EU SAFE HARBOR PRIVACY POLICY
Effective Date: May 1, 2008
[---Click here---] for a listing of material modifications to this EU Safe Harbor Privacy Policy and their effective dates. To view this document as a .pdf, click here.
1. Modification of Privacy Policy. Bridgeway Software, Inc. reserves the right to modify this EU Safe Harbor Privacy Policy at any time, and without prior notice, by posting an amended Privacy Policy that is always accessible by clicking on the "EU Safe Harbor Privacy Policy" link on this site's home page.
2. Adoption And Compliance With Safe Harbor Principles.
2.1 This EU Safe Harbor Privacy Policy is published by Bridgeway Software, Inc. and its subsidiaries and affiliates. All references to "we", "us", “our”, "this website" or "this site" shall be construed to mean Bridgeway and its subsidiaries and affiliates.
2.2 Bridgeway recognizes that the European Union (EU) has an “omnibus” data protection regime established pursuant to the European Data Protection Directive (95/46/EC). The Directive generally restricts the transfer of personally information about identifiable individuals in the EU to the United States, unless there is “adequate protection” for such information when it is received in the United States.
2.3 Bridgeway has adopted and complies with the Safe Harbor Principles developed by the U.S. Department of Commerce and the European Commission and the Frequently Asked Questions (FAQs) issued by the Department of Commerce on July 21, 2000. This Safe Harbor Privacy Policy sets forth the privacy principles that Bridgeway follows with respect to the collection and transfer of personal information from anywhere in the world, including collections and transfers from the European Economic Area (“EEA”) (which includes the 15 member states of the European Union (“EU”) as well as Iceland, Liechtenstein and Norway) to the United States.
3. Processor on Behalf.
3.1 Bridgeway provides its customers with software and online services to automate certain operations of corporate law departments, including matter management, electronic discovery, and online invoice processing through our Corridor website. In this capacity, we do not own or control any of the information we process on behalf of our customers; all such information is owned and controlled by our customers. We receive this information transferred from the EU to the United States merely as a processor on behalf of our customers.
3.2 In our capacity as a processor on behalf (an entity that processes data on behalf of a data controller), we process data in accordance with the instructions of a data controller (an entity that determines the purposes and means for processing personal information). As a processor on behalf, we will not transfer personal information to a third party (any entity other than Bridgeway or the data controller) without instructions from the data controller.
3.3 In our capacity as a processor on behalf, we are not aware of the type of information that is actually being processed or stored by our customers on our systems, and we have no general direct access to such information, except as may be expressly authorized by our customers.
4. Processing Contracts.
4.1 Before we begin processing information on behalf our customers as a processor on behalf, we will enter into a processing contract with the EU data controller that is responsible for the personal information as required by the applicable EU Member State Data Protection law.
4.2 Our processing contracts provide that the EU data controller will be in compliance with the Member State Data Protection law. Any information processed by us will not be further disclosed to third parties, except where permitted or required by the processing contract, the EU Safe Harbor, or the applicable Member State Data Protection law. Any information which our customers (acting as the EU controllers) identify as sensitive will be treated accordingly.
4.3 Our processing contract will also specify that our processing will be carried out with appropriate data security measures.
5. Notice.
5.1 Where we collect personal information from an identifiable person, we will inform the person of the category of information collected, the purposes for collection and use, and the types of non-agent third parties to which we may disclose the personal information, and the choices and means, if any, we may offer the individual person for limiting the use and disclosure of their personal information.
5.2 We will provide notice in clear and conspicuous language when identifiable persons are first asked to provide their personal information, or as soon as practicable thereafter, but in no event before we use their personal information for a purpose other than which it was originally collected.
6. Choice.
6.1 We will not process personal information collected by us from an identifiable person for purposes other than those for which the information was originally collected or subsequently authorized by that person, unless the person affirmatively and explicitly consents (“opt-in”) to the processing, or unless an exception applies.
6.2 We also provide identifiable persons with the opportunity to withdraw consent at any time (“opt-out”) from the processing for which their information was collected by us, in which case their personal information will not be further processed.
7. Data Integrity.
7.1 We undertake reasonable measures to ensure that information collected by us from an identifiable person is kept accurate, complete, current, and otherwise reliable in relation to the purposes for which the information was collected. The personal information we collect from identifiable persons is accurate, relevant, and not excessive for the purposes for which it is to be processed.
7. Identifiable persons whose personal information we collect have the responsibility to assist us with maintaining accurate, complete, and current information about them.
8. Access.
8.1 Upon receipt of a written request, we will provide identifiable persons from whom we collect personal information reasonable access to their personal information.
8.2 We will also take reasonable steps to allow identifiable persons to review the personal information we collected for purposes of correcting the information, subject to the following exceptions:
- when the information requested relates to an ongoing investigation, litigation, or potential litigation,
- where the burden or expense of providing access would be disproportionate to the risks to the privacy of the identifiable person, or
- when the rights of persons other than the identifiable person would be violated.
9. Onward Transfer. If and when we transfer personal information to data processors to perform processing tasks on our behalf and under our instructions, we require these data processors either: (i) to subscribe to the EU Safe Harbor Principles, the EU Data Protection Directive, or another adequacy finding; or (ii) to enter into a written agreement with Bridgeway requiring them to provide the same level of protection that we provide.
10. Security.
10.1 We have adopted a security policy to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction. This policy includes technical and organizational security measures, including without limitation, password protections for online information systems, restricted access to personal information, and industry standard technical security measures. Our Security Officer is responsible for conducting investigations into any alleged computer or network breaches, incidents or problems, and promptly instituting any required remediation.
10.2 Our employees are notified periodically of their responsibilities in connection the security policy. Our Security Officer is responsible and ensuring that appropriate disciplinary action is taken against those who violate our security policy.
10.3 We will conduct compliance audits of our security policy to verify compliance with this EU Safe harbor Policy and the US Department of Commerce Safe Harbor Principles.
11. Enforcement And Dispute Resolution.
11.1 If you have any questions regarding this EU Privacy Policy or your dealings with this website, please contact us at:
Bridgeway Software, Inc.
6575 West Loop South, Third Floor
Bellaire, TX, 77401
Contact: Security Officer
Email: security.officer@bridge-way.com
Telephone: 713-599-8303
11.2 Individuals who wish to file a complaint regarding this EU Safe Harbor Privacy Policy should contact our Security Officer at the above address. Our Security Officer will explain the process to be followed when filing a complaint, and will investigate and attempt to resolve complaints in accordance with the principles contained in this EU Safe Harbor Privacy Policy.
11.3 Any other controversy or claim arising out of or relating to this Policy, or the breach thereof, shall be settled by arbitration administered by the American Arbitration Association ("AAA") in accordance with its applicable commercial rules as well as the Safe Harbor Enforcement Principle; provided, further, that any arbitrator shall be either an attorney or retired judge having significant and recognized experience with and knowledge of privacy issues and information technology. In addition, the exclusive location for such arbitration shall be Houston, Texas. All decisions of the arbitration panel shall be final and binding on the parties, which waive any right to further appeal the arbitration award, to the extent an appeal may be lawfully waived.
11.4 We are also subject to the jurisdiction of the U.S. Federal Trade Commission. The Federal Trade Commission may be contacted as the following address:
Federal Trade Commission
Attn: Consumer Response Center
600 Pennsylvania Avenue NW
Washington, DC 20580
www.ftc.gov