Privacy Shield Policy

Effective Date: 1 May 2019

Purpose

The purpose of this Policy is to provide an overview of Zeplin’s participation in the EU-U.S. and Swiss-U.S. Privacy Shield program.

Summary

Zeplin complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries and Switzerland.

Scope

This Policy applies to all personal data received or processed by Zeplin in the United States from the EU and Switzerland, in any format, including electronic, paper, or verbal. Personal data that Zeplin may collect includes names, email addresses, IP addresses, and any other data our customers direct us to collect. This Policy does not cover data which has been de-identified and/or aggregated.

Audience

This Policy is available to all Zeplin system users.

Policy Administration

The Zeplin Management Team owns all Zeplin information privacy and security policies. The Zeplin Information Security Officer maintains this Policy. The Zeplin Security Team is responsible for coordinating with the Zeplin teams to develop relevant procedures, guidelines, and standards for this Policy. This Policy will be reviewed at least annually.

Policy

1. EU-U.S. and Swiss-U.S. Privacy Shield Frameworks

Zeplin complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries and Switzerland.


Zeplin has certified that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfers and Disclosures, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between the policies in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

To learn more about the Privacy Shield program, visit the Privacy Shield program website at https://www.privacyshield.gov.

2. Renewal and Verification

Zeplin will renew its Privacy Shield certification annually unless it determines it no longer needs the certification or it employs a different adequacy mechanism. Zeplin will:

3. Responsibilities and Management

All employees of Zeplin and its subsidiaries who handle personal data from Europe are required to comply with this Policy’s principles.


Zeplin will maintain, monitor, test, and upgrade information security policies, practices, and systems to assist in protecting the personal data that it collects. Zeplin personnel will receive training, as applicable, to implement this Policy effectively.


Zeplin has designated an internal owner to oversee its compliance with the Privacy Shield program. The program owner is responsible for reviewing and approving material changes to the program. Questions, concerns, or comments can be directed to privacyshield@zeplin.io.

4. Privacy Principles

The following privacy principles are based on the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield frameworks.

4.1 Notice and Choice

To the extent permitted by the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield frameworks, Zeplin will process personal data in the course of providing professional services to its customers who act as controllers. Zeplin’s customers, acting as controllers, are responsible for providing notice to individuals and for ensuring that processing is supported by a lawful basis.


Where Zeplin collects personal data directly from individuals in the EU or Switzerland, it will inform them about the purposes for which it collects and uses personal data about them, the types of third-parties to which Zeplin discloses that information, the choices Zeplin offers individuals for limiting the use and disclosure of personal data about them, and how to contact Zeplin.

The categories of third-parties that Zeplin may disclose personal data to, the purposes for which we do, and options for limiting the use and disclosure of this information are listed in our Privacy Policy (https://zeplin.io/privacy).


Where Zeplin receives personal data from its subsidiaries, affiliates or other customer entities in the EU or Switzerland, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such personal data relates.

4.2 Accountability for Onward Transfers and Disclosures

Zeplin processes personal data only in ways compatible with the purpose for which it was collected or subsequently authorized by the individual. To the extent necessary for such purposes, Zeplin takes reasonable steps to make sure that personal data is accurate, complete, current, and otherwise reliable with regard to its intended use. Zeplin may disclose personal data that it processes under the Privacy Shield if:

Zeplin may disclose an individual’s personal data to another Zeplin entity or to a processor (vendor) providing services on Zeplin or the individual’s behalf consistent with the purpose for which the information was obtained, if the processor (vendor), with respect to the information in question:

With respect to onward transfers to agents, the Privacy Shield Principles require that Zeplin remain liable should its agents process personal data in a manner inconsistent with those Principles. Permitted transfers of information, either to third parties or within Zeplin, include the transfer of data from one jurisdiction to another, including transfers to and from the United States of America. Because privacy laws vary from one jurisdiction to another, personal data may be transferred to a jurisdiction where the laws provide less or different protection than the jurisdiction in which the information originated.

Zeplin is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

4.3 Data Security

Zeplin will take reasonable precautions to protect personal data in its possession from loss, misuse, unauthorized access, disclosure, alteration, and destruction and ensure the appropriate use and confidentiality of information, either for its own purposes or on behalf of its customers. Zeplin has put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information it processes. Despite these precautions, no data security safeguards guarantee 100% security.

4.4 Data Integrity

Zeplin will take reasonable precautions to process personal data only in ways compatible with the purpose for which it was collected or subsequently authorized by the Controller. To the extent necessary for such purposes, we take reasonable steps to make sure that personal data is accurate, complete, current, and otherwise reliable with regard to its intended use.

4.5 Access, Correction, and Deletion

EU and Swiss individuals have a right of access to their personal data. If an EU or Swiss individual becomes aware that information Zeplin maintains about that individual is inaccurate, or if an individual would like to access, review, update, or delete his or her information, the individual may contact Zeplin at privacyshield@zeplin.io.


Zeplin will take reasonable steps to permit individuals to correct, amend, or delete personal data that is demonstrated to be inaccurate. The individual will need to provide sufficient identifying information. Zeplin may request additional identifying information as a security precaution. In addition, Zeplin may limit or deny access to or deletion of personal data in accordance with certain exceptions prescribed by law.

4.6 Recourse, Enforcement and Liability, and Dispute Resolution

Zeplin utilizes the self-assessment approach to assure its compliance with this Privacy Policy. Zeplin periodically verifies that the Policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented, and in conformity with the Privacy Shield principles.

In compliance with the Privacy Shield Principles, Zeplin commits to resolve complaints about our collection or use of your personal data. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield Policy should first contact Zeplin at privacyshield@zeplin.io. Zeplin will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal data in accordance with the principles contained in this Policy within 45 days of receipt.

Zeplin has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS are provided at no cost to you.


Specifically, Binding Arbitration is available under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks after an individual has:

  1. Raised the claimed violation directly with Zeplin and has afforded Zeplin an opportunity to resolve the issue within 45 days
  2. Made use of the independent recourse mechanism, via JAMS, listed above
  3. Raised the issue through their Data Protection Authority to the Department of Commerce and afforded the Department of Commerce an opportunity to use best efforts to resolve the issue within the timeframes set forth in the Letter from the International Trade Administration of the Department of Commerce.

As set forth in the Arbitral Model of Annex I (EU-U.S. Privacy Shield Framework Principles Issued by the U.S. Dept. of Commerce), invoking binding arbitration is an option available to an individual to determine, for residual claims, whether Zeplin has violated its obligations under the Principles as to that individual, and whether any such violation remains fully or partially unremedied. This option is available only for these purposes and is expressly limited by Section I.5 of the EU-U.S. Privacy Shield Framework Principles.

Exceptions

Exceptions to the policies, plans, and standards of the Privacy Shield Policy must be approved by the Zeplin Information Security Officer. Where appropriate, the basis for the exception will be revisited at a planned interval, by assigning a responsible individual and a due date.

Zeplin reserves all rights under the law. Any and all rights or uses of Zeplin information assets that are not specifically granted by documented policies, standards or procedures are not approved until such time as the Zeplin Information Security Officer approves them in writing.

Enforcement

All Zeplin workforce members and contractors are responsible for adhering to this Policy. Asset owners (both information and information system assets) and functional/business unit owners are responsible for ensuring that all Zeplin employees and contractors are in compliance with the Policy.

Workforce members who have violated Zeplin information security policies and procedures are subject to sanctions. Sanctions may include, but are not limited to, retraining, reassignment, separation, and referral to law enforcement.

References