EndoSoft Services Privacy Policy

Scope

This policy covers the privacy practices that EndoSoft LLC and its subsidiaries and affiliates (“EndoSoft” or “we”) employ when providing support, consulting, Cloud or other services (the “services”) to its customers (“you” or “your”). EndoSoft established this privacy policy in order to clarify that the use of information to which it may be provided access in order to provide services is more limited than the use of information covered by EndoSoft’s disclaimer and data privacy policy.

Customer Information and Services Data

Customer Information is information that we may collect from your use of the EndoSoft Web sites and your interactions with us offline. We deal with customer information according to the terms of our disclaimer and data privacy policy.

Services Data is data that resides on EndoSoft, customer or third-party systems to which EndoSoft is provided access to perform services (including Cloud environments as well as test, development and production environments that may be accessed to perform EndoSoft consulting and support services). EndoSoft treats services data according to the terms of this policy, and treats services data as confidential in accordance with the terms of your order for services.

To illustrate the difference between customer information and services data, when a customer contracts with EndoSoft for Cloud services, the customer provides information about itself, including its name, address, billing information, and some employee contact information. EndoSoft may also collect other information about the customer and some employees, for example through its web sites, as part of that interaction. All of that information is customer information, and is treated according to EndoSoft’s disclaimer and data privacy policy.

In contrast, having contracted with EndoSoft for Cloud or other services, the customer provides EndoSoft access to its production, development or test environment, which may include personal information about its employees, customers, patients, partners or suppliers (collectively “end users”).

How EndoSoft Collects and Uses Services Data

Below are the conditions under which EndoSoft may access, collect and/or use services data.

To Provide Services and to Fix Issues. Services data may be accessed and used to perform services under your order for support, consulting, Cloud or other services and to confirm your compliance with the terms of your order. This may include testing and applying new product or system versions, patches, updates and upgrades; monitoring and testing system use and performance; and resolving bugs and other issues you have reported to EndoSoft. Any copies of services data created for these purposes are only maintained for time periods relevant to those purposes.

As a Result of Legal Requirements. EndoSoft may be required to retain or provide access to services data to comply with legally mandated reporting, disclosure or other legal process requirements.

EndoSoft may transfer and access services data globally as required for the purposes specified above. If EndoSoft hires subcontractors to assist in providing services, their access to services data will be consistent with the terms of your order for services and this services privacy policy. EndoSoft is responsible for its subcontractors’ compliance with the terms of this policy and your order.

Clinical and Commercial Use. In EndoSoft’s performance of the Services or in connection with your use of the Software, it may be necessary for EndoSoft to obtain, receive, or collect data or information, including system-specific data (collectively, the “Service Data”). In such cases, you grant EndoSoft a non-exclusive, worldwide, royalty-free, perpetual, non-revocable license to use, compile, distribute, display, store, process, reproduce, or create derivative works of the Data solely to facilitate the performance of Services by EndoSoft or your use of the Software. In addition, you grant EndoSoft a license to aggregate the Data for use in an anonymous manner in support of EndoSoft’s clinical research, benchmarking, marketing and sales activities. You also grant EndoSoft the right to copy and maintain such material and content on EndoSoft’s servers (or the servers of its suppliers) during the term of this Agreement. You represent and warrant that you have obtained all rights, permissions, and consents necessary to use and transfer the Data within and outside of the country in which you are located in conjunction with EndoSoft’s performance of the Services or your use of the Software (including providing adequate disclosures and obtaining legally sufficient consent from your patients, customers, employees, agents, and contractors).

EndoSoft does not use services data except as stated above or in your order. EndoSoft may process services data, but does not control your collection or use practices for services data. If you provide any services data to EndoSoft, you are responsible for providing any notices and/or obtaining any consents necessary for EndoSoft to access, use, retain and transfer services data as specified in this policy and your order.

Access Controls

EndoSoft’s access to services data is based on job role/responsibility. Services data residing in EndoSoft-hosted systems is controlled via an access control list (ACL) mechanism, as well as the use of an account management framework. You control access to services data by your end users; end users should direct any requests related to their personal information to you.

Security and Breach Notification

EndoSoft is committed to the security of your services data, and has in place physical, administrative and technical measures designed to prevent unauthorized access to that information. EndoSoft security policies cover the management of security for both its internal operations as well as the services. These policies, which are aligned with the ISO/IEC 27001:2005 standard, govern all areas of security applicable to services and apply to all EndoSoft employees. EndoSoft’s Support, Consulting and Cloud lines of business have developed detailed statements of security practices that apply to many of their service offerings, which are available for review at your request.

EndoSoft is also committed to reducing risks of human error, theft, fraud, and misuse of EndoSoft facilities. EndoSoft’s efforts include making personnel aware of security policies and training employees to implement security policies. EndoSoft employees are required to maintain the confidentiality of services data. Employees’ obligations include written confidentiality agreements, regular training on information protection, and compliance with company policies concerning protection of confidential information.

EndoSoft promptly evaluates and responds to incidents that create suspicions of unauthorized handling of services data. Legal department is informed of such incidents and, depending on the nature of the activity, define escalation paths and response teams to address the incidents. If EndoSoft determines that your services data has been misappropriated (including by an EndoSoft employee) or otherwise wrongly acquired by a third party, EndoSoft will promptly report such misappropriation or acquisition to you.

Cross Border Transfers

EndoSoft is a global corporation with operations in many countries and has developed global data practices designed to assure your personally-identifiable information is appropriately protected. Please note that personal information may be transferred, accessed and stored globally as necessary for the uses and disclosures stated above in accordance with this policy.

The EndoSoft affiliates have entered into and executed an Agreement for the International Transfer of Personal Information within the EndoSoft Group (“Intra-Company Agreement”) which allows for the processing of your personal information and which also incorporates the European Union Model Clauses requirements for transfers of your personal information.

EndoSoft also continues to adhere to the underlying European privacy principles of the US-EU and US-Swiss Safe Harbor programs for personal information received from the EU and Switzerland. To learn more about the Safe Harbor program, and to view Endosoft’s certification, please visit http://www.export.gov/safeharbor/.

Dispute Resolution

If you have any complaints regarding our compliance with this policy or unresolved privacy or data use concerns, you should first contact us. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information in accordance with this privacy policy.

Compliance

EndoSoft has appointed a Chief Privacy Officer. If you believe your services data has been used in a way that is not consistent with this policy, or if you have further questions related to this policy, please contact the Chief Privacy Officer through our inquiry form. Written inquiries may be addressed to:

Chief Privacy Officer,

EndoSoft LLC

135 Broadway
Schenectady NY 12305, USA