The Safe Harbor Program consists of seven privacy principles (“Principles”). The following describes how GSI addresses each of these Principles:
1. Notice.
As part of providing the Services, GSI may store, process or transmit information of individuals collected by Clients that may include Personal Information. The Personal Information that individuals submit to our Clients is what is transferred to GSI, as directed by such individuals, when such individuals submit their Personal Information to such Client(s). Such information is transmitted by the Client to GSI via the Internet where it is stored or processed on Client Resources.
GSI only stores, processes or transmits Personal Information at the direction of and on behalf of the Client who collected it. GSI does not collect Personal Information on its own behalf or use it for its own purposes, apart from use in providing the Services to the Client who collected it.
Each Client governs the manner in which Personal Information is collected and used by that Client. Personal Information is only disclosed by GSI to the Client who collects it, to third parties to whom the Client directs GSI to disclose it, or to persons or entities that request and are entitled to receive Personal Information under applicable law or legal process (such as a subpoena or court order).
If an individual wishes to limit use and disclosure of his or her Personal Information, the individual should first contact the official designated for such requests by the Client to which the individual submitted his or her Personal Information. If the individual cannot locate or contact that Client’s official, or is dissatisfied with their response, then the individual may contact GSI’s Safe Harbor privacy official at legalnotice@gsihosting.com, who will forward the request for limitation of use or disclosure to the applicable Client contact.
Because GSI shall store, process or transmit Personal Information as an agent of its Client, GSI shall use and disclose Personal Information in accordance with the reasonable notice policies provided by each Client and the choices made by individuals when they submit Personal Information to a Client.
2. Choice.
As noted above, GSI acts as the agent of its Clients with respect to Personal Information. If a Client instructs GSI to provide a reasonable means for individuals to opt out of having their Personal Information (a) disclosed to third parties, or (b) used for a purpose that is incompatible with the purpose for which that Client collected such Personal Information, then GSI shall follow that Client’s instructions in that regard, subject to applicable law.
Furthermore, to the extent that a Client instructs GSI to support that Client’s reasonable opt-in procedures for sensitive personal information as defined in the Directive (“Sensitive Personal Information”), GSI shall follow that Client’s instructions in that regard, subject to applicable law. It shall be the responsibility of each Client to determine what information is Sensitive Personal Information and to inform GSI accordingly.
3. Onward Transfer.
Because Clients shall utilize Client Resources provided by GSI to collect and use Personal Information, that Personal Information shall be accessible to the Client who has collected it. GSI shall allow or support the Client’s own access to such Personal Information (which may include transferring it to Client facilities or personnel), and may transfer that Personal Information to (a) third party agents of Client to whom the Client directs GSI to transfer it, such as data processors, (b) offsite storage facilities for backup purposes, or (c) persons or entities that request and are entitled to receive Personal Information under applicable law or legal process (such as a subpoena or court order).
In the event that GSI transfers Personal Information to a third party as noted above, GSI shall obtain appropriate assurances either by ascertaining that the third party is subject to the Principles and/or the Directive (as applicable), is Safe Harbor certified, is subject to another European Commission adequacy finding or has entered into a written agreement with GSI requiring that the third party provide the same level of protection to Personal Information as is required by the Principles.
Last, GSI may transfer Personal Information to an acquirer or successor in interest of GSI’s business or assets, but only for purposes of continuing to deliver the Services to Clients. Other than the onward transfers described in this section, GSI shall not transfer Personal Information to any third party.
4. Security.
GSI shall take reasonable precautions to protect Personal Information on Client Resources from loss, misuse, unauthorized access, disclosure, alteration or destruction. Details concerning the general security measures that GSI applies to all of its information technology resources and the Client Resources are posted at www.gsihosting.com/security. Additional details concerning the security measures applied by individual Clients may be hosted on such Clients’ sites.
5. Data Integrity.
As noted above, GSI acts as the agent of its Clients with respect to Personal Information. Clients shall be responsible for informing GSI of the purpose for which they have collected Personal Information. GSI shall process Personal Information, in the course of providing the Services, in a way that is compatible with that purpose. If a Client instructs GSI to take reasonable steps to ensure that data is reliable, accurate, complete and current to the extent needed to ensure that it is used in a way compatible with that purpose, then GSI shall follow that Client’s instructions in that regard, subject to applicable law. In addition, GSI shall use reasonable efforts to protect data hosted on Client Resources from security-related threats to reliability, accuracy, completeness and currency through application of the general security measures posted at www.gsihosting.com/security.
6. Access.
As noted above, GSI acts as the agent of its Clients with respect to Personal Information. If a Client instructs GSI to (a) establish a means for individuals to access their Personal Information held on Client Resources, and/or (b) provide a means for such individuals to correct, amend or delete that information where it is inaccurate (subject to exceptions in the Directive and applicable law), then GSI shall follow that Client’s reasonable instructions in that regard.
In the event that an individual wishes to (a) access his or her Personal Information held on Client Resources and/or (b) correct, amend or delete that Personal Information where it is inaccurate, the individual should first contact the responsible official of the Client who collected such Personal Information. If such an individual cannot locate or contact the responsible official of the Client for these purposes, or is dissatisfied with the response from the Client, then the individual may contact GSI’s Safe Harbor privacy official at legalnotice@gsihosting.com, who will forward the request to the applicable Client contact.
If the individual can verify his or her basis for seeking correction, amendment or deletion of Personal Information to the Client’s reasonable satisfaction, then GSI shall correct, amend or delete such information. GSI reserves the right to deny access or limit access in cases where the burden or cost of providing access would be disproportionate to the risks to the individual's privacy, in the case of a vexatious or fraudulent request or when permitted by applicable law.
7. Enforcement.
GSI is committed to ensuring that Personal Information is handled in a manner consistent with the Safe Harbor Program. In the event that an individual has a complaint or dispute concerning the manner in which his or her Personal Information has been handled, that individual may contact GSI’s Safe Harbor privacy official at legalnotice@gsihosting.com to register such complaint or dispute. GSI will reasonably cooperate with the individual, affected Client(s) and any United States authorities having lawful jurisdiction over such disputes or complaints, to the extent permitted by applicable law and with reference to the Principles, in the investigation and resolution of such complaints and disputes.
Furthermore, if a Client has instructed GSI with respect to its complaint or dispute process for Personal Information on Client Resources, GSI shall follow that Client’s reasonable complaint or dispute process in that regard, subject to applicable law.
GSI shall regularly review its use of Personal Information, as part of its standard security practices, in an attempt to verify that the attestations and assertions made in this Policy about GSI’s Safe Harbor related privacy practices are true and have been implemented as presented. GSI shall use reasonable efforts to remedy problems arising out of the failure to comply with the Principles by itself, its Clients or its or their third party agents, and shall apply consequences and sanctions to GSI personnel, Clients, or third party agents that are sufficient to ensure compliance with the Principles, subject to applicable law and GSI’s then-current employee disciplinary policy (for GSI personnel), Client contracts with GSI (for Clients) or third party agent agreements (for third party agents).