Kyriba Privacy Shield Privacy Notice

TRUSTe

Kyriba Corp. (“Kyriba” or “our” or “we”) are dedicated to conducting its business in a manner that complies with the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield both as published by the U.S. Department of Commerce. The United States Department of Commerce and the European Commission have previously agreed on a set of data protection principles to enable U.S. companies to satisfy the requirement under European Union law that adequate protection will be given to personal data transferred from the European Union to the United States. The United States Department of Commerce and the Federal Data Protection and Information Commissioner of Switzerland have previously agreed on a similar set of data protection principles to enable U.S. companies to satisfy the requirement under Swiss law that adequate protection be given to personal information transferred from Switzerland to the United States. Consistent with its commitment to protect personal privacy, Kyriba has certified that it abides by the Privacy Shield Privacy Principles as set forth by the U.S. Department of Commerce regarding the collection, storage, use, transfer and other processing of Personal Data transferred from the European Economic Area (“EEA”) and Switzerland (“Swiss”) to the United States to Kyriba from our corporate customers. This Privacy Shield Privacy Notice (this “Policy”) outlines our general policy and practices for implementing the Privacy Shield Privacy Principles for the handling of personal data for corporate customers. The use of the information collected through our service shall be limited to the purpose of providing the service or which the client has engaged Kyriba. To learn more about the Privacy Shield, and to view the certification for Kyriba, visit https://www.privacyshield.gov/welcome.

Definitions

“Customer(s)” means any individual or entity that legally purchases, installs, activates or subscribes to Kyriba’s products or services.

“Personal Data” means any information that (i) relates to a natural person or individual, (ii) is transferred to Kyriba in the U.S. from the EEA or Switzerland, (iii) is recorded in any form, (iv) relates to an identified or identifiable Customer, and (v) can be linked to that individual. Personal Data does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public personal information.

“Sensitive Personal Data” means Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, the commission or alleged commission of any offense, any proceedings for any offense committed or alleged to have been committed by the individual or the disposal of such proceedings, or the sentence of any court in such proceedings.

Scope

This Policy applies to the Personal Data and Sensitive Personal Data received by Kyriba in the United States from the EEA and from Switzerland, in electronic and paper format, from its Customers only. This Policy does not apply to information that may be received via Kyriba’s website located at www.kyriba.com; Kyriba’s website is governed by a separate privacy policy, http://www.kyriba.com/company/privacy-notice and terms of use, and we encourage you to read those policies carefully before using Kyriba’s website. Please note that the website is a United States-based website and is subject to United States law.

Kyriba participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We are committed to subjecting all Personal Data received from European Union (EU) member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield List, https://www.privacyshield.gov.

Kyriba is responsible for the processing of Personal Data it receives, under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Kyriba complies with the Privacy Shield Principles for all onward transfers of Personal Data from the EU and Switzerland, including the onward transfer liability provisions.

With respect to Personal Data received or transferred pursuant to the Privacy Shield Frameworks, Kyriba is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.

Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

To read more about how we treat information collected from the EU and Switzerland, please read this Policy.

Notice

When applicable,* we notify our Customers located in the EEA and Switzerland about the purposes for which we collect and use their Personal Data, the types of third parties to which we disclose the information, and the choices and means, if any, Kyriba offers Customers for limiting the use and disclosure of their Personal Data.

Any such notice will be provided in what we believe to be clear and conspicuous language when Customers are first asked to provide Personal Data to Kyriba, or as soon as practicable thereafter, and in any event before Kyriba uses or discloses such Personal Data for a purpose other than that for which it was originally collected or discloses information to a non-agent third party.

*Please note we generally do not collect nor seek to collect Personal Data from our Customers, and never collect Sensitive Personal Data from Customers. When such Personal Data is gathered, it is limited to information necessary to use Kyriba’s technology platform, and Customers are informed of such purposes. Our technology platform does allow information to be collected via “custom fields,” so it is also possible that Personal Data could be stored in our platform, but this is neither required nor encouraged. In those limited instances in which we do collect and use such Personal Data of Customers, such Customers can always contact Kyriba (as further specified below under “How to Contact Us”) regarding Kyriba’s use or disclosure of their Personal Data or to opt out.

Choice

Kyriba will offer Customers the opportunity to choose (opt-out) whether their Personal Data is (i) to be disclosed to a non-agent third party, or (ii) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the Customer. Kyriba will provide Customers with reasonable mechanisms to exercise their choices.

There are circumstances in which Kyriba collects Personal Data about EEA or Swiss residents with whom Kyriba does not have a direct relationship because Kyriba obtained or maintains such Personal Data as vendor for its Customers. In those circumstances, Kyriba informs its Customers that they are responsible for providing the relevant individuals with a choice as to whether their Personal Data may be (i) disclosed to and by Kyriba to certain third parties, or (ii) used for a purpose that is incompatible with the purpose for which the information originally was collected or subsequently authorized by such individual.

Kyriba may disclose Personal Data gathered from its Customers without offering an opportunity to opt out (i) if it is required to do so by law, regulation or legal process (such as a court order or subpoena), (ii) in response to requests by government agencies, such as law enforcement authorities, or (iii) when Kyriba believes disclosure is necessary or appropriate to prevent physical, financial or other harm, injury or loss or in connection with an investigation of suspected or actual illegal activity. Kyriba also reserves the right to transfer Personal Data in the event it sells or transfers all or a portion of its business or assets, or merges with another entity. Should such a sale, transfer or merger occur, Kyriba will use reasonable efforts to direct the transferee to use the Personal Data in a manner that is consistent with this Policy.

Onward Transfers (Transfers to Third Parties)

Kyriba may share Personal Data with Kyriba's subsidiaries and affiliates. Please also note that Kyriba may also share Personal Data with service providers we have retained to perform services on our behalf. We require service providers to whom we disclose Personal Data and who are not subject to either the laws based on the European Union Data Protection Directive or the Swiss Federal Act on Data Protection, as applicable, to either (i) subscribe to the Privacy Shield Privacy Principles, (ii) contractually agree to provide at least the same level of protection for Personal Data as is required by the relevant Privacy Shield Privacy Principles, or (iii) be subject to another European Commission adequacy finding.

Access and Correction

Upon request, Kyriba will provide you with information about whether or not we hold any of your Personal Data. To the extent required by law, we provide you with (i) reasonable access to the Personal Data you provide to us, and (ii) the ability to review, correct and delete such Personal Data. If you believe that any of the Personal Data that you have submitted through Kyriba’s website or technology platform is no longer accurate, or you wish to make any updates or changes, or request deletion, you may do so by emailing us at privacy@kyriba.com. Upon appropriate request we will update or amend your information, but we reserve the right to use any information previously obtained to verify your identity or take other actions that we believe are appropriate and lawful. We will endeavor to comply with your request as soon as reasonably practicable.

We may decline to process requests that are unreasonably repetitive, require disproportionate technical effort, jeopardize the privacy of others, are impractical, or for which access is not otherwise required by local law. Please note we may need to retain certain information for record keeping purposes, and there may also be residual information that will remain within our databases and other records, which will not be removed from such locations. Finally, we are not responsible for removing or deleting information from the databases of third parties (such as service providers or channel partners) with whom we have shared information about you or who host the data on our behalf.

Security

The security of your Personal Data is important to us. We follow generally accepted standards to protect the Personal Data submitted to us, both during transmission and once it is received. If you have any questions about the security of your Personal Data, you can contact us at privacy@kyriba.com.

Data Integrity

Kyriba takes reasonable steps to ensure that Customer Personal Data collected by Kyriba is (i) relevant for the purposes for which it is to be used, (ii) reliable for its intended use, and (iii) accurate, complete and current. We depend on our Customers to update or correct their Personal Data whenever necessary. Kyriba will use Personal Data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. Please note that in circumstances in which Kyriba maintains Personal Data about EEA or Swiss residents on behalf of one of its Customers, we do not take any responsibility for the integrity of the Personal Data.

Enforcement & Oversight

Kyriba will conduct compliance audits, as needed, of its relevant privacy practices to verify adherence to this Policy. Any employee that Kyriba determines is in violation of this Policy will be subject to disciplinary action up to and including termination of employment, and should any process or procedure be found not to be in accordance with this Policy, Kyriba will, if commercially reasonable, amend as needed.

In circumstances in which Kyriba maintains Personal Data about EEA or Swiss consumers with whom Kyriba does not have a direct relationship because we obtained or maintain such consumer’s Personal Data as an agent for our Customer(s), consumers are directed to submit any complaints concerning the processing of their Personal Data to the relevant Customer, in accordance with the Customer’s dispute resolution process. Kyriba will participate in this process as required and at the request of the Customer. If the issue cannot be resolved through the Customer’s internal dispute resolution mechanism, the consumer may submit the complaint to the relevant data protection authority in the EEA or Switzerland.

Kyriba has established procedures for periodically verifying implementation of and compliance with the Privacy Shield Privacy Principles. Customers residing in the EEA and Switzerland should direct any questions or concerns regarding the use or disclosure of Personal Data to privacy@kyriba.com. Customers may also file a complaint with our Office of the Chief Information Security Officer in connection with Kyriba’s processing of their Personal Data under the Privacy Shield Privacy Principles; letters should be sent to 9620 Towne Centre Drive, Suite 250, San Diego, California 92121. Kyriba will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of Personal Data by reference to the principles contained in this Policy. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

Information Collected through our Service

Kyriba collects information under the direction of our Customers, and has no direct relationship with the individuals whose personal information we process. If you are a client of one of our Customers and would no longer like to be contacted by one of our Customers that use our service, please contact the Customer that you interact with directly. We may transfer personal information (e.g., name, email, address, telephone, government-issued identification) to companies that help us provide our service. Transfers to subsequent third parties are covered by the service agreements with our Customers.

If you would like to gain access, seek correction, amendment or deletion of inaccurate information you should direct your query to Kyriba’s Customer (the data controller). If requested to remove data we will respond within a reasonable timeframe. We will retain the personal information we process on behalf of our Customers for as long as needed to provide services to our Customer. Kyriba will retain this personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Limitations on Application of the Privacy Shield Privacy Principles

Adherence by Kyriba to these Privacy Shield Privacy Principles may be limited (a) to the extent required or permitted by law or legal process, such as to respond to or investigate a legal or ethical obligation or request or pursuant to court orders, subpoenas, interrogatories or similar directive carrying the force of law, including any matters related to national security or public interest; and (b) to the extent expressly permitted by an applicable law, rule or regulation.

How to Contact Us

Please address any questions or concerns regarding our Privacy Shield Privacy Notice or our practices concerning Personal Data by:
Contacting us via email at privacy@kyriba.com or writing to:
Kyriba Corp.
Office of the Chief Information Security Officer
9620 Towne Centre Drive, Suite 250
San Diego, California 92121

Amendment

We may update this Privacy Policy to reflect changes to our information practices. If we make any material changes we will notify you by email (sent to the e-mail address specified in your account) or by means of a notice on this website prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.

This Privacy Shield Privacy Notice was last updated and posted on February 6, 2018.