Kyriba Safe Harbor Privacy Policy Statement

Kyriba Corp. (“Kyriba” or “our” or “we”) is dedicated to conducting its business in a manner that complies with the European Union Safe Harbor Framework and the Switzerland Safe Harbor Framework, both as published by the U.S. Department of Commerce. The United States Department of Commerce and the European Commission have previously agreed on a set of data protection principles to enable U.S. companies to satisfy the requirement under European Union law that adequate protection will be given to personal data transferred from the European Union to the United States. The United States Department of Commerce and the Federal Data Protection and Information Commissioner of Switzerland have previously agreed on a similar set of data protection principles to enable U.S. companies to satisfy the requirement under Swiss law that adequate protection be given to personal information transferred from Switzerland to the United States. Consistent with its commitment to protect personal privacy, Kyriba has certified that it abides by the Safe Harbor Privacy Principles as set forth by the U.S. Department of Commerce regarding the collection, storage, use, transfer and other processing of Personal Data transferred from the European Economic Area (“EEA”) and Switzerland (“Swiss”) to the United States to Kyriba from our corporate customers. The Court of Justice of the European Union recently invalidated the Safe Harbor Privacy Principles; however, Kyriba continues to comply with the principles set forth therein. Kyriba does not rely on Safe Harbor Privacy Principles to legitimize exports from the EEA to the US. This Safe Harbor Privacy Policy Statement (this “Policy”) outlines our general policy and practices for implementing the Safe Harbor Privacy Principles for the handling of personal data for corporate customers. To learn more about the Safe Harbor program, and to view the certification for Kyriba, visit http://www.export.gov/safeharbor

Definitions

“Customer(s)” means any individual or entity that legally purchases, installs or activates Kyriba’s products or services. 

“Personal Data” means any information that (i) relates to a natural person or individual, and (ii) is transferred to Kyriba in the U.S. from the EEA or Switzerland, (iii) is recorded in any form, (iv) relates to an identified or identifiable Customer, and (v) can be linked to that individual. Personal Data does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public personal information.

“Sensitive Personal Data” means Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, the commission or alleged commission of any offense, any proceedings for any offense committed or alleged to have been committed by the individual or the disposal of such proceedings, or the sentence of any court in such proceedings.

Scope

This Policy applies to the Personal Data and Sensitive Personal Data received by Kyriba in the United States from the EEA and from Switzerland, in electronic and paper format, from its Customers only. This Policy does not apply to information that may be received via this website located at www.kyriba.com; this website is governed by a separate privacy policy and terms of use, and we encourage you to read those policies carefully before using this website. Please note that the website to which this Policy is linked is a United States-based website and is subject to United States law.

Notice

When applicable,* we notify our Customers located in the EEA and Switzerland about the purposes for which we collect and use their Personal Data, the types of third parties to which we disclose the information, and the choices and means, if any, Kyriba offers Customers for limiting the use and disclosure of their Personal Data. Any such notice will be provided in what we believe to be clear and conspicuous language when Customers are first asked to provide Personal Data to Kyriba, or as soon as practicable thereafter, and in any event before Kyriba uses or discloses such Personal Data for a purpose other than that for which it was originally collected or discloses information to a non-agent third party.

*Please note we generally do not collect nor seek to collect Personal Data from our Customers, and never collect Sensitive Personal Data from Customers. When such Personal Data is gathered, it is limited to business contact information, it is used for the purposes of contacting and communicating with such Customer, and Customers are informed of such purposes. Our technology platform does allow information to be collected via “custom fields,” so it is also possible that Personal Data could be stored in our platform, but this is neither required nor encouraged. In those limited instances in which we do collect and use such Personal Data of Customers, such Customers can always contact Kyriba (as further specified below under “How to Contact Us”) regarding Kyriba’s use or disclosure of their Personal Data or to opt out. 

Choice

Kyriba will offer Customers the opportunity to choose (opt-out) whether their Personal Data is (i) to be disclosed to a non-agent third party, or (ii) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the Customer. Kyriba will provide Customers with reasonable mechanisms to exercise their choices.

In circumstances in which Kyriba collects Personal Data about EEA or Swiss residents with whom Kyriba does not have a direct relationship because Kyriba obtained or maintains such Personal Data as vendor for its Customers, Kyriba informs its Customers that they are responsible for providing the relevant individuals with a choice as to whether their Personal Data may be disclosed to and by Kyriba to certain third parties or used for a purpose that is incompatible with the purpose for which the information originally was collected or subsequently authorized by such individual. 

Kyriba may disclose Personal Data gathered from its Customers without offering an opportunity to opt out (i) if it is required to do so by law, regulation or legal process (such as a court order or subpoena), (ii) in response to requests by government agencies, such as law enforcement authorities, or (iii) when Kyriba believes disclosure is necessary or appropriate to prevent physical, financial or other harm, injury or loss or in connection with an investigation of suspected or actual illegal activity. Kyriba also reserves the right to transfer Personal Data in the event it sells or transfers all or a portion of its business or assets, or merges with another entity. Should such a sale, transfer or merger occur, Kyriba will use reasonable efforts to direct the transferee to use the Personal Data in a manner that is consistent with this Policy. 

Onward Transfers (Transfers to Third Parties)

Kyriba may share Personal Data with Kyriba's subsidiaries and affiliates. Please also note that Kyriba may also share Personal Data with service providers we have retained to perform services on our behalf. We require service providers to whom we disclose Personal Data and who are not subject to either the laws based on the European Union Data Protection Directive or the Swiss Federal Act on Data Protection, as applicable, to either (i) subscribe to the Safe Harbor Privacy Principles, (ii) contractually agree to provide at least the same level of protection for Personal Data as is required by the relevant Safe Harbor Privacy Principles, or (iii) be subject to another European Commission adequacy finding (e.g., companies located in Canada).

Access and Correction

Upon request, Kyriba will grant Customers reasonable access to Personal Data that it holds about them. Requests can be initiated by contacting us as specified below in the “How to Contact Us” section. Please note that in circumstances in which Kyriba maintains Personal Data about EEA or Swiss residents with whom Kyriba does not have a direct relationship because Kyriba obtained or maintains the Personal Data as a vendor on behalf of one of its Customers, such Customers are responsible for providing such residents with access to the Personal Data and the right to correct, amend or delete the information where it is inaccurate. In these circumstances, an EEA or Swiss resident should direct their questions to the applicable Kyriba Customer. Notwithstanding anything herein to the contrary, we may limit or deny access to Personal Data where providing such access is unreasonably burdensome or expensive under the circumstances, or as otherwise permitted by the Safe Harbor Privacy Principles.

Security

Kyriba will take reasonable precautions to protect Personal Data in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. Kyriba uses physical, electronic and administrative security measures to protect Personal Data. Kyriba limits access to Personal Data to those persons in Kyriba’s organization that have a specific business purpose for maintaining and processing the Personal Data, or approved third party vendors that are involved in the processing of the Personal Data. Individuals who have been granted access to Personal Data will be made aware of their specific responsibilities to protect the security, confidentiality, and integrity of the Personal Data, and will be provided training and instruction on how to do so.

Data Integrity

Kyriba takes reasonable steps to ensure that Customer Personal Data collected by Kyriba is (i) relevant for the purposes for which it is to be used, (ii) reliable for its intended use, and (iii) accurate, complete and current. We depend on our Customers to update or correct their Personal Data whenever necessary. Kyriba will use Personal Data only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. Please note that in circumstances in which Kyriba maintains Personal Data about EEA or Swiss residents on behalf of one of its Customers, we do not take any responsibility for the integrity of the Personal Data. 

Enforcement & Oversight

Kyriba will conduct compliance audits, as needed, of its relevant privacy practices to verify adherence to this Policy. Any employee that Kyriba determines is in violation of this Policy will be subject to disciplinary action up to and including termination of employment, and should any process or procedure be found not to be in accordance with this Policy, Kyriba will, if commercially reasonable, amend as needed. 

In circumstances in which Kyriba maintains Personal Data about EEA or Swiss consumers with whom Kyriba does not have a direct relationship because we obtained or maintain such consumer’s Personal Data as an agent for our Customer(s), consumers are directed to submit any complaints concerning the processing of their Personal Data to the relevant Customer, in accordance with the Customer’s dispute resolution process. Kyriba will participate in this process as required and at the request of the Customer. If the issue cannot be resolved through the Customer’s internal dispute resolution mechanism, the consumer may submit the complaint to the relevant data protection authority in the EEA or Switzerland.

Kyriba has established procedures for periodically verifying implementation of and compliance with the Safe Harbor Privacy Principles. Customers residing in the EEA and Switzerland should direct any questions or concerns regarding the use or disclosure of Personal Data to privacy@kyriba.com. Customers may also file a complaint with our Office of the Chief Information Security Officer in connection with Kyriba’s processing of their Personal Data under the Safe Harbor Privacy Principles; letters should be sent to 9620 Towne Centre Drive, Suite 250, San Diego, California 92121. Kyriba will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of Personal Data by reference to the principles contained in this Policy. If the complaint cannot be resolved through our internal process, we will cooperate with the Judicial Arbitration and Mediation Services, Inc. (“JAMS”) pursuant to the JAMS International Mediation Rules. We will take steps to remedy any problems arising out of a failure to comply with the Safe Harbor Privacy Principles.

Limitations on Application of the Safe Harbor Privacy Principles

Adherence by Kyriba to these Safe Harbor Privacy Principles may be limited (a) to the extent required or permitted by law or legal process, such as to respond to or investigate a legal or ethical obligation or request or pursuant to court orders, subpoenas, interrogatories or similar directive carrying the force of law, including any matters related to national security or public interest; and (b) to the extent expressly permitted by an applicable law, rule or regulation.

How to Contact Us

Please address any questions or concerns regarding our Safe Harbor Privacy Policy Statement or our practices concerning Personal Data by:
Contacting us via email at privacy@kyriba.com or writing to:
Kyriba Corp.
Office of the Chief Information Security Officer
9620 Towne Centre Drive, Suite 250
San Diego, California 92121


Amendment

This Policy may be amended from time to time in compliance with the requirements of the Safe Harbor Privacy Principles. The date this Policy was last updated is stated below. 

This Safe Harbor Privacy Notice was last updated and posted on August 12, 2016.