Privacy Shield Policy

Socure respects individual privacy and values the trust of Consumers and our Customers. This policy is designed to ensure that we collect, use, disclose and transfer data in a manner consistent with the laws of the countries in which we do business.

In order to legally transfer consumer information from third-parties in the European Union or Switzerland to us in the United States, we must treat transferred Consumer information consistent with European and Swiss privacy principles. This policy describes how we will comply with European Union and Swiss privacy law.

This policy applies to any Consumer information that we receive from our Customers in Europe and Switzerland.

A full list of Privacy Shield participants and their assigned dispute providers can be found on the Department of Commerce website at: https://www.privacyshield.gov/list

Definitions

• A "Consumer" is a natural person that Personal Data relates to.
• "Personal Data" broadly includes any information that could be used to identify a Consumer, either directly or in conjunction with other information and including information that is likely to come into our possession in the future. For example, Personal Data includes IP addresses, user IDs and information such as geolocation data that could be used to identify the person. Personal Data includes encrypted data for which we have a key or can otherwise feasibly decrypt but does not include data that is hashed or otherwise modified in a way that we are unable to reconstruct or use to identify a Consumer.
• "Processing" broadly includes storing, viewing, summarizing, transmitting, forwarding, deleting or any other interaction with Personal Data.
• "Privacy Principles" are the privacy principles consistent with European Union and Swiss law. We must treat Personal Data in accordance with these principles in order to comply with European Union and Swiss privacy law.
• "Sensitive Personal Data" is Personal Data that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, views or activities that concerns health or sex life, information about social security benefits, or information on criminal or administrative proceedings and sanctions other than in the context of pending proceedings. In addition, we will treat as Sensitive Personal Data any information received from a third-party where that third-party treats and identifies the information as sensitive.

Privacy Principles

European Union and Swiss privacy law requires us to treat Personal Data we Process in accordance with Privacy Principles which describe the privacy rights that we must provide Consumers to comply with European and Swiss privacy law.

The Privacy Principles are:

a. Notice – To the extent we collect or maintain Personal Data, we will inform Consumers, through our Customers or other reasonable means,

1. the purposes and use of Personal Data we collect about them;
2. who we disclose their Personal Data to; 
3. the choices they have to limit our use and disclosure of Personal Data about them;
4. when they are subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC), the Department of Transportation (DoT), or any other U.S. authorized statutory body;
5. how to make those choices; and
6. how to contact us about their Personal Data.

Our website privacy policy provides notice of our practices in clear language. Personal Data received from third-parties may only be used as permitted by privacy policies that apply to that Personal Data.

b. Choice – We will take reasonable steps to ensure that our Customers provide Consumers with the opportunity to choose (opt-out of) whether we may use their Personal Data for any purpose not disclosed to the Consumer when the data is collected. To the extent that Socure collects or maintains Personal Data directly, we will ensure that Customers are provided with the same choice to opt-out of uses of their Personal Data not disclosed when the data is collected. 

For Sensitive Personal Data, we will take reasonable steps to ensure that our Customers obtain adequate consent for our uses of the data. To the extent that Socure collects or maintains Sensitive Personal Data directly, we will ensure that Customers are provided with the same choice to opt-in to uses of their Personal Data not disclosed when the data is collected. 

Where Socure provides Consumers with choices regarding their Personal Data, Consumers must be provided with user-friendly mechanisms to exercise their choices.

c. Onward Transfers – We must obtain contractual or other enforceable assurances from third-parties that they will safeguard Personal Data consistently with this Policy prior to transferring any Consumer information. These transfers are used only for limited and specific purposes. Where we have knowledge that a third-party is using or disclosing Personal Data in a manner contrary to this Policy, we will take reasonable steps to prevent or stop the use or disclosure.

d. Security – We will take reasonable precautions to secure and protect Personal Data in its possession from loss, misuse, unauthorized access, disclosure, alteration, and destruction.

e. Data Integrity – Personal Data must be used only in ways that are compatible with the purposes for which it was collected, or subsequently authorized by the Consumer. We must take reasonable steps to ensure that the Personal Data processed is necessary for our intended use, and is accurate, complete, and current.

f. Access and Correction – Where we collect or maintain Personal Data, we will provide Consumers reasonable access to their Personal Data. In addition, we will take reasonable steps to permit Consumers to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete.

g. Recourse, Enforcement, and Liability – Our privacy policies include both a process for Consumers to submit requests or complaints and information on how to appeal an adverse decision to JAMS (http://www.jamsadr.com) for resolution by an independent adjudicator. For EU and Swiss citizens, if after contacting Socure then the independent adjudicator neither party responds, individuals may then pursue binding arbitration when these other mechanisms fail.

We review this policy, our privacy policy, any applicable data transfer agreements or contracts, and our Privacy Shield Certification registration to ensure that any statements regarding how Personal Data is handled are true.

We take reasonable steps to monitor our privacy practices to verify adherence to this Policy. Any employee that we determine is acting or has acted in violation of this policy will be subject to disciplinary action up to and including termination of employment.

Organizations such as Socure are obligated to arbitrate claims and follow the terms as set forth in Annex I of the Privacy Shield Framework provided that an individual has invoked binding arbitration by delivering notice to the organization at issue and following the procedures and subject to conditions set forth in Annex I.

Exceptions to This Policy

We may disclose Personal Data if: (a) we are required to respond to a legal or ethical obligation; (b) necessary to meet national security, public interest or law enforcement obligations; or (c) expressly permitted by an applicable law, rule or regulation.

FAQs

• Does this policy apply to data collected on our US-based websites? 
  No. This policy only applies to data that is transferred to us from Europe or Switzerland. 
  
  
• Can Socure combine Personal Data with information collected through US-based websites or other sources? 
  Yes, but Consumers must be able to exercise their rights with respect to Personal Data, which may require technical solutions that encompass all of the combined data. 
  
  
• How long do these rules apply to the data? 
  This policy applies to Personal Data throughout its lifecycle. Personal Data must be treated in compliance with this Policy as long as we have the data. 
  
  
• Does this policy apply to third-parties with which we share data? 
  The requirements of this policy extend to any third-party who receives Personal Data from us and we are responsible for ensuring that such third-parties comply with this policy, through contractual or other appropriate means. 
  
  
• Does Socure need consent from Consumers to use their Personal Data? 
  Our Customers are primarily responsible for obtaining the consent necessary for us to use the Personal Data that our Customers send to us. We rely on our Customers obtaining any necessary consents because Socure does not have a direct relationship with Consumers. We must take reasonable steps to ensure that our Customers obtain any necessary consents for our use of Personal Data, which is primarily through contractual obligations that require our Customer to comply with applicable laws. In most cases, we can rely on agreements with our Customers and use Personal Data without obtaining additional consents.