Validated Cloud US-Swiss US-EU Data Privacy Framework Program
Note: Since the Privacy Shield Framework was invalidated by the EU Court of Justice in the Schrems ll decision, the EU and U.S. have been working together to launch its replacement which has now been finalized. The Data Privacy Framework (DPF) Program will replace Privacy Shield and serve as a mechanism to facilitate international data transfers between the EU and U.S. The European Commission adopted an adequacy decision for the new EU-U.S Data Privacy Framework (DPF). The principles for the DPF entered into effect on July 10th 2023, the same day the adequacy decision was reached.
Introduction
Validated Cloud Inc. (“Validated Cloud”) is a leading technology company specializing in HIPAA, 21 CFR Part 11 & Part 820 (FDA) and EudraLex Annex 11-compliant hosting. Protecting consumer privacy is important to Validated Cloud. This Data Privacy Policy outlines our general policy and practices for implementing the Privacy Shield Principles, including the types of information we gather, how we use it and the notice and choice affected individuals have regarding our use of Personal Information and their ability to correct that Personal Information. This Data Privacy Policy applies to all Personal Information received by Validated Cloud and recorded in any form. Validated Cloud is subject to the regulatory and enforcement jurisdiction of the U.S. Federal Trade Commission (FTC).
Validated Cloud complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Validated Cloud has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Validated Cloud has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Definitions
“Personal Information” or “Information” means information that (1) is transferred from the EU, the UK and Switzerland to the United States; (2) is recorded in any form; (3) is about, or pertains to a specific individual; and (4) can be linked to that individual.
“Sensitive Personal Information” means Personal Information that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership or that concerns an individual’s health.
Personal Information that is transferred by clients to Validated Cloud in the United States from the European Union or Switzerland falls under one of the following two situations:
- “Data Processor”: When acting as a Data Processor on behalf of its clients, Validated Cloud acts only on the instructions of its “data controller” clients and does not control or share such data without direction from the client. For such processing, Validated Cloud enters into appropriate written agreements with each client evidencing and confirming that the client is the data controller for the purpose of the EU Data Directive and is in compliance with the applicable data protection laws. Validated Cloud does not determine what types of data its clients store on Validated Cloud’s servers or how that data is acquired, categorized, classified, accessed, exchanged or otherwise processed. Types of data include intellectual property, identifiable and de-identifiable patient records, emails, names, clinical trial data, validated data and non-validated data. Validated Cloud’s clients have control over such data at all times, and Validated Cloud’s clients are responsible for compliance with all applicable data protection principles for their own customers. Validated Cloud processes that data at the direction of its clients and in accordance with the terms of its written contracts with its clients.
“Data Controller”: Validated Cloud provides the platform for its clients to store and process data. Types of data include intellectual property, identifiable and de-identifiable patient records, emails, names, clinical trial data, validated data and non-validated data. Data can be transferred by clients to Validated Cloud over secure and encrypted channels or via transportable media. Validated Cloud simply accepts client data, but does not create, modify or delete client data of record.
Principles
Notice
Notice is hereby provided in clear and conspicuous language when individuals are first asked to provide Personal Information to Validated Cloud, or as soon as practicable thereafter, and in any event before Validated Cloud uses or discloses the Personal Information for a purpose other than for which it was originally collected. Where Validated Cloud receives transfers of Personal Information from the EU, the UK or Switzerland to the United States, Validated Cloud requires contractual provisions from the EU, UK or Swiss Data Controller that the Personal Information has been provided by clients to Validated Cloud in accordance with the applicable EU Member State, the UK or Swiss data protection laws to ensure that the individuals have been provided with appropriate notice regarding how their Personal Information will be used.
Choice
Where Validated Cloud collects non-public Personal Information directly from EU, UK or Swiss data subjects, Validated Cloud will offer individuals the opportunity to choose (opt out) whether their Personal Information is (1) to be disclosed to a third party or (2) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. For Sensitive Personal Information, Validated Cloud will give individuals the opportunity to affirmatively or explicitly (opt out) consent to the disclosure of the Sensitive Personal Information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. All individual and company data is confidential under the terms of the Validated Cloud hosting agreement signed by each Validated Cloud client, posted privacy policy, web site terms of service, and will not be shared with any third party without the written consent of the company or individual. Validated Cloud shall treat Sensitive Personal Information received from an individual the same as the individual would treat and identify it as Sensitive Personal Information.
Onward Transfers & Liability
Validated Cloud does not share data with any non-agent third parties. If in the future Validated Cloud practices change, this privacy policy will allow individuals choice.
Data Security
Validated Cloud shall take reasonable steps to protect the Information from loss, misuse and unauthorized access, disclosure, alteration and destruction. Validated Cloud has put in place appropriate physical, electronic and managerial procedures to safeguard and secure the Information from loss, misuse, unauthorized access or disclosure, alteration or destruction. Validated Cloud cannot guarantee the security of Information on or transmitted via the Internet. Note that Validated Cloud may be required to reveal an individual’s Personal Information in response to a legal request from public authorities including, but not limited to, the need to meet national security and/or law enforcement requirements.
Data Integrity
Validated Cloud shall only process Personal Information in a way that is compatible with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes, Validated Cloud shall take reasonable steps to ensure that Personal Information which it processes is accurate, complete, current and reliable for its intended use.
Access
Validated Cloud acknowledges the individual’s right to access his or her own Personal Information and shall allow an individual access to his or her own Personal Information and allow the individual to correct, amend or delete inaccurate information, except where the burden or expense of providing such access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated. Furthermore EU, UK, and Swiss individuals have the right to demand erasure of personal information that has been handled in violation of the DPF Principles. Individuals may write to Validated Cloud to receive access to their Personal Information.
Enforcement
Validated Cloud uses a self-assessment approach to assure compliance with this Data Privacy Policy and periodically verifies that the Policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible and in conformity with the Principles. We encourage interested persons to raise any concerns using the contact information provided and we will investigate and attempt to reasonably resolve any complaints and disputes regarding use and disclosure of Personal Information in accordance with the Principles.
Dispute Resolution
In compliance with the EU-U.S Data Privacy Framework (EU-U.S DPF), the UK Extension to the EU-U.S DPF, and the Swiss-U.S Data Privacy Framework (Swiss-U.S DPF) Principles, Validated Cloud commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the EU-U.S DPF, the UK extension to the EU-U.S DPF, and the Swiss-U.S Data Privacy Framework Principles. European Union, United Kingdom, and Swiss individuals with inquiries or complaints should first contact Validated Cloud in writing at:
Validated Cloud Inc.
Attn: Legal Department
330 Bear Hill Road, Suite 205
Waltham, MA 02451
Phone: 800-401-9123
Fax: 617-500-8340
Email: legal@validatedcloud.com
Validated Cloud has further committed to refer unresolved privacy complaints under the Data Privacy Framework program to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2
Amendments
This Data Privacy Policy may be amended from time to time consistent with the requirements of the DPF. Validated Cloud will post any revised Policy on this website.
Contact Information
Questions, comments or complaints regarding Validated Cloud’s Data Privacy Policy or data collection and processing practices must be mailed to:
Validated Cloud Inc.
Attn: Legal Department
330 Bear Hill Road, Suite 205
Waltham, MA 02451
Or emailed to: legal@validatedcloud.com
Effective date: 10OCT2023