Privacy Policy - EU GDPR Addendum

Inflectra is considered the “data controller” for its website as defined within the GDPR. The following agreement applies solely to personal data held within the Inflectra website, and support help desk.

If you have GDPR-related questions about our cloud hosted services instead, please consult our Inflectra Cloud Hosting Terms of Service (ToS) which describes our responsibilities as “data processor” for our customers who act as “data controller” for the contracted services.

1. Lawful Basis for Processing

Data can only be processed if there is at least one lawful basis to do so. The lawful bases for processing data are:

the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
processing is necessary for compliance with a legal obligation to which the controller is subject.
processing is necessary in order to protect the vital interests of the data subject or of another natural person.
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

For use of the Inflectra website, the data subject either:

If a non-paying customer (and have requested information from us, or have signed up for a trial version of our products), you give us your consent to the use of your personal data to provide information that you have requested on Inflectra products and services
If a paying customer, the processing is needed for the performance of the contract between you (the customer) and Inflectra to deliver the service.

2. Responsibility and accountability

It is the responsibility and liability of the data controller to implement effective measures and be able to demonstrate the compliance of processing activities even if the processing is carried out by a data processor on behalf of the controller.

As a user of the Inflectra website, Inflectra is acting as the data controller for the personal data we receive from you when you access our website to learn about Inflectra and our products/services, and from you as a paying customer, using our website to manage your contracted service with us.

3. Consent

Where consent is used as the lawful basis for processing, consent must be explicit for data collected and the purposes data are used for (Article 7; defined in Article 4). Consent for children[16] must be given by the child’s parent or custodian, and verifiable (Article 8). Data controllers must be able to prove "consent" (opt-in) and consent may be withdrawn.

Inflectra obtains the following personal information with your consent on our website:

Visitors using the customer enquiry form or the blog enquiry forms will have their name, email address, country and (optionally) self-chosen industry stored in our website for a period of up to two years unless consent is withdrawn. This is for the purpose of providing useful information in response to their enquiry
Prospects signing up for a trial version of our software will have their name, email address, country IP address, and (optionally) self-chosen industry stored in our website for a period of thirty days (unless extended at their request) to provide them information related to their trial
- If they choose the option to receive “local contact” we will pass on their information to a partner company of Inflectra to assist them in their trial evaluation process
Customers purchasing software or services from Inflectra will have their name, email address, physical address, industry, and (optionally) phone number, and IP address stored in our customer database for the purposes of providing their service and communicating service updates and other contractual information with them.
Users submitting help desk tickets or forum posts through the support section of our website will have their name, email address, and country stored in our support web site.
- In addition, any user provided information relevant to the resolution of the support issue will also remain in our support system.

4. Right of access

The Right of Access (Article 15) is a data subject right.[20] This gives citizens the right to get access to their personal data and information about how these personal data are being processed. A Data Controller has to provide, upon request, an overview of the categories of data that are being processed (Article 15(1)(b)) as well as a copy of the actual data (Article 15(3)). Furthermore, the Data Controller has to inform the data subject on details about the processing such as; what the purposes are of the processing (Article 15(1)(a)), with whom the data are shared (Article 15(1)(c)) and how it acquired the data (Article 15(1)(g)).

As described in section (3), depending on how you interact with our website, and what consent you have given, Inflectra may have the following personal data stored about you:

First, Last Name, Middle Initial
Email Address
Country
Industry
IP Address
Mailing Address
Phone Number
History of Support Tickets
History for Forum Posts

If you as a user of our website request that we provide you a copy of your personal data in writing by means of our website or support help desk, upon verification of the request being genuine, we will provide your personal information in an industry standard format such as Excel, XML, or CSV that will allow you to use it somewhere else.

5. Right to erasure

A right to be forgotten was replaced by a more limited right to erasure in the version of the GDPR adopted by the European Parliament in March 2014.[21][22] Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds including non-compliance with article 6.1 (lawfulness) that includes a case (f) where the legitimate interests of the controller is overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

If you as a user of our website request that we delete your personal data in writing by means of our website or support help desk, upon verification of the request being genuine, we shall erase or obfuscate all requested personal data within a reasonable time (not to exceed five (5) business days). Should this request result in the inability for Inflectra to provide a contracted service (for example hosting a subscription of our software for you) we will inform you of the potential impact prior to performing the erasure.

In addition, visitors to the website who are not contracted customers, will have their personal data erased automatically after two (2) years if they do not continue to interact with the website or emails sent from Inflectra.

6. Data portability

A person shall be able to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller. Data that has been sufficiently anonymized is excluded, but data that have only been de-identified but remains possible to link to the individual in question, such as by him or her providing the relevant identifier, is not.

7. Data protection by Design and by Default

Data protection by Design and by Default (Article 25) requires that data protection is designed into the development of business processes for products and services. This requires that privacy settings must be set at a high level by default and that technical and procedural measures should be taken care by the controller in order to make sure that the processing, throughout the whole processing lifecycle, complies with the regulation. Controllers should also implement mechanisms to ensure that personal data are only processed when necessary for each specific purpose.

Inflectra has designed the security of its infrastructure used for providing its website in layers that build upon one another, from the physical security of data centers, to the security protections of hardware and software, to the processes used to support operational security. This layered protection creates a strong security foundation for the website.

In addition, Inflectra’s maintains certification under the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the Swiss-U.S. Data Privacy Framework for its website, which provides the legal mechanism for transfers of personal data outside the EU and Switzerland.

8. Records of processing activities

Records of processing activities must be maintained, that include purposes of the processing, categories involved and envisaged time limits. These records must be made available to the supervisory authority on request.[26] (article 30) to the data controller.

As outlined in sections (3) and (4) we have documented our data processing activities and will provide such records to the supervisory authority upon request.

9. Data breaches

Under the GDPR, the Data Controller will be under a legal obligation to notify the Supervisory Authority without undue delay. The reporting of a data breach is not subject to any de minimis standard and must be reported to the Supervisory Authority within 72 hours after having become aware of the data breach (Article 33). Individuals have to be notified if adverse impact is determined (Article 34). In addition, the data processor will have to notify the controller without undue delay after becoming aware of a personal data breach (Article 33).

Inflectra will report to the Supervisory Authority (SA) within 72 hours, as well as to affected users once we have determined there has been a data breach in our website.

10. Data Protection Officer

Where the processing is carried out by a public authority, except for courts or independent judicial authorities when acting in their judicial capacity, or where, in the private sector, processing is carried out by a controller whose core activities consist of processing operations that require regular and systematic monitoring of the data subjects, a person with expert knowledge of data protection law and practices should assist the data controller or data processor to monitor internal compliance with this Regulation.

Inflectra does not as its core activity, handle the data processing of operations that require regular and systematic monitoring of the data subjects, therefore Inflectra does not have a formal Data Protection Officer (DPO) for its website.

11. GDPR Representative

In the case where the Data Controller or Data Processor is not established in the EU, The GDPR representative shall be established in one of the Member States where the data subjects, whose personal data are processed in relation to the offering of goods or services to them, or whose behaviour is monitored, are. (Article 27 (4) GDPR)

In this context, 'representative' means a natural or legal person established in the Union who, designated by the controller or processor in writing pursuant to Article 27, represents the controller or processor with regard to their respective obligations under this Regulation. The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, supervisory authorities and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation.

Inflectra has officially designated the following legal person to be its GDPR representative: