Privacy Policy

360inControl Privacy Policy Website & Software as a Service (SaaS) Platform

Version 1.0, April 29th 2018

1.   Area of Application

(1)   CISS – Comprehensive Information Security Switzerland GmbH of Switzerland [Provider] provides a closed, secured and self-managed area [Tenant] of the “360inControl Software as a Service (SaaS) Platform” [360inControl] to LICENSEES.

(2)   LICENSEE can be an individual person or a legal entity.

(3)   Every LICENSEE can invite individuals [USER] to its Tenant to use the system functionality licensed by the LICENSEE.

(4)   Invited USERS registering to 360inControl are managed in a central and secured directory.

(5)   A USER can be anonymously invited to one or more Tenants.

(6)   This Privacy Policy in combination with the current version of the license agreement constitutes the entire agreement between the USER of 360inControl and CISS GmbH, the provider of 360inControl.

2.   Parties & Terms Acceptance

(7)   LICENSEES and USERS need to accept the current version of the license agreement and this policy before any information is stored in 360inControl and the USER profile is created.

3.   Data Privacy Statement

(8)   The Provider is fully committed to Data Protection and individual Data Privacy rights. All relevant information about 360inControl is available to individuals before any personal information is stored.

(9)   Everybody can invite somebody to register to 360inControl using the email address of the recipient. The system stores the provided eMail address for a maximum of 96 hours and sends the recipient a mail to confirm ownership. If the recipient does not actively register within the defined time period, the system drops the invitation and all information.

(10)  The USER must agree to the license agreement and the Privacy Policy (this document) before any data is stored.

4.   Personal Information processed and purpose

(11)  The main purpose for collecting the personal information is to

1.     enable the USER to use the functionality of 360inControl

2.     enable the LICENSEE (Tenant Administrator) to manage the USERS within their Tenant

3.     store e-mail addresses for newsletter registrants (website only)

(12)  360inControl is an Internal Control System (ICS) used to perform audits and assessments and to manage controls, inventories and risks. Additional functionality relevant for an Internal Control System might be added over time.

(13)  In the USER profile, the USER ID, the USER eMail, the first name and the USER last name are stored as mandatory fields.

(14)  By sending an invitation, the LICENSEE (Tenant Administrator) assigns a USER role to the USER which is stored in the profile.

(15)  A USER can act in multiple Tenants, in different roles.

(16)  360inControl will send an eMail notification to the USER. The USER can enable / disable notifications.

(17)  The Provider will send eMail notifications to the USER regarding:

1.     360inControl functionality e.g. new action items, overdue actions etc.

2.     New or updated functionality

3.     System availability

4.     Price plan expiration

5.     Support requests, including personal information revalidation request

6.     Warnings e.g. in case of cyber threats or attacks

(18)  If a Third-Party Service Provider contact is required, the Provider will ask the USER to contact the Third-Party Service Provider at his discretion.

(19)  The Provider will not sell or hand over the LICENSEE and Personal Information of USERS, except:

1.     To protect the rights of LICENSEE and USERS

2.     For governmental, legal or court reasons

3.     For defending and protecting the Provider's rights

4.     For solving technical problems e.g. payment conflicts

5.     To Third Party Service Providers acting on behalf of or supporting the Provider to operate 360inControl

(20)  The USER acknowledges the right and obligation of the Provider to monitor the system for

1.     creating a USER-specific dashboard

2.     availability, improvement and security purposes.

5.   Sensitive Personal Information processed and purpose

(21)  For the registration and usage of 360inControl the Provider does not request any Sensitive Personal Information to be stored.

(22)  Using 360inControl to process Sensitive Personal Information falls under the accountability of the LICENSEE:

1.     A thorough Privacy Impact Assessment is required.

2.     Potential additional security measures might be required.

(23)  The Provider cannot be held liable if USERS intentionally or unintentionally add any Sensitive Personal Information.

6.   Who has access to Personal Information?

(24)  The USER

1.     has access to and can edit its full profile

2.     can at any given point in time request the Provider to delete its USER profile.

(25)  Tenant Administrators/owners for their USER and Tenant management.

(26)  All USERS within a Tenant can see active USERS and e.g. add them to tasks, initiate a chat with them etc.

(27)  A limited number of CISS or Third-Party administrators has access to execute operational tasks.

(28)  A limited number of CISS or Third-Party support staff has access to answer support requests.

(29)  If needed, a limited number of CISS or Third-Party staff for incident response, business continuity and system enhancements.

(30)  Third parties to:

1.     Secure LICENSEES and USER information

2.     Fulfil legal and court requests

3.     Protect intellectual property rights of CISS GmbH or independent Third-Parties

7.   How long is Personal Information stored?

(31)  Personal Information is stored as long as the USER profile is active.

(32)  The Provider will regularly delete USER profiles that are not assigned to at least one Tenant.

8.   Individual rights regarding Personal Information

(33)  The USER (data subject) can request the deletion of its profile at any given point in time.

(34)  The USER has the right to request information about the personal data processed. The request needs to be submitted electronically using the provided Web form under www.360inControl.com or by eMail to info@ciss.ch with subject line “Personal Information Request” and will be answered electronically.

(35)  Until an automated USER self-service functionality is available, the Provider reserves the right to charge for requests if more than one request is raised within 12 months after submitting the last request. The requestor is informed beforehand.

(36)  All requested information is provided in one or multiple CSV files (comma separated values), to ensure portability. No other formats are supported.

9.   How is Personal Information protected?

(37)  The precautions taken by the Provider are outlined in the License Agreement & Terms of Usage, Chapter “System Security”.

(38)  The precautions under the accountability of the Third-Party Service Providers are outlined in the License Agreement & Terms of Usage, chapter “Third-Party Service Provider” and chapter “Obligations of the USERS”.

(39)  The precautions under the accountability of the USERS are outlined in the License Agreement & Terms of Usage, chapter “Obligations of the LICENSEE” and chapter “Obligations of the USERS”.

10.  Consent

(40)  With the explicit acceptance of the

1.     License Agreement and Terms of Usage

2.     Data Protection Policy

(41)  for 360inControl, the USER is made aware of its rights and accepts the usage for the described purpose.

11.  Data Protection Policy Changes

(42)  The Provider will distribute new versions of the License Agreement & Terms of Usage and the Data Protection Policy with enough lead time to the LICENSEE and all of its registered USERS.

(43)  The Provider decides case by case if the USER needs to explicitly accept changes and updates or if usage after a defined deadline is deemed acceptance. In any case, this is communicated upfront to all LICENSEES and USERS.

(44)  If appropriate, the Provider might send the USER digital announcements that need to be accepted to ensure evidence of acceptance.

12.  General

13.  This Provider Privacy Policy in combination with the current version of the license agreement constitutes the entire agreement.

14.  If any provision of this policy is determined by any court or other competent authority to be unlawful and/or unenforceable, the other provisions of this policy will continue to be in effect.

15.  This Policy shall be governed by and construed in accordance with Swiss law.

16.  The courts of Basel and Baselland, Switzerland shall have exclusive jurisdiction to adjudicate any dispute arising under or in connection with this agreement.