VITAL4DATA PRIVACY POLICY

About Us

VITAL4DATA, LLC (“VITAL4DATA”, “we”, “us” or “our”) is a cloud-based software company that offers due diligence solutions and pre-employment screening services that mitigate risks associated with third-party relationships such as customers, suppliers, employees, contractors, partners, and volunteers to protect against financial crimes, terrorism, bribery & corruption. We screen and monitor employees and third-party relationships against global financial sanctions, watchlists, politically exposed persons (PEP), and news media sources around the world. Our international pre-employment screening services help verify a wide range of professional qualifications, employment histories, credit reports, and criminal backgrounds for potential workforces.

Our Commitment to Your Privacy

Your privacy is important to us. This Privacy Policy (the “Policy”) outlines how we collect, use, secure, and transfer personal data in our operations, how we protect privacy in the performance of our services, and the rights of individuals and of the clients on whose behalf we may maintain personal information. We are firmly committed to respecting your right to privacy and take seriously our responsibilities in relation to the processing of personal information. We do not collect or process personal information unnecessarily, nor do we solicit or receive information from children.

The Policy sets out important information about your rights in relation to the processing of your personal information while using our services. The Policy also outlines the basis on which any personal information we collect from you, or that you provide to us, will be processed in connection with your use of our services.

What We Collect and Why

We collect only the minimal personal information that is necessary to process and operate our business and the services we offer. Consistent with privacy principles, our use of your information is limited to the information that is relevant for processing. We do not process personal information in a way that is incompatible with the purposes for which it has been collected. Our Privacy Policy is primarily related to personal information collected and processed to operate our business.

We may collect personal information from you during our business, including through your use of our website, when you contact or request information from us, and when you engage our team to provide services. We will only process personal information when the law allows us to. We may use your information for the following purposes: fulfillment of services, client services, business administration, and legal compliance or recruitment.

We collect information such as names and contact details to communicate and facilitate the provision of our services with our clients, potential clients, or suppliers. Initial information about you can be provided by the company you are working for. You may provide us with information by using our services or by corresponding with us by phone, e-mail, or otherwise. Other occasions during which you provide us information are when searching for a product, placing an order, reporting a problem, or engaging with any other form of communication with us. We may collect information to respond to inquiries regarding our products and services or to provide you with information, reports, or updates.

When we process your personal information to register you as a customer/user, accept your orders, and deliver services to you, we do so on the basis that it is necessary to perform our obligations under contract with you or a company you work for. It may also be necessary to comply with certain legal obligations.

When you visit our website or use our platforms, we may collect information about your visit such as your IP address, login information, browser type, time zone setting, and the pages you visited. When you use our services, we may collect information on how you use those services. Our websites and online platforms may use cookies from time to time.

When we process your personal information to send you newsletters, respond to your questions, improve the contents of our website and marketing efforts, conduct research and analysis, and display content based on your interests, we do so on the basis that it is necessary for our legitimate business interests. These interests include ensuring our clients receive premium service, growing our business to best satisfy changing market needs, and ensuring continual improvements to our services.

Our clients engage us on a wide range of matters to help them mitigate risk, such as conducting due diligence on a potential partner, employee, or client through reports. The personal information we process in the performance of services for and on behalf of our clients includes, but is not limited to, any information relating to an identified or identifiable individual. Personal information can range from the individual’s name, contact information, education information, work history, directorships, financial information, and criminal history records to other lawful regulatory compliance checks. We treat all such information within the strict confines of the GDPR, the CPRA, and other U.S. and international data privacy laws.

When we process your personal information for business administration and legal compliance, that is, to comply with our legal obligations (including FCPA, Know Your Client, Anti-Money Laundering, or similar obligations), to enforce our legal rights, or in connection with a business transaction, we do so on the basis that we have a legal obligation to do so.

When we process your personal information for recruitment purposes, to assess your suitability for any position for which you may apply at VITAL4DATA (whether such application has been received by us online, via email, by hard copy, or in person), we do so in connection with taking steps at your request to enter into a contract with you, or because it is in our legitimate interest to use personal information in such a way to ensure that we can make the best recruitment decisions for VITAL4DATA. We will not process any special category data except where we can do so under applicable legislation. You may request VITAL4DATA’s background screening policy at any point in the recruitment process.

The lawful bases for such data processing are defined by our client in their privacy policy or another document and will vary depending on the nature of the information and the services. VITAL4DATA’s client has assessed the necessity, permissibility, and relevance of the service before ordering. VITAL4DATA’s client warrants to VITAL4DATA that: (1) the personal data is processed in a lawful, fair, and transparent manner in relation to the data subject; (2) the personal data is collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; (3) the personal data is adequate, relevant, and limited to what is necessary for the purposes for which it is processed; and (4) if applicable, after seeking appropriate legal advice, any information notice, authorization form, or other mandatory document has been duly provided to or obtained from the data subject.

We will only use your personal information for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal information without your knowledge or consent, in compliance with this Policy, where this is required or permitted by law.

To the extent necessary for those purposes, VITAL4DATA has policies and procedures in place and takes reasonable steps to ensure that your data is used consistently with its intended use. Because we create, maintain, use, or disseminate your information, we take reasonable and appropriate measures to protect it from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. Considering the risks involved in the processing and the nature of your data, we adopt and follow reasonable and appropriate measures in complying with this provision.

Disclosure of Your Information

We only share your personal information with your consent or as permitted by this Policy. We will not otherwise share, sell, or distribute any of the information you provide to us except as described in this notice. We may disclose information to any department or authorized person within our company, and to selected third parties, only in circumstances where it is necessary and the supplier has agreed to the same standards and terms of privacy as set out in the Policy.

International Transfers

To provide the Services, we may need to transfer your personal information to locations outside the jurisdiction in which you provide it. VITAL4DATA signs a data sharing agreement based on the EU standard contractual clauses to ensure we comply with our legal and regulatory obligations regarding personal information, including having a lawful basis for transferring personal information and putting appropriate safeguards in place to ensure an adequate level of protection for the personal information.

Accountability for Onward Transfers of EU and Swiss PI Pursuant to the EU-US Data Privacy Frameworks (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Frameworks (Swiss-US DPF)

VITAL4DATA complies with the EU-U.S. Data Privacy Framework program (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework program (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. VITAL4DATA has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. VITAL4DATA has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework program Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Because data will be transferred internationally, in the context of onward transfers we are responsible for the processing of personal information we receive under the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF and subsequently transfer to our partners and third-party agents acting on our behalf. We remain liable under the Data Privacy Framework Principles if our agent processes such PI in a manner inconsistent with the Principles, unless we prove we are not responsible for the event giving rise to the damage.

To transfer personal information to a third party acting as a controller, we comply with the Notice and Choice Principles of the EU-US DPF Program. We will also enter into a contract with the third-party controller that provides that such data may only be processed for limited and specified purposes consistent with the consent provided by you and that the recipient will provide the same level of protection as the Principles and will notify us if it makes a determination that it can no longer meet this obligation. The contract provides that when such a decision is made, the third-party controller ceases processing or takes other reasonable and appropriate steps to remediate.

To transfer personal data to a third party acting as an agent, we: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the agent is obligated to provide at least the same level of privacy protection as is required by the Principles; (iii) take reasonable and appropriate steps to ensure that the agent effectively processes the personal information transferred in a manner consistent with our obligations under the Principles; (iv) require the agent to notify us if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the Principles; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of our contract with that agent to the Department of Commerce upon request.

Under the DPF, we apply the Notice and Choice Principles to EU, UK, and Swiss PI that is transferred to third parties. EU, UK, and Swiss PI is provided to third parties only for purposes described in the Notice section or otherwise disclosed to you, and will not be disseminated to a third party where you have “opted out” or, in the case of “sensitive” information, have not “opted in.”

EU and Swiss individuals have the right to access their personal data pursuant to the Data Privacy Framework Principles. You may contact us, as set out at the end of this Privacy Policy, at any time to determine if we hold any personal information about you.

We process human resources-related personal information transferred from the EU, the UK, and Switzerland and commit to cooperating with the DPAs concerning such data. Where an organization in the EU, the UK, or Switzerland transfers personal information about its employees (past or present), collected in the context of the employment relationship, to us, the transfer enjoys the benefits of the EU-US DPF, the UK Extension to the EU-US DPF, or the Swiss-US DPF.

We commit to cooperating with the EU Data Protection Authorities (DPAs), the UK Information Commissioner’s Office (UK ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC), and to complying with the advice given by such authorities with regard to human resources data transferred from the EU, the UK, or Switzerland in the context of the employment relationship. EU individuals wishing to file a complaint with the appropriate DPA may go to http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm. UK individuals wishing to file a complaint with the ICO may go to https://ico.org.uk/make-a-complaint. Swiss individuals wishing to file a complaint with the FDPIC should go to https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/links/data-protection—switzerland.html.

In compliance with the EU-US Data Privacy Framework Principles, VITAL4DATA commits to resolving complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles. European Union, Swiss, and United Kingdom individuals with DPF inquiries or complaints should first contact:

VITAL4DATA, LLC

Compliance Department

3901 Mary Eliza Trace NW Suite 203

Marietta, GA 30064, USA

compliance@vital4.net

Retention

We adhere to the privacy principles for as long as we retain such information. We will only retain your personal information for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. The period for which we store your personal information depends on the type of information we hold.

To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information, whether we can achieve those purposes through other means, and the applicable legal requirements. For example, we may hold personal data as needed for our accounting or tax compliance purposes, or where needed for our compliance with anti-money laundering regulations, in accordance with the respective statutory periods. For Data Subjects, we store their personal information for as long as the data controller (our client) has instructed us to in the Service Agreement.

Security

VITAL4DATA adopts the layered security approach known as “Defense in Depth.” This is a cybersecurity strategy that protects computer systems and networks by employing multiple, independent layers of security measures, on the premise that relying on a single security measure is not enough to ensure comprehensive protection. Each layer adds an additional barrier that an attacker must overcome, and if one layer is breached, the remaining layers act as backups that prevent further compromise, limit the damage, and reduce the likelihood of a successful attack. In our environment this approach comprises technical, organizational, and security measures that include company policies, device storage encryption, anti-malware endpoint protection, device management, email encryption, firewalls, and security awareness training.

In addition, VITAL4DATA undergoes an annual SOC 2 Type 2 audit conducted by an independent CPA firm. The audit thoroughly evaluates VITAL4DATA’s internal controls pertaining to the security, availability, processing integrity, confidentiality, and privacy of data. It encompasses a comprehensive review of the system controls implemented and maintained by VITAL4DATA to ensure that its service commitments and system requirements align with the relevant trust services criteria for security, availability, and confidentiality as outlined in TSP Section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).

Your Rights

We respect your rights as a data subject whose personal information we hold. We have policies and procedures in place to ensure data subjects’ rights are upheld and easily exercised. You have the following rights in relation to the personal information we hold about you:

Your right of access: If you ask us, we’ll confirm whether we’re processing your personal information and, if necessary, provide you with a copy of that personal information (along with certain other details).

Your right to rectification: If the personal information we hold about you is inaccurate or incomplete, you are entitled to request to have it rectified. If you are entitled to rectification and if we’ve shared your personal information with others, we’ll let them know about the rectification where possible. If you ask us, where possible and lawful to do so, we’ll also tell you who we’ve shared your personal information with so that you can contact them directly.

Your right to erasure: You can ask us to delete or remove your personal information in some circumstances such as where we no longer need it or if you withdraw your consent (where applicable). If you are entitled to erasure and if we’ve shared your personal information with others, we’ll let them know about the erasure where possible. If you ask us, where it is possible and lawful for us to do so, we’ll also tell you who we’ve shared your personal information with so that you can contact them directly.

Your right to restrict processing: You can ask us to ‘block’ or suppress the processing of your personal information in certain circumstances, such as where you contest the accuracy of that personal information or you have objected to our processing of it. If you are entitled to restriction and if we’ve shared your personal information with others, we’ll let them know about the restriction where it is possible for us to do so. If you ask us, where it is possible and lawful for us to do so, we’ll also tell you who we’ve shared your personal information with so that you can contact them directly.

Your right to data portability: You have the right, in certain circumstances, to obtain personal information you’ve provided us with (in a structured, commonly used, machine-readable format) and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.

Your right to object: You can ask us to stop processing your personal information, and we will do so, if we are: (i) relying on our own or someone else’s legitimate interests to process your personal information, except if we can demonstrate compelling legal grounds for the processing; or (ii) processing your personal information for direct marketing purposes.

Your right to withdraw consent: If we rely on your consent (or explicit consent) as our legal basis for processing your personal information, you have the right to withdraw that consent at any time.

Your right to lodge a complaint with the supervisory authority: If you have a concern about any aspect of our privacy practices, including the way we’ve handled your personal information, you can report it to the relevant Supervisory Authority.

Please note that some of these rights may be limited where we have an overriding interest or legal obligation to continue to process the data.

VITAL4DATA has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2

We are subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). If we should ever become subject to an FTC or court order based on non-compliance, we will make public any relevant Data Privacy Framework-related sections of any compliance or assessment report submitted to the FTC, to the extent consistent with confidentiality requirements.

Changes to This Policy

Any material or other change to the data processing operations described in this Policy that is relevant to or affects you or your personal data will be notified to you through our website. In this way, you will have an opportunity to consider the nature and impact of the change and to exercise your rights in relation to that change, such as withdrawing consent or objecting to the processing.

Contact Us

If you have any comments or questions about our privacy policy or our processing of your information, please contact:

VITAL4DATA, LLC

Compliance Department

3901 Mary Eliza Trace NW Suite 203

Marietta, GA 30064, USA

compliance@vital4.net

Effective date: September 2023