EU-US Privacy Shield

The European Union (“EU”) adopted Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“EU Directive”), which requires EU member countries to adopt laws protecting personal data collected within their borders. Switzerland adopted the Swiss Federal Data Protection Act (“SFDPA”) and the Data Protection Ordinance (“DPO”), which regulate all acts of personal data processing. In accordance with Article 2a of the EU Directive, and the SFDPA and DPO, personal data includes any information relating to an identified or identifiable natural person (“Personal Data”). The EU Directive, SFDPA and DPO allow the transfer of Personal Data only to countries that have data protection laws deemed “adequate” under the respective legal frameworks. The US Department of Commerce has agreed on the requirements to enable US Companies to satisfy the mandate under EU law and Swiss law that adequate protection be given to Personal Data transferred from the EU or Switzerland to the US. For EU citizens’ Personal Data, these requirements are memorialized in the EU-US Privacy Shield Framework. For Swiss citizens’ Personal Data, these requirements are memorialized in the US-Swiss Safe Harbor Framework.

Zapproved is pursuing certification and adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability.

Zapproved complies with the EU-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries. As an e-discovery company, data we collect and store is done so at the direction of and on behalf of our customers, rather than directly from individuals. All data Zapproved collects and/or retains on behalf of our customers is kept pursuant to strict privacy and confidentiality practices, and Zapproved does not disclose data to third parties.

If there is any conflict between the policies in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.

The United States Federal Trade Commission (FTC) is the enforcement authority with jurisdiction over this compliance with the Privacy Shield.

In compliance with the EU-US Privacy Shield Principles, Zapproved commits to resolve complaints about your privacy and our collection or use of your personal information. An individual who seeks access or who seeks to correct, amend, or delete inaccurate data provided to Zapproved by our customer should direct their query to that customer. An individual wishing to limit the use or sharing of their data should direct their query to that customer. European Union individuals with inquiries or complaints regarding this privacy policy may also contact Zapproved at:

Zapproved, Inc.
Attention: VP of Product Strategy
1414 NW Northrup St. Ste. 700
Portland, OR 97209 USA

Zapproved has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.

Finally, as a last resort and in limited situations, individuals may seek redress from the Privacy Shield Panel, a binding arbitration mechanism.

US-Swiss Safe Harbor
Zapproved has certified that it adheres to the US-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce on July 21, 2000. Zapproved also supports the addition of Standard Contractual Clauses (also referred to as “Model Contracts”) as issued by the European Commission pursuant to Article 26(2) of EU Data Protection Directive 94/46/EC for purposes of establishing safeguards to allow for the transfer of personal data from the EU to countries (such as the U.S.) that are not otherwise deemed to provide “adequate” protection for the data. To learn more about the Swiss Safe Harbor Framework and to view our certification page, please visit http://www.export.gov/safeharbor/.

In compliance with the US-Swiss Safe Harbor Principles, Zapproved commits to resolve complaints about your privacy and our collection or use of your personal information. Swiss citizens with inquiries or complaints regarding this privacy policy should first contact (your company name) at:

Zapproved, Inc.
Attention: VP of Product Strategy
1414 NW Northrup St. Ste. 700
Portland, OR 97209 USA

Zapproved has further committed to refer unresolved privacy complaints under the US-Swiss Safe Harbor to an independent dispute resolution mechanism operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/us/safe-harbor-complaints for more information and to file a complaint.

Processor on Behalf of Customers
Zapproved provides software as a service designed to help companies manage their legal hold notification and preservation process, as well as collect and process data related to corporate legal and IT needs. In this capacity, Zapproved does not own or control any of the information it processes on behalf of its customers. Zapproved receives information transferred from the EU to the United States merely as a processor on behalf of our customers.

Zapproved has appointed a corporate leader of fair information practices who is responsible for the internal supervision of Zapproved’s privacy policies. Zapproved has also appointed a corporate leader for data security. Zapproved is committed to educating its customers and associates (employees) in the United States about the issues, guidelines and laws surrounding compliance with the Privacy Shield Framework.
The corporate leader for fair information practices is available to any associate who has questions concerning Zapproved’s Safe Harbor Policy or data security practices.

Zapproved’s policies and manner of compliance are described separately below.

Zapproved as a Processor on Behalf of Customers
When Zapproved acts as a processor on behalf of its customers, the policies outlined below apply to all data processing operations concerning personal information that has been transferred from the EU to the United States.

Processing Contracts
Before starting any processing on behalf of Zapproved’s customers, Zapproved will enter into a processing contract with the EU data controller responsible for the personal information pursuant to the applicable EU Member State Data Protection law.

The processing contract ensures that the EU data controller will be in compliance with the Member State Data Protection law. The processing contract will also specify that the processing will be carried out with appropriate data security measures. Zapproved has in place measures to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction.

Any information Zapproved’s customer (acting as the EU controller) identifies as sensitive will be treated accordingly. Further, any data processed by Zapproved will not be disclosed to third parties except where permitted or required by the processing contract, EU Privacy Shield or the applicable Member State Data Protection law. Zapproved will not disclose personally identifiable information to third parties unless specifically agreed to and at the direction of the data owner, or when we are required by law in response to lawful requests by public authorities to meet national security or law enforcement requirements including subpoenas, court orders or legal process.

As a processor on behalf of Zapproved’s customers (who is the EU controller), Zapproved is not required to apply other EU Privacy Shield Principles to the personal information received for processing from a customer.

Notice
Prior to the transfer of any non-public personal information from the EU to the United States, Zapproved requires contractual confirmation from the EU controller from whom Zapproved acquired the information that the personal data has been provided to Zapproved in accordance with the applicable EU Member State Data Protection law, thereby ensuring the data subjects have been provided with proper notice regarding how their personal data will be used. In addition, when personal data is collected directly from data subjects, Zapproved provides the data subject with notice regarding the manner and circumstances in which the personal data will be used and transferred to third parties.
Choice
Prior to the transfer of any non-public personal information from the EU to the United States, Zapproved requires contractual confirmation from the EU controller from whom Zapproved acquired the information that the personal data has been collected in accordance with applicable EU member State Data Protection law, thereby ensuring the data subjects have been provided with the proper choice regarding how their personal data may be used.

Data Integrity
Zapproved takes reasonable steps to ensure the information transferred from the EU to the United States is reliable, accurate and complete. The steps Zapproved takes to assure data integrity are based on the purposes for which the personal information is used.

Onward Transfer
Zapproved complies with the notice and choice principles as described above for all data disclosed or transferred to a third party. However, when Zapproved uses data processors to perform processing tasks on behalf and under the instruction of Zapproved, Zapproved requires that its data processors enter into a written agreement with Zapproved requiring them to provide the same level of protection as Zapproved provides, and retains liability for onward transfers to such agents when under the direction of Zapproved.

Security
Zapproved has in place an information security policy to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction. Zapproved has received SOC 2® Type 2 Report certification that it complies with this policy, providing for independent third-party validation that it has controls in place to protect against unauthorized access (both physical and logical).

Zapproved’s security officer is responsible for conducting investigations into any alleged computer or network breaches, incidents or problems and ensuring the proper disciplinary action is taken against those who violate Zapproved’s information security policy.

Any security compromises or potential security compromises and any inquiries concerning security should be reported to the Zapproved consumer advocate. Contact information is provided below.

Access
Zapproved acknowledges the right of EU individuals to access information held about them. When Zapproved acts as a Data Processor, Zapproved’s customers are responsible, pursuant to their contractual agreements with the company, for providing individuals with access to their Personal Information and allowing individuals to correct, amend and delete their information, as required by applicable law. Zapproved requires its customers to maintain appropriate procedures for handling individuals’ requests to access, correct or delete their Personal Information, in accordance with applicable law. To exercise these rights, individual should contact the appropriate Zapproved customer that transferred their Personal Information to Zapproved. Zapproved will cooperate fully with its customers in responding to any such request. In the event a request is made directly to Zapproved, customers are required to cooperate with Zapproved in promptly addressing such requests.
Zapproved agrees to process all reasonable requests for access within a reasonable time period, but reserves the right to deny access or limit access in cases where the burden or cost of providing access would be disproportionate to the risks to the individual’s privacy or in the case of an unwarranted or fraudulent request as provided under “How to Contact Us.”

Enforcement
Zapproved acts as a Data Processor. Individuals should submit complaints concerning the processing of their Personal Information to the company’s customer that originally collected their information in accordance with the customer’s relevant dispute resolution mechanism (if available). Zapproved will participate in the customer’s dispute resolution process at the request of the individual.

How to Contact Us
Please address any questions or concerns regarding this Policy or Zapproved’s practices concerning Personal Information by contacting Zapproved’s VP of Product Strategy by telephone at (888) 806-6750, by email at support@zapproved.com, or in writing addressed to:

Zapproved, Inc.
Attention: VP of Product Strategy
1414 NW Northrup St. Ste. 700
Portland, OR 97209 USA

This EU-US Privacy Shield and Swiss Safe Harbor Privacy Policy was last revised September 1, 2016. Zapproved is a registered trademark of Zapproved, Inc.