As pertains to personal information contained in any "Services Data" (defined below), Core complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce and European Commission regarding the collection, use and retention of personal information from EU member countries when Core and its client have agreed by contract that transfers of personal information from the European Economic Area ("EEA") will be transferred and processed pursuant to the Privacy Shield for the relevant Services. Core commits to cooperate with the EU data protection authorities ("DPAs") to resolve disputes pursuant to the EU-US Privacy Shield Principles. Core is subject to the investigatory and enforcement powers of the Federal Trade Commission ("FTC"). In that regard, We certify that We comply with the seven (7) EU-US Privacy Shield Framework Principles set forth by the United States Department of Commerce, in relation to personal information collected from European Union states.
To learn more about the Privacy Shield framework, and to view Core's certification, please visit https://www.privacyshield.gov/list.
If You have questions or complaints regarding our Policy or practices, please contact us at email@example.com.
Core may access, collect and/or use Services Data in order to provide Services and to correct problems. Services Data may be accessed and used to perform support, consulting, and/or other services including, but not limited to, testing and applying new product or system versions, patches, updates and upgrades; monitoring and testing system use and performance; and resolving bugs and other issues. Any copies of Services Data created for these purposes are only maintained for time periods relevant to those purposes and treated as confidential under an applicable Core agreement with its client. Additionally, in certain circumstances, a law, court order, or other judicial or administrative process may require Core to provide access to Services Data to a government authority or a party to a private lawsuit.
Core may transfer and access Services Data as required for the purposes specified above, in compliance with applicable law and the agreement executed by Core and its client. We may share Services Data with third parties who provide services to Core, including but not limited to information technology and related infrastructure provisioning, customer service, email delivery, auditing, and other similar services. When Core shares Services Data with third party service providers, We require that they use your Services Data only for the purpose of providing services to us and subject to terms consistent with this Policy and an agreement executed by Core and such third party. Core employees and any subcontractors or agents acting on our behalf in order to provide Services are required to sign formal agreements protecting the strict confidentiality of Services Data and any/all client and Core confidential or proprietary information, their access is limited to that which is required for them to perform the service for which they have been employed or engaged and all Core personnel are required to attend annual security, confidentiality, and privacy training. Core is responsible for its agents' and subcontractors' compliance with the terms of this Policy.
Core does not use Services Data except for the purposes stated above and those purposes stated in a client's contract with Core. Core may process Services Data, but Core does not control Services Data. Core has no control over how its clients collect or use personal data or information, or even the nature or type of data or information a client may store on servers hosted or managed by Core, and Core does not own Services Data but all clients are required by contract to comply with all applicable laws, regulations, including the Privacy Shield Principles, if applicable, and the terms and conditions of their contracts with Core. If You provide any Services Data to Core, You are responsible for providing any notices and/or obtaining any consents necessary for Core to access, use, retain and transfer Services Data as specified in this Policy and in your contract with Core.
Core's access to Services Data is based on its specific contract with each of its clients and Core's security policies. Services Data that is stored in Core-hosted or managed systems is controlled via an access control list mechanism, as well as the use of an account management framework. You control access to Services Data by your End Users; End Users should direct any requests related to their personally identifiable information to You; however, if End Users contact Core directly, Core will take reasonable steps to facilitate communication between You and the affected End User.
Security. Core is committed to the security of your Services Data. Core employs physical, administrative and technical measures in order to prevent unauthorized access to Services Data. Core security policies cover the management of security for both its internal operations as well as the Services. These policies govern all areas of security applicable to Services and apply to all Core employees, subcontractors and agents. Core's security policies and procedures are continually reviewed and overseen by Core's CEO, President and CFO, and Vice President, General Counsel and CCO who are responsible for security oversight, compliance and enforcement, and for conducting information security assessments.
Core is also committed to reducing the risks of human error, theft, fraud, and misuse of its facilities. Core's requires that all employees, subcontractors, and agents read and acknowledge its security policies. Core employees, subcontractors, and agents are required to maintain the confidentiality of Services Data. Employees', subcontractors', and agents' confidentiality obligations include written confidentiality agreements, training on data protection, and compliance with all company policies relevant to the protection of confidential information.
Notification of Breach. Core continually evaluates and promptly responds to all incident reports and potential vulnerabilities of Services Data. Core's CEO, President and CFO, CCO, and Vice President, General Counsel and CCO review such incidents to determine appropriate escalation paths based on the specific details of each circumstance and put response teams in place to address the incidents. If Core determines that Services Data has been misappropriated or otherwise wrongly acquired by a third party, Core will promptly inform You of each misappropriation or acquisition.
As relates to Services Data and any information contained therein, including personal information, Core complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries when a client and Core have agreed by contract that transfers of personal information from the European Economic Area ("EEA") will be transferred and processed pursuant to the Privacy Shield for the relevant Services. When conducting those activities on behalf of its EEA or Swiss customers, Core holds and/or processes personal information from the EEA at the direction of the client. Core will then be responsible for ensuring that third parties acting as an agent on Core's behalf do the same. Core is responsible and liable under the Privacy Shield Principles if any third party agent acting on its behalf processes information in a way that is inconsistent with the Privacy Shield Principles, unless Core is able to prove that it is not responsible for the event that gave rise to the damage.
Core has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/list.
We strongly encourage You to contact us if You have any complaints regarding our compliance with this Policy or if You have any general privacy related complaints. We will investigate and attempt to resolve any such complaint and/or dispute regarding the use and/or disclosure of personal information in accordance with this Policy. For any complaints that cannot be resolved with Core directly and relate to Personal Information from EU member countries or Switzerland, Core has chosen to cooperate with EU DPAs and comply with the information and advice provided to it by an informal panel of DPAs in relation to such unresolved complaints (as further described in the Privacy Shield Principles). Please contact us to be directed to the relevant DPA contacts. As further explained in the Privacy Shield Principles, in certain circumstances, binding arbitration option may also be made available to you in order to address residual complaints not resolved by any other means. Core is subject to the investigatory and enforcement powers of the FTC as relates to Personal Information from EU member countries or Switzerland.
Core has appointed a Chief Compliance Officer and regularly reviews compliance with this Policy. If at any time You believe that personal information has been disclosed in violation of this Policy, please address written details concerning the unauthorized disclosure to:
Core Services Corporation
130 Belmont Drive
Somerset, NJ 08873
Attention: Vice President, General Counsel and Chief Compliance Officer
You may also contact us at firstname.lastname@example.org, if You have questions or complaints regarding our Policy or practices.
We will investigate your claim fully. We will also cooperate with appropriate government agencies, including local DPAs as applicable, to resolve any complaint regarding the transfer of personal data from EU member countries. In compliance with the EU-US Privacy Shield Principles, Core commits to resolve complaints about your privacy. Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.
We may change this Policy from time to time and will post notices on the Website at the time of any material changes to this Policy. Please refer to the bottom of this Policy, which indicates the date that it was most recently amended.
Last Updated: January 20, 2017
Effective: September 30, 2016