GDPR statement
On May 25th, 2018, the General Data Protection Regulation (GDPR) came into effect in all European Union (EU) member states, impacting organizations processing personal data of EU citizens. The GDPR represents the strengthening and harmonization of existing data privacy rights for individuals in the European Union.
SURTECH SOLUTIONS LLC is committed to protecting the personal data of its employees, contractors, clients, and suppliers from the EU, regardless of where such data is processed. We have a robust security program and a set of established practices, processes, and internal policies throughout our organization to ensure that the personal data of EU individuals is processed appropriately and protected in our information systems.
When processing the personal data of EU individuals, we:
- Strive to maintain user privacy and confidentiality.
- Ensure we have consent to collect and use data (where necessary).
- Limit the collection, storage and use of data only to the extent that there is a commercial reason and consent.
Additionally, we want to inform you that we carefully consider all requests for information and, as a standard practice, do not provide third parties with account information that is not theirs unless we are legally obligated to do so, as detailed in the Privacy Policy. This means that we only respond to a court order, subpoena, search warrant, or other legally valid request for information and account history for SURTECH SOLUTIONS. Certain guidelines are followed in responding to information requests, whether from a governmental or non-governmental entity:
- Whenever possible, we encourage the requester to seek the information directly from the account holders rather than from SURTECH SOLUTIONS.
- We ask that requesters provide as much information as possible to properly identify the correct user account. We will not respond to a request unless we first have adequate and specific information, such as an email address, email headers, internet domain, username, IP address, or other similar information that enables us to identify and locate the correct account.
Below are some highlights of how SURTECH SOLUTIONS LLC protects European data to ensure GDPR compliance:
- SECURITY AND MEASURES APPLIED BY SURTECH SOLUTIONS LLC
A series of measures have been put in place to ensure that European data continues to be protected outside the EU.
Contractual commitments
We specify our commitments to security, processing confidentiality, limitations on international transfers of personal data, cooperation with data subject rights, security incident notification, and other relevant aspects.
Under no circumstances will SURTECH SOLUTIONS sell, rent or commercialize user data.
Security measures and good practices
SURTECH SOLUTIONS places the utmost importance on the privacy and security of its users’ data. Appropriate technical and organizational security measures are implemented and maintained to protect customer data against security incidents and preserve the security and confidentiality of customer data in accordance with security standards.
We want to inform you that when starting new projects or products, implementing changes in software, or incorporating new vendors who may process personal data of EU individuals, the data privacy impact will be assessed to ensure that personal data is adequately protected in any system or process controlled by SURTECH SOLUTIONS.
SURTECH SOLUTIONS is committed to the following principles:
– Confidentiality of processing. SURTECH SOLUTIONS will ensure that any person authorized to process customer data (including its employees, agents, and subcontractors) has an appropriate obligation of confidentiality (whether a contractual or legal obligation).
– Security measures updates. The Customer is responsible for reviewing the information provided by SURTECH SOLUTIONS regarding data security and independently determining whether the service meets the customer’s legal requirements and obligations under data protection laws. The customer acknowledges that security measures are subject to technical progress and development and that SURTECH SOLUTIONS may periodically update or modify security measures, provided that such updates and modifications do not result in a degradation of the overall security of the service provided to the customer.
– Customer responsibilities. Notwithstanding the above, the customer agrees that they are responsible for secure use of the service, which includes securing their account authentication credentials, protecting the security of customer data when in transit to and from the service, and taking appropriate measures to encrypt or securely back up customer data uploaded to the service.
– Data Breach Response Plan: In the event of a data breach that may affect the security of personal data of employees, clients, or suppliers, we will take steps to notify EU authorities within 72 hours of discovering the incident.
Finally, here is a summary of some of the technical and organizational measures we have implemented so far to protect against unauthorized access to user data:
(1) Encryption: To the extent technically feasible, SURTECH SOLUTIONS has implemented encryption technologies throughout its infrastructure to help protect user data from unauthorized access when internally processed by SURTECH SOLUTIONS.
(2) Access Controls: SURTECH SOLUTIONS restricts third-party access to its internal tools and infrastructure. Our legal team evaluates all access requests, ensures the request is appropriate for the work to be performed, and verifies that the third party follows all security and privacy provisions described in their contract. Once approved, SURTECH SOLUTIONS only grants access via controlled accounts to clearly identified parties in the system.
SURTECH SOLUTIONS is committed to maintaining the highest levels of privacy and security for our users.
(3) Vendor agreements: We take all necessary steps to ensure that our agreements with our external international vendors (including subprocessors) contain the appropriate commitments of such third parties regarding the transfer and processing of European data outside of Europe, and that we implement an adequate and legal data transfer mechanism and any necessary additional safeguards.
SURTECH SOLUTIONS offers the option to exercise redress rights under the GDPR to individuals against SURTECH SOLUTIONS, and the right to resort to international arbitration.
SURTECH SOLUTIONS will make available to the customer all reasonably necessary information to demonstrate compliance with this text and to allow and contribute to audits, including inspections by the customer to assess such compliance. The customer acknowledges and agrees that they will exercise their audit rights granted by data protection laws by directing SURTECH SOLUTIONS to comply with the audit measures described below.
- Security reports. The Customer acknowledges that they are regularly subject to audits according to industry-leading standards by external independent auditors and internal auditors respectively.
- Security due diligence. In addition to the report, SURTECH SOLUTIONS will respond to all reasonable requests for information made by the customer to confirm compliance.
- ABOUT INTERNATIONAL TRANSFERS
If you are a user located in the European Economic Area (EEA), the United Kingdom, or Switzerland (referred to collectively as «Europe»), or you use our platform to process data of your contacts in Europe, we have drafted this text to allow you to transfer European personal data to SURTECH SOLUTIONS LLC (hereinafter, SURTECH SOLUTIONS) in the United States and allow SURTECH SOLUTIONS LLC to legally process that data on your behalf.
By using SURTECH SOLUTIONS or by opening an account on the platform, you accept these Terms. Under SURTECH SOLUTIONS’ Terms, each user promises that their use will comply with all applicable laws.
SURTECH SOLUTIONS has adopted additional measures to ensure an adequate level of protection for transferred data. SURTECH SOLUTIONS has taken into account the Recommendations on Supplementary Measures from the European Data Protection Board, which aim to assist controllers and processors acting as data exporters in meeting their obligations. This includes determining and implementing appropriate supplementary measures when necessary and ensuring a level of protection essentially equivalent to the data they transfer outside Europe. In the event that SURTECH SOLUTIONS cannot guarantee compliance with these conditions, it will immediately inform the customer of its inability to comply.
- RESPONSIBILITIES AND LIMITATIONS
If European data protection laws apply to the processing of customer data by any of the parties, the parties acknowledge and agree that, with respect to the processing of customer data, SURTECH SOLUTIONS is a processor acting on behalf of the customer, as set forth in our privacy policies and as provided for in Article 28 of the GDPR.
SURTECH SOLUTIONS will process customer data in accordance with the documented legal instructions of the customer as necessary to comply with applicable law or as otherwise agreed in writing. The parties agree that the agreement, together with the customer’s configuration or use of service configuration options, features, or service options (which the customer may modify periodically), constitute the complete and final instructions of the customer to SURTECH SOLUTIONS regarding the processing of customer data, and processing beyond the scope of these instructions will require prior written agreement between the parties.
The customer represents and warrants that (i) they have complied, and will continue to comply, with all applicable laws, including data protection laws, regarding their processing of customer data and any processing instructions issued to SURTECH SOLUTIONS; and (ii) they have provided, and will continue to provide, all notices and have obtained, and will continue to obtain, all necessary consents and rights under data protection laws for SURTECH SOLUTIONS to process customer data for the purposes described in the agreement. The customer shall be solely responsible for the accuracy, quality, and legality of customer data and the means by which the customer acquired customer data. Notwithstanding the foregoing, the customer agrees that they are responsible for complying with all laws (including data protection laws) applicable to any campaign or other content created, sent, or managed through the service, including those related to obtaining consents (where applicable) to send emails, email content, and email distribution practices.
The customer will ensure that SURTECH SOLUTIONS’ processing of customer data in accordance with the customer’s instructions does not cause SURTECH SOLUTIONS to violate any applicable law, regulation, or rule, including, among others, data protection laws. SURTECH SOLUTIONS will immediately notify the customer in writing, unless prohibited by European data protection laws, if it becomes aware or believes that any customer data processing instruction violates European data protection laws. When the customer acts as a processor on behalf of an external data controller (or other intermediary of the final data controller), the customer warrants that their data processing instructions, as set forth in the agreement and this text, including their authorizations to SURTECH SOLUTIONS for the appointment of sub-processors, have been authorized by the relevant data controller. The customer will be responsible for forwarding any notifications received under this text to the relevant data controller, as appropriate.
- RIGHTS THAT ASSIST THE INTERESTED PARTY ACCORDING TO THE GDPR
We understand that anyone doing business with us may have questions about the types of personal data SURTECH SOLUTIONS processes about them. As part of the Service, SURTECH SOLUTIONS allows the Customer to retrieve, correct, delete, or restrict the use of Customer Data through the Customer’s account at no additional cost. The Customer may use these capabilities to assist them in relation to their obligations (or those of their third-party controller) under Data Protection Laws concerning responding to requests from data subjects.
Additionally, SURTECH SOLUTIONS, considering the nature of processing, will provide reasonable additional assistance to the Customer to the extent possible to enable the Customer (or their third-party controller) to comply with their data protection obligations regarding data subject rights under Data Protection Laws.
In the event that such request is made directly to SURTECH SOLUTIONS, it will not respond to such communication directly, except as appropriate (e.g., to instruct the data subject to contact the Customer) or as legally required, without the prior authorization of the Customer. If SURTECH SOLUTIONS is required to respond to such request, it shall, where the Customer is identified or identifiable from the request, immediately notify the Customer and provide the Customer with a copy of the request unless legally prohibited from doing so. To avoid any doubt, none of the provisions contained in the agreement will restrict or prevent SURTECH SOLUTIONS from responding to any data subject or data protection authority request regarding personal data for which SURTECH SOLUTIONS is the data processor.
MODIFICATIONS AND UPDATES
These conditions will remain in effect for as long as SURTECH SOLUTIONS carries out customer data processing operations on behalf of the customer or until termination of the agreement (and all customer data has been returned or deleted).
Unless any changes are made under this text, the agreement remains unchanged and in full force and effect. Only the parties to this agreement, their successors, and authorized assignees will have the right to enforce any of its terms.
This text will be governed and construed in accordance with applicable data protection provisions and other provisions applicable to ensure the security and proper functioning of the service.
If you have questions about SURTECH SOLUTIONS and GDPR, please consult our Privacy Policy or contact gdpr@midway.la.
Last update: 22/02/2024