Visier Data Transfer Impact Assessment Info Sheet

1. What categories of personal data does Visier process?

See Schedule 1 of the Visier Data Privacy Addendum (DPA) for information on the nature of our processing activities in connection with the provision of our services; the types of personal data we process and transfer; and the categories of data subjects.

2. Does Visier process any special categories of personal data?

See Schedule 1 of the Visier DPA. Visier customers may elect to transfer special categories of personal data but we do not require customers to submit this type of data.

3. For what purposes is customers’ personal data transferred to third countries?

The purposes for which we process customers’ personal data is described in Schedule 1 of the Visier DPA.

4. Who are the data importers associated with the transfer?

We use sub-processors to provide our services. These sub-processors may act as data importers. Our sub-processors are listed on the Visier Trust site and the list includes the details on location/country of each sub-processor.

5. Where is personal data transferred stored?

Customers choose one of the following data center locations: U.S., Germany, Canada, and Singapore. Customer data is stored exclusively in the selected region unless otherwise authorized by a customer.

6. Does Visier rely on adequacy decisions?

The European Commission (EC) has determined that certain countries outside the European Economic Area (EEA) adequately protect personal data, which means that data can be transferred from the European Union (EU) and Norway, Liechtenstein and Iceland to that third country without any further safeguard being necessary. The UK and Switzerland have approved similar adequacy decisions.

The UK and Canada’s privacy laws have been recognized by the EC as meeting the adequacy requirement for the protection of personal data.

7. Does Visier transfer personal data under the EU-U.S. Data Privacy Framework (EU-U.S. DPF)?

The U.S. Department of Commerce developed the EU-U.S. Data Privacy Framework (EU-U.S. DPF) to facilitate international data transfers. The EC has adopted an adequacy decision for the EU-U.S. DPF concluding that the US ensures an adequate level of protection for personal data transferred under the EU-U.S. DPF from a controller or processor in the EU to certified organizations in the US.

Following the adequacy decision, Visier relies on the EU-U.S. DPF as a legal basis for transfers of personal data from the EU to the U.S. Visier will rely on the UK extension to the EU-U.S. DPF and the Swiss-U.S. DPF when applicable local authorities approve the adequacy decisions. In the meantime, Visier continues, and will continue to offer a DPA which includes the SCCs as a transfer mechanism with every customer who needs one, in addition to reliance on the EU-U.S. DPF.

8. Does Visier have SCCs in place for personal data transfers to subsidiaries/affiliates and/or sub-processors?

We have concluded the SCCs with all data recipients including amongst the Visier group of companies.

9. Does Visier make onward transfers?

In order to provide our services, we may disclose customer data to our subsidiaries/affiliates and authorized sub-processors. These onward transfers are only made as necessary to deliver our services in accordance with our customers’ agreements and customers’ instructions.

10. Is Visier subject to any of the following US laws?

• Section 702 of the Foreign Intelligence Surveillance Act (FISA 702)
• Section 702 of the Foreign Intelligence Surveillance Act (FISA 702)
• Executive Order (EO) 12333
• Clarifying Lawful Overseas Use of Data (CLOUD) Act

We have no reason to believe that we or our US-based sub-processors would be subject to US surveillance under FISA 702, EO 12333, or the CLOUD Act.

FISA Section 702 allows US government authorities to issue orders to certain types of companies in the US about certain individuals located outside the US for the purposes of foreign intelligence information gathering. These orders may only be issued to “electronic communications service providers'' as defined under FISA. Our position is that we are not an “electronic communications service provider,” and as such are not subject to requests to access personal data under FISA 702.

EO 12333 authorizes intelligence agencies to conduct surveillance outside of the US, in particular, to collect foreign signals intelligence information collected from communications and other data passed by radio, wire and electromagnetic means. EO 12333 cannot authorize the US government to require any company or person to disclose data; instead, it must rely on a statute such as FISA 702 to collect data. In addition, bulk data collection is prohibited under EO 12333. We do not believe that EO 12333 introduces a substantial risk to our customers with respect to the use of our services. The type of data that our customers send to us as part of their use of the services do not constitute the types of data that are relevant for the US government during intelligence operations. Furthermore, we encrypt data when in transit and the risk of intercepting customer data in the clear is low.

The CLOUD Act is part of the US Stored Communications Act (SCA). The SCA only permits US public authorities to request data from “electronic communications service providers.” Our position is that our services are not an electronic communications service subject to the SCA. As such, we would not be subject to requests under the CLOUD Act for that data.

11. Is Visier subject to India government authority surveillance?

Surveillance in India takes place primarily under two laws - the Telegraph Act, 1885 and the Information Technology Act, 2000. A comprehensive data protection law to address the gap in existing frameworks for surveillance is yet to be enacted. Under the existing laws, the Indian government can intercept communications only in certain, limited situations and the Indian courts have stepped in several times against unlimited surveillance.

All India-based companies could be subject to clandestine surveillance by Indian government authorities for data in transit; however, we have no reason to believe our India-based sub-processors would be subject to Indian surveillance based on the types of data that our customers send to us as part of their use of the services.

12. Is Visier subject to Singapore public authority surveillance?

Public agencies in Singapore are not subject to the data protection provisions under the Singapore Personal Data Protection Act (PDPA); rather they have their own set of data protection rules which all public agencies must comply with.

There are certain laws in Singapore that empower Singapore authorities to access and seize data stored in Singapore, whether for domestic purposes or at the request of a foreign country. These laws include the Telecommunications Act; Official Secrets Act; Prevention of Corruption Act; Foreign Interference Act. However, depending on the laws there are safeguards in place in relation to the exercise of such power such as a requirement to obtain a court order.

All Singapore-based companies could be subject to clandestine surveillance by Singapore public authorities for data in transit; however, we have no reason to believe our Singapore-based sub-processors would be subject to Singapore surveillance based on the types of data that our customers send to us as part of their use of the services.

13. What is Visier’s experience dealing with government access requests?

To date, we have never received a US National Security Request, including requests for access under FISA 702, the CLOUD Act, or direct access under EO 12333, in connection with customers’ personal data.

In addition, we have never disclosed any personal data from any customer to any government authority.

14. What supplementary measures does Visier apply to protect the transferred data?

We take privacy and security of our customers’ data seriously and have implemented technical, contractual, and organizational measures to safeguard the data entrusted to us.

Technical measures:

• All personal data sent to us is encrypted in transit and at rest, including data stored in backups.
• Customers choose one of the following data center locations: U.S., Germany, Canada, and Singapore. While customer data may be accessed from outside the chosen location, for example, when a support request is opened and one of our team members needs access to the data to provide assistance, customer data is never stored in a separate or different region.
• Upon expiration or termination of the customer agreement, or upon request from a customer, we delete and/or destroy all customer data within thirty (30) days.
• We undergo an annual SOC2 Type II audit using an internationally recognized accounting firm and maintain a formal information security program.
• See our Customer Data Safeguards Policy on the Visier Trust site for more information.

Contractual measures:

• We offer a DPA with SCCs as a transfer mechanism with every customer who requests one, and with every sub-processor to whom we may transfer our customers’ data.
• Our DPAs with sub-processors require at least the same level of protection as our DPA with our customers, and they always include the SCCs as a transfer mechanism.

Organizational measures:

• Before we engage a new sub-processor, we conduct a comprehensive vendor assessment including reviewing the vendor’s privacy and security practices to ensure they meet our standards. We require sub-processors to sign a DPA with SCCs that provides protections at least as protective as those in our DPA with customers.
• We conduct annual audits including a SOC2 Type II audit to ensure compliance with technical and organizational measures and we make our relevant audit reports available to customers.
• We enforce strict security and access controls to ensure that only limited and authorized team members have access to customers’ personal data as required to perform their job functions.
• We have dedicated privacy and security teams responsible for maintaining and enforcing internal policies, standards and controls.
• All employees are required to complete mandatory privacy and security training on an annual basis and employees with access to customer data must complete additional training.
• We design the Visier solution with privacy-in-mind. We incorporate privacy assessments and reviews into the product development lifecycle for all new functions, features, and content. Visier’s Head of Privacy is a stakeholder in the go no-go decision for all releases and before they become generally available.

To learn more, please visit the Visier Trust site.

15. Where are Visier’s DTIAs?

We have conducted our own DTIAs with respect to processing of personal data in connection with Visier services. These assessments include legal interpretation and analysis and we do not provide legal counsel or results of internal assessments to customers. Customers must conduct their own assessment with respect to their use of Visier services.

If you have specific questions not covered in this info sheet please contact us at privacy@visier.com.

16. When will this DTIA info sheet be updated?

The global privacy landscape is constantly evolving and we are committed to continuously monitor all developments and guidance from national supervisory authorities and other regulatory bodies.

We will update this info sheet from time to time to reconsider risks involved, and the measures implemented, as it relates to personal data transfers.