solutions.

“Sub-Processor” shall mean an entity engaged by ProcessUnity to assist it in Processing the User Data in fulfillment of its obligations with regard to the Services.

“User Data” means all data relating to a ProcessUnity Customer or its authorized users (“Users”) that is provided to ProcessUnity by a Customer or that is otherwise obtained or accessed by ProcessUnity in connection with the Services. User Data may include Personal Data.

“Third Party” is any person or entity other than ProcessUnity and Customer and Customer’s Users.

2. DATA PRIVACY

2.1 Compliance with Laws. ProcessUnity is committed to complying with its obligations under all Data Protection Laws that are applicable to ProcessUnity and the Services.

2.2 Distribution of User Data. Customers and Users should provide ProcessUnity only with Personal Data that is requested by ProcessUnity or that is otherwise necessary for ProcessUnity to provide the Services. ProcessUnity is not responsible for any other Personal Data.

2.3 Limitations on Use of Personal Data. ProcessUnity will not Process User Data other than for the purpose of providing the Services or as otherwise specified by Users. ProcessUnity will not Process User Data for the benefit of any Third Party. ProcessUnity will access only the User Data that it needs to perform the Services (i.e., no more than necessary). ProcessUnity will not store User Data longer than necessary to achieve the permitted purposes specified by User.

2.4 Restrictions. Except with a User’s prior, written approval, on a case-by-case basis, ProcessUnity will not: (a) use User Data other than as necessary for ProcessUnity to provide the Services, (b) disclose, sell, assign, lease or otherwise provide User Data to Third Parties (other than to its affiliates or Sub-Processors) except to the extent required or permitted by Data Protection Laws, or (c) merge User Data with other data, modify or commercially exploit any User Data.

2.5 Sensitive Personal Data. Customers and Users are advised never to provide ProcessUnity with Sensitive Personal Data. “Sensitive Personal Data” means (a) information that reveals a natural person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership; (b) information or data concerning a natural person’s health or sex life or sexual orientation; or (c) genetic data or biometric data about a natural person.

3. SUB-PROCESSORS

ProcessUnity may engage Sub-Processors in connection with the provision of the Services, provided, however, that ProcessUnity will not provide a Sub-Processor with access to User Data unless the Sub-Processor has: (i) a business need to know or access the relevant User Data, as necessary for the purposes of the Services; (ii) signed a written obligation of confidentiality or is under professional obligations of confidentiality; and (iii) implemented technical, operational, physical, and organizational safeguards to protect User Data against accidental or unlawful destruction or alteration and unauthorized disclosure or access.

4. DATA SUBJECT RIGHTS AND COOPERATION

ProcessUnity will use commercially reasonable efforts to cooperate and assist with a User’s exercise of his/her rights under applicable Data Protection Laws with respect to Personal Data Processed by ProcessUnity, including, without limitation, the right to be forgotten, the right to data portability, and the right to access data under the GDPR.

5. RETURN OR DESTRUCTION OF USER DATA

Upon the written request of a User, ProcessUnity will return User Data to a User or securely delete User Data as soon as reasonably practicable. However, if ProcessUnity is required by law to retain User Data or if User Data is stored in a manner such that it cannot readily be returned or destroyed without affecting other data, then ProcessUnity will continue to protect such User Data in accordance with this Statement and limit any use to the purposes of such retention.

6. DATA SECURITY

6.1 Security Program Requirements. ProcessUnity will maintain a security program that contains administrative, technical, and physical safeguards appropriate to the complexity, nature, and scope of its activities. ProcessUnity’s security program shall be designed to protect the security and confidentiality of User Data against unlawful or accidental access to, or unauthorized processing, disclosure, destruction, damage or loss of User Data. At a minimum, ProcessUnity’s security program shall include: (a) limiting access to User Data to Authorized Persons; (b) implementing network, application, database, and platform security; (c) means for securing information transmission, storage, and disposal within ProcessUnity’s possession or control; (d) means for encrypting User Data stored on media within ProcessUnity’s possession or control, including backup media, by using modern acceptable ciphers and key lengths; (e) means for encrypting User Data transmitted by ProcessUnity over public or wireless networks by using modern acceptable ciphers and key lengths; and (f) means for keeping firewalls, routers, servers, personal computers, and all other resources current with appropriate security-specific system patches.

6.2 Regular Reviews. ProcessUnity will ensure that its security measures are regularly reviewed and revised to address evolving threats and vulnerabilities.

7. DATA SECURITY INCIDENT PROCEDURES

7.1 Notification. ProcessUnity shall notify Customer as promptly as reasonably feasible, but in any event within forty-eight (48) hours of becoming aware of a Data Security Incident. ProcessUnity shall provide Customer with a detailed description of the Data Security Incident, the type of data that was the subject of the Data Security Incident and, to the extent known to ProcessUnity, the identity of each affected person, as soon as this information can be collected or otherwise becomes available, as well as all other information and cooperation that Customer may reasonably request relating to the Data Security Incident.

7.2 Mitigation. ProcessUnity agrees to take action immediately, at its own expense, to investigate the Data Security Incident and to identify, prevent, and mitigate the effects of the Data Security Incident and, with Customer’s prior agreement, to carry out any recovery or other action necessary to remedy the Data Security Incident. ProcessUnity will inform Customer of the steps it is taking to mitigate the effects of the Data Security Incident and to minimize the chances of a recurrence.

7.3 Publicity. ProcessUnity will not issue, publish or make available to any third party any press release or other communication concerning the Data Security Incident without Customer’s prior written approval or request.

7.4 Cooperation. ProcessUnity shall provide full cooperation and assistance to Customer to enable Customer to fulfill its obligations to enable Data Subjects affected by the Data Security Incident to exercise their rights under the Data Protection Laws. ProcessUnity will notify Customer within three (3) business days of all communications ProcessUnity receives from an affected Data Subject seeking to exercise his/her rights in connection with the Data Security Incident.

8. CROSS-BORDER TRANSFERS

8.1 Location. ProcessUnity systems and ProcessUnity’s Processing of User Data will occur within the following jurisdictions: United States of America and Ireland (the “Processing Jurisdictions”). ProcessUnity will not transfer any User Data outside of the Processing Jurisdictions without the prior written agreement of Customer and Users.

8.2 Sub-Processors. Before providing User Data of a European citizen to Sub-Processors, ProcessUnity will use commercially reasonable efforts to ensure that the Sub-Processors will either be certified under the EU-US Privacy Shield or that the Sub-Processors execute EU-prescribed Standard Contractual Clauses.

9. AUDIT REPORTS

If ProcessUnity engages a third-party auditor to perform a Statement on Standards for Attestation Engagements No. 16 (SSAE 16) or other data security audit of ProcessUnity’s operations, information security program or disaster recovery/business continuity plan, ProcessUnity shall provide a copy of the audit report to Customer or User within a reasonable period of time after receipt of a request from Customer or the User for such a report. Any such audit reports shall be ProcessUnity’s confidential information.