Safe Harbor Policy
Processor on Behalf of Customers
Zapproved provides software as a service designed to help companies manage their legal hold notification and preservation process, as well as collect and process data related to corporate legal and IT needs. In this capacity, Zapproved does not own or control any of the information it processes on behalf of its customers. Zapproved receives information transferred from the EU to the United States merely as a processor on behalf of our customers.
Zapproved has appointed a corporate leader of fair information practices who is responsible for the internal supervision of Zapproved’s privacy policies. Zapproved has also appointed a corporate leader for data security. Zapproved is committed to educating its customers and associates (employees) in the United States about the issues, guidelines and laws surrounding compliance with EU Safe Harbor.
The corporate leader for fair information practices is available to any associate who has questions concerning Zapproved’s EU Safe Harbor Policy or data security practices.
Zapproved’s policies and manner of compliance are described separately below.
Zapproved as a Processor on Behalf of Customers
When Zapproved acts as a processor on behalf of its customers, the policies outlined below apply to all data processing operations concerning personal information that has been transferred from the EU to the United States.
Before starting any processing on behalf of Zapproved’s customers, Zapproved will enter into a processing contract with the EU data controller responsible for the personal information pursuant to the applicable EU Member State Data Protection law.
The processing contract ensures that the EU data controller will be in compliance with the Member State Data Protection law. The processing contract will also specify that the processing will be carried out with appropriate data security measures. Zapproved has in place measures to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction.
Any information Zapproved’s customer (acting as the EU controller) identifies as sensitive will be treated accordingly. Further, any data processed by Zapproved will not be disclosed to third parties except where permitted or required by the processing contract, EU Safe Harbor or the applicable Member State Data Protection law.
As a processor on behalf of Zapproved’s customers (who are the EU controllers), Zapproved is not required to apply other EU Safe Harbor Principles to the personal information received for processing from a customer.
Prior to the transfer of any non-public personal information from the EU to the United States, Zapproved requires contractual confirmation from the EU controller from whom Zapproved acquired the information that the personal data has been provided to Zapproved in accordance with the applicable EU Member State Data Protection law, thereby ensuring the data subjects have been provided with proper notice regarding how their personal data will be used. In addition, when personal data is collected directly from data subjects, Zapproved provides the data subject with notice regarding the manner and circumstances in which the personal data will be used and transferred to third parties.
Prior to the transfer of any non-public personal information from the EU to the United States, Zapproved requires contractual confirmation from the EU controller from whom Zapproved acquired the information that the personal data has been collected in accordance with applicable EU Member State Data Protection law, thereby ensuring the data subjects have been provided with the proper choice regarding how their personal data may be used.
Zapproved takes reasonable steps to ensure the information transferred from the EU to the United States is reliable, accurate and complete. The steps Zapproved takes to assure data integrity are based on the purposes for which the personal information is used.
Zapproved complies with the notice and choice principles as described above for all data disclosed or transferred to a third party. However, when Zapproved uses data processors to perform processing tasks on behalf of and under the instruction of Zapproved, Zapproved requires that its data processors either:
● Subscribe to the EU Safe Harbor Principles, the EU Data Protection Directive or another adequacy finding; or
● Enter into a written agreement with Zapproved requiring them to provide the same level of protection as Zapproved provides.
Zapproved has in place an information security policy to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction. Zapproved’s security officer is responsible for conducting investigations into any alleged computer or network breaches, incidents or problems and ensuring the proper disciplinary action is taken against those who violate Zapproved’s information security policy.
Any security compromises or potential security compromises and any inquiries concerning security should be reported to the Zapproved consumer advocate. Contact information is provided below.
Zapproved acts as a Data Processor. Zapproved’s customers are responsible, pursuant to their contractual agreements with the company, for providing individuals with access to their Personal Information and allowing individuals to correct, amend and delete their information, as required by applicable law. Zapproved requires its customers to maintain appropriate procedures for handling individuals’ requests to access, correct or delete their Personal Information, in accordance with applicable law. To exercise these rights, individuals should contact the appropriate Zapproved customer that transferred their Personal Information to Zapproved. Zapproved will cooperate fully with its customers in responding to any such request. In the event a request is made directly to Zapproved, customers are required to cooperate with Zapproved in promptly addressing such requests.
Zapproved agrees to process all reasonable requests for access within a reasonable time period, but reserves the right to deny access or limit access in cases where the burden or cost of providing access would be disproportionate to the risks to the individual’s privacy or in the case of an unwarranted or fraudulent request.
Zapproved acts as a Data Processor. Individuals should submit complaints concerning the processing of their Personal Information to the company’s customer that originally collected their information in accordance with the customer’s relevant dispute resolution mechanism (if available). Zapproved will participate in the customer’s dispute resolution process at the request of the individual. If the issue cannot be resolved through the customer’s internal dispute resolution mechanism, the individual may submit the complaint to JAMS for mediation under the JAMS International Mediation Rules.
JAMS mediation may be commenced as provided for in the JAMS International Mediation Rules, which are accessible on the JAMS website. Mediation will be conducted by telephone, email or other electronic means of communication. Zapproved will take steps to remedy any problem arising out of a failure to comply with the Safe Harbor principles. Zapproved may not be required, however, to take any action contrary to applicable law.
The mediator or the individual also may refer the matter to the U.S. Federal Trade Commission, which has Safe Harbor enforcement jurisdiction over Zapproved.
How to Contact Us
Please address any questions or concerns regarding this Policy or Zapproved’s practices concerning Personal Information by contacting Zapproved’s VP of Products by telephone at (888) 806-6750, by email at firstname.lastname@example.org, or in writing addressed to:
Attention: VP of Products
2175 NW Raleigh St, Suite 400
Portland, OR 97210 USA
This Safe Harbor Policy was last revised April 14, 2015. Zapproved is a registered trademark of Zapproved, Inc.