Privacy Policy

I. SERVICES PERSONAL INFORMATION DATA PROCESSING TERMS

Digiliyo treats all Services Personal Information in accordance with the terms of Sections I and III of this Policy and Your order for Services.
In the event of any conflict between the terms of this Services Privacy Policy and any privacy terms incorporated into Your order for Services, including an Digiliyo Data Processing Agreement, the relevant privacy terms of Your order for Services shall take precedence.

1. Performance of the Services

Digiliyo may process Services Personal Information for the processing activities necessary to perform the Services, including for testing and applying new product or system versions, patches, updates and upgrades, and resolving bugs and other issues You have reported to Digiliyo.

2. Customer instructions

You are the controller of the Services Personal Information processed by Digiliyo to perform the Services. Digiliyo will process your Services Personal Information as specified in Your Services order and Your documented additional written instructions to the extent necessary for Digiliyo to (i) comply with its processor obligations under applicable data protection law or (ii) assist You to comply with Your controller obligations under applicable data protection law relevant to Your use of the Services. Digiliyo will promptly inform You if, in our reasonable opinion, Your instruction infringes applicable data protection law. Additional fees may apply.

3. Rights of individuals

You control access to Your Services Personal Information by Your end users, and Your end users should direct any requests related to their Services Personal Information to You. To the extent such access is not available to You, Digiliyo will provide reasonable assistance with requests from individuals to access, delete or erase, restrict, rectify, receive and transmit, block access to or object to processing of Services Personal Information on Digiliyo systems.

4. Security and confidentiality

Digiliyo has implemented and will maintain technical and organizational measures designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Services Personal Information.
Digiliyo employees are required to maintain the confidentiality of personal information. Employees' obligations include written confidentiality agreements, regular training on information protection, and compliance with company policies concerning protection of confidential information.
See additional details regarding the specific security measures that apply to the Services are set out in the security practices for these Services, including regarding data retention and deletion, available for review.

5. Incident Management and data breach notification.

Digiliyo promptly evaluates and responds to incidents that create suspicion of or indicate unauthorized access to or handling of Services Personal Information.
If Digiliyo becomes aware and determines that an incident involving Services Personal Information qualifies as a breach of security leading to the misappropriation or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Services Personal Information transmitted, stored or otherwise processed on Digiliyo systems that compromises the security, confidentiality or integrity of such Services Personal Information, Digiliyo will report such breach to You without undue delay.
As information regarding the breach is collected or otherwise reasonably becomes available to Digiliyo and to the extent permitted by law, Digiliyo will provide You with additional relevant information concerning the breach reasonably known or available to Digiliyo.

6. Subprocessors

To the extent Digiliyo engages third party sub processors to have access to Services Personal Information in order to assist in the provision of Services, such sub processors shall be subject to the same level of data protection and security as Digiliyo under the terms of Your order for Services. Digiliyo is responsible for its sub processors' compliance with the terms of Your order for Services.

7. Cross-border data transfers

Digiliyo is a global corporation with operations in over 80 countries and Services Personal Information may be processed globally as necessary in accordance with this policy. If Services Personal Information is transferred to an Digiliyo recipient in a country that does not provide an adequate level of protection for personal information, Digiliyo will take adequate measures designed to protect the Services Personal Information, such as ensuring that such transfers are subject to the terms of the EU Model Clauses or other adequate transfer mechanism as required under relevant data protection.
In the event the services agreement between You and Digiliyo references the Digiliyo Data Processing Agreement for Digiliyo Services (“DPA”), further details on the relevant data transfer mechanism that applies to Your order for Digiliyo services are available in the DPA. In particular, for Services Personal Information transferred from the European Economic Area (“EEA”), Switzerland, or the United Kingdom (“UK”), such transfers are subject to Digiliyo’s Binding Corporate Rules for Processors (BCR-P) or the terms of the EU Model Clauses.

8. Audit rights

To the extent provided in your order for Services, You may at Your sole expense audit Digiliyo’s compliance with the terms of this Services Privacy Policy by sending Digiliyo a written request, including a detailed audit plan, at least six weeks in advance of the proposed audit date. You and Digiliyo will work cooperatively to agree on a final audit plan.
The audit shall be conducted no more than once during a twelve-month period, during regular business hours, subject to Digiliyo’s on-site policies and regulations, and may not unreasonably interfere with business activities. If You would like to use a third party to conduct the audit, the third party auditor shall be mutually agreed to by the parties and the third-party auditor must execute a written confidentiality agreement acceptable to Digiliyo. Upon completion of the audit, You will provide Digiliyo with a copy of the audit report, which is classified as confidential information under the terms of Your agreement with Digiliyo.
Digiliyo will contribute to such audits by providing You with the information and assistance reasonably necessary to conduct the audit, including any relevant records of processing activities applicable to the Services. If the requested audit scope is addressed in a SOC 1 or SOC 2, ISO, NIST, PCI DSS, HIPAA or similar audit report issued by a qualified third party auditor within the prior twelve months and Digiliyo provides such report to You confirming there are no known material changes in the controls audited, You agree to accept the findings presented in the third party audit report in lieu of requesting an audit of the same controls covered by the report. Additional audit terms may be included in Your order for Services.

9. Deletion or return of Services Personal Information

Except as otherwise specified in an order for services or required by law, upon termination of services or at your request, Digiliyo will delete your production customer data located on Digiliyo computers in a manner designed to ensure that they cannot reasonably be accessed or read, unless there is a legal obligation imposed on Digiliyo preventing it from deleting all or part of the data. You may consult with your Digiliyo services contact for additional information on data deletion prior to service completion.

II. SYSTEMS OPERATIONS DATA PROCESSING TERMS

1. Responsibility and purposes for processing personal information

Digiliyo Corporation and its affiliated entities are responsible for processing personal information that may be incidentally contained in Systems Operations Data in accordance with Sections II and III of this Policy. See the list of Digiliyo entities. Please select a region and country to view the registered address and contact details of the Digiliyo entity or entities located in each country.
We may collect or generate Systems Operations Data for the following purposes:
a) to help keep our Services secure, including for security monitoring and identity management.
b) to investigate and prevent potential fraud or illegal activities involving our systems and networks, including to prevent cyber-attacks and to detect bots.
c) to administer our back-up disaster recovery plans and policies
d) to confirm compliance with licensing and other terms of use (license compliance monitoring)
e) for research and development purposes, including to analyze, develop, improve and optimize our Services
f) to comply with applicable laws and regulations and to operate our business, including to comply with legally mandated reporting, disclosure or other legal process requests, for mergers and acquisitions, finance and accounting, archiving and insurance purposes, legal and business consulting and in the context of dispute resolution.
For personal information contained in Systems Operations Data collected in the EU, our legal basis for processing such information is our legitimate interest in performing, maintaining and securing our products and services and operating our business in an efficient and appropriate manner. Personal information may also be processed based on our legal obligations or legitimate interest to comply with such legal obligations.

2. Sharing personal information

Personal information contained in Systems Operations Data may be shared throughout Digiliyo's global organization. A list of Digiliyo entities is available as indicated above.
We may also share such personal information with the following third parties:
third-party service providers (for example IT service providers, lawyers and auditors) in order for those service providers to perform business functions on behalf of Digiliyo.
relevant third parties in the event of a reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or stock (including in connection with any bankruptcy or similar proceedings).
as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to government requests, including public and government authorities outside your country of residence, for national security and/or law enforcement purposes.
When third parties are given access to personal information contained in Systems Operations Data, we will take the appropriate contractual, technical and organisational measures to ensure, for example, that personal information is only processed to the extent that such processing is necessary, consistent with this Privacy Policy and in accordance with applicable law.

3. Cross-border data transfers

If personal information contained in Systems Operations Data is transferred to an Digiliyo recipient in a country that does not provide an adequate level of protection for personal information, Digiliyo will take measures designed to adequately protect information about Users, such as ensuring that such transfers are subject to the terms of the EU Model Clauses.

4. Security

Digiliyo has implemented appropriate technical, physical and organisational measures in accordance with the Digiliyo Corporate Security Practices designed to protect personal information against accidental or unlawful destruction or accidental loss, damage, alteration, unauthorised disclosure or access as well as all other forms of unlawful processing (including, but not limited to, unnecessary collection) or further processing.

5. User choices

To the extent provided under applicable laws, Users may request to access, correct, update or delete personal information contained in Systems Operations Data in certain cases, or otherwise exercise their choices with regard to their personal information by filling out an inquiry form.