Customer: a legal entity with whom AuditDashboard has an Agreement to provide the Engagement Management Platform System
Customer Data: data stored in and generated through the use of the Engagement Management Platform System, including Materials, User information, metadata, and logs
Materials: documents, images, video, compressed files, and any other material that is uploaded by our customer or any user and stored in the Engagement Management Platform System
User: an individual authorized by the Customer to access the Engagement Management Platform System.
The following terms are used as defined in the EU General Data Protection Regulation (GDPR):
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
Personal Data: any information relating to an identified or identifiable natural person (“Data Subject”)
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Third-Party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data
3. Data We Process
AuditDashboard may process the following types of Customer Data in order to provide and support the Engagement Management Platform System.
User information: The Engagement Management Platform System requires minimal information from Users for the purpose of authentication and communication. Personal Data is limited to name, email address, office location, and phone and fax numbers. All data except email address is considered optional.
Metadata: User activity within the Engagement Management Platform System is logged automatically. This includes login information, Materials accessed, and trace information to facilitate change history. These logs can be provided to clients upon support request.
Materials: The Materials uploaded to the Engagement Management Platform System by Users may contain Personal Data. AuditDashboard does not access any information within the Materials except in specific support circumstances upon the Customer’s explicit request. Materials are wholly controlled by the Customer and the Users.
4. Purpose for Processing
AuditDashboard processes Customer Data for the purposes of enhancing our product and service offerings, responding to Customer requests for support or assistance, and providing aggregate metrics to help our Customers measure their performance and better understand their use of the Engagement Management Platform System. AuditDashboard acts as a Processor on behalf of Customers. Customers have the primary responsibility for interacting with Data Subjects, and the role of AuditDashboard is generally limited to assisting Customers as needed.
AuditDashboard processes data only upon a Customer’s instruction and respects the security and confidentiality of the provided data, pursuant to the measures outlined in agreements with Customers and as required by applicable law.
For clarity, a Customer may be a Controller or a Processor of Personal Data. Where a Customer is a Processor of Personal Data, AuditDashboard shall process Personal Data as a sub-processor on behalf of the Controller. Instructions from the Controller regarding the processing of Personal Data shall be given through the Processor.
5. How we protect Data, Trust, and Security
AuditDashboard puts trust and security at the forefront of our operations. We maintain a comprehensive Trust & Security program focused on Security, Reliability, Compliance, and Confidentiality. Our Trust & Security Program takes into account the sensitivity of the Materials our Customers upload to the Engagement Management Platform System.
AuditDashboard maintains a data protection program to identify risks and implement preventative measures. Our management team is responsible for managing the risk assessment and mitigation program. The program is reviewed on a regular basis and is a core part of the fabric of our day-to-day operations.
Another core part of our Trust & Security Program is our System and Organization Controls. These controls are audited annually by an independent third party who issues a SOC 2 Type 2 Report to provide assurance over their existence and operating effectiveness. Our SOC 2 Type 2 Report covers the Trust Service Criteria for Security and Confidentiality and is available upon request.
6. Transparency and Cooperation with Customers
AuditDashboard strives to maintain transparency with our Customers with regard to providing information to help facilitate their respective data protection obligations.
Security Incident Response Policy: AuditDashboard's Security Incident Response Policy (SIRP) governs our behaviour in the event of any unauthorized access to, or disclosure of, Customer Data.
Obligations Upon Termination: Upon termination of the Services, AuditDashboard shall, at the request of the Customer, delete or return all Customer Data. AuditDashboard does not have the ability to physically alter or modify hardware that supports the Engagement Management Platform System. AuditDashboard’s hosting partner (Microsoft) has a standardized, audited process for securely destroying data, including cryptographic wiping. AuditDashboard can, upon request, provide certification of the data deletion.
7. Sharing and Disclosure
There are limited times when information may be shared by AuditDashboard with other parties. This section outlines cases where AuditDashboard may share such information.
Sub-processing by Third Parties: AuditDashboard may retain third-party sub-processors. Such third-party sub-processors shall process the data only in accordance with the Customer’s specific instructions and the commitments outlined in this document and other Agreements.
Such third-party sub-processors have entered into written agreements with AuditDashboard in accordance with the applicable requirements, and AuditDashboard performs due diligence reviews on all sub-processors annually to verify their security measures and operational controls.
Legal or Regulatory Compliance: AuditDashboard may share or disclose data to comply with legal or regulatory requirements and to respond to lawful requests, court orders and legal processes.
Enforcing Our Rights and Preventing Fraud: AuditDashboard may share or disclose data to protect and defend the rights, property, or safety of us or third parties, including enforcing contracts or policies, or in connection with investigating and preventing fraud.
Changes to our Business Structure: AuditDashboard may share or disclose data if we engage in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of our business, a similar transaction or proceeding, or steps in contemplation of such activities (e.g. due diligence).
8. Data Subject Rights
AuditDashboard acts as a data Processor on behalf of Customers. Customers have the primary responsibility for interacting with Data Subjects, and the role of AuditDashboard is generally limited to assisting Customers as needed.
Access, Correction, Amendment or Deletion Requests: AuditDashboard will promptly notify a Customer if we receive a request from a Data Subject for access to, correction, amendment, or deletion of that person’s Personal Data. AuditDashboard shall not respond to any such Data Subject request without the Customer’s prior written consent except to confirm that the request relates to the Customer.
AuditDashboard shall provide Customers with cooperation, transparency, and assistance in a reasonable period of time and to the extent reasonably possible in relation to any request regarding Personal Data.
Handling of Complaints: Data Subjects may lodge a complaint about the processing of their respective Personal Data by contacting the relevant Customer or the AuditDashboard privacy department at the email address email@example.com. AuditDashboard shall promptly communicate the complaint to the related Customer.
Customers shall be responsible for responding to all Data Subject complaints forwarded by AuditDashboard, except in cases where a Customer has disappeared or ceased to exist in law or become insolvent. Where AuditDashboard is aware of such a case, it undertakes to respond directly to the Data Subject’s complaints within thirty (30) days, including the consequences of the complaint and further actions Data Subjects may take if they are unsatisfied by the reply.
Regulatory Inquiries and Complaints: AuditDashboard shall, to the extent legally permitted, promptly notify a Customer if it receives an inquiry or complaint from a data protection authority in which that Customer is specifically named. Upon a Customer’s request, AuditDashboard shall provide the Customer with cooperation and assistance in relation to any regulatory inquiry or complaint involving AuditDashboard’s processing of Personal Data.
9. Changes to this Statement
We may change this statement from time to time, and if we do, we will post any changes. If you continue to use the Engagement Management Platform after those changes are in effect, you agree to the revised policy. This document was last updated in March 2021.
10. Contacting AuditDashboard
Please feel free to contact us if you have any questions about our data protection commitments and practices. You may contact us at firstname.lastname@example.org or at our mailing address below:
Audit Dashboard Inc.
Suite 320, 115 George Street,
Oakville, Ontario L6J 0A2