Privacy Center

Core Principles

There are five core principles that IHRDC adheres to when it comes to data privacy and protection – Consent, Security, Data Portability, Accountability & Transparency and Right to be Forgotten.

These core principles are intrinsic to how we operate as a company with each of our customers. Below are the ways in which we are enhancing our policies and procedures to address each principle.

Principle: Consent
IHRDC Compliance Efforts: IHRDC is in the process of reviewing all of the ways in which we process customer and user data. For each process we will provide methods for users to consent in advance of processing as well as withdrawing consent at a later time.
Principle: Security
IHRDC Compliance Efforts: IHRDC is working to enhance our systems to have security built into every layer of our product platforms. The infrastructure layers will include replication, backup, and disaster recovery planning. Network services already have encryption in transit and advanced threat detection. Our application services have impemented identity, authentication, and user permissions.
Principle: Data Portability
IHRDC Compliance Efforts: IHRDC is working to provide easily accessible method to honor requests to export user data. In the short-term, data may be provided through requests to our Support team. It is the long-term objective to provide automated ways for users to download their data in industry standard formats such as reports, CSV, XML, JSON, and others.
Principle: Accountability & Transparency
IHRDC Compliance Efforts: IHRDC will offer customers a robust data processing addendum containing strong privacy commitments that are aligned with the spirit of “lawfulness, fairness, and transparency” as expressed in Article 5(a). This addendum also contains specific provisions to assist customers in their compliance with the GDPR.
Principle: Right to be Forgotten
IHRDC Compliance Efforts: User data may need to be deleted in order to comply with data protection and privacy regulations. IHRDC is working on enhancing our products and processes to help you meet our obligations under the GDPR.

Our Privacy Policy was updated on January 31, 2023.

International Human Resources Development Corporation its affiliates and subsidiaries (collectively “IHRDC,” “we”, “our” or “us”) knows you care about how your Personal Information is used and shared, and we take your privacy seriously. Please read the following to learn more about our Privacy Policy. By using or accessing IHRDC’s Website or by using any of IHRDC’s materials or services (the “IHRDC Solution”) in any manner, you acknowledge that you accept the practices and policies outlined in this Privacy Policy, and you hereby consent that we may collect, use, and share your information in the following ways.

Changes to this Privacy Policy

IHRDC may make changes to this Privacy Policy. The most current version of the Privacy Policy will govern IHRDC’s use of information about you and will be located at https://ihrdc.com/about-ihrdc/privacy-center/. If IHRDC makes material changes to this Privacy Policy, IHRDC will notify you by posting a notice on our website and may send an email to the address IHRDC has on file for your account, if applicable.

This Privacy Policy explains:

The type of information we collect
How IHRDC collects your information, including tracking and cookies
How IHRDC uses your personal information
How you can correct or update the information IHRDC has
Rights to object or restrict processing of Personal Information
Who we may share information with
How we handle Do Not Track requests
Linked sites and services
Data security
Retention of your information
Notice of privacy rights to California residents
Notice of privacy rights to residents of the European Union Area
How to contact us

1. The Type of Information We Collect

IHRDC may collect information that you provide to IHRDC in connection with your use of the IHRDC Solution when you:

Register your account with IHRDC as a user of the IHRDC Solution (including through registration as an employee, contractor or other user of the IHRDC Solution on behalf of a IHRDC customer (“Customer”)
Make changes to your user profile information
Send email messages, forms, or other information to IHRDC or other users using the IHRDC Solution, or
Install, use or otherwise interact with the IHRDC Solution.

This information may include your first and last name, your address, email address, telephone number, your location, and any additional information you provide to IHRDC during the account registration process or via the IHRDC Solution.

IHRDC may also collect certain technical information about your use of the IHRDC Solution. This technical information may include technical information about your device(s), browser type and version, geo-location information, computer and connection information, statistics on page views, traffic to and from the IHRDC Solution, ad data, Wi-Fi connection information, internet protocol (“IP”) address, and standard web log information.

Additionally, when expressing an interest in obtaining additional information about the IHRDC Solution or registering to use the IHRDC Solution, we or a Customer may require you to provide us with personal contact information, such as your name, company name, address, phone number, and email address (“Required Information”). Although IHRDC uses third party service providers to process payments, when purchasing access to the IHRDC Solution, we may require a Customer to provide our payment processing service providers with financial and billing information, such as billing name and address, credit card number, and the number of employees within the Customer that will be using the IHRDC Solution (“Financial Information”). We may also ask an actual or prospective Customer to provide additional information, such as company annual revenues, number of employees, or industry (“Optional Information”). Required Contact Information, Billing Information, and Optional Information about Customers are referred to collectively as “Customer Data.”

2. How IHRDC Collects Your Information; Tracking and Cookies

When you register for an account with IHRDC either directly or through a Customer, we may ask you to provide us with certain information in order to create your account, and to provide you with our IHRDC Solution. This information is collected by us when you fill out forms that may be provided to you through the IHRDC Solution.

IHRDC, and third parties we interact with, including our third-party service providers, may use cookies, web beacons, hashed identifiers derived from email addresses for the purposes of cross-device tracking for targeted advertising, local shared objects (sometimes called “flash cookies”), and similar technologies in connection with your use of the IHRDC Solution to provide and support the IHRDC Solution (collectively referred to in this policy as “Cookies”). Cookies are small data files that may have unique identifiers, and reside, among other places, on your mobile device, in emails we send to you, and on our applications. Locally shared objects or “flash cookies” are data files that can be created on your computer by the websites you visit and are a way for websites to store information for later use. Locally stored objects are different than cookies because they are stored in different parts of your computer than cookies. Web beacons are small strings of code that provide a method for delivering a graphic image on a web page or in an email message for the purpose of transferring data.

If Cookies are used, they may be used to collect information about you and your use of the IHRDC Solution, such as your browser type, preferences, data relating to content that has been displayed to you or that you have clicked on, and the date and time of your use. Cookies may also be used in order to further features and processes on the IHRDC Solution, provide authentication and security for your transactions using the IHRDC Solution, store your preferences, facilitate relevant advertising, and help us learn more about how users engage with the IHRDC Solution.

We sometimes use service providers to help us provide certain products and services or to integrate other features. These third-party providers may collect information when you view or use them, including information about you and your device or browser. They may do this using Cookies or similar technologies. These third-party providers also may use these technologies to help share information with us, like how you use their website or application. To learn more about the information they collect or receive, review their privacy policies.

As part of using our IHRDC Solution, IHRDC’s Customers may submit to IHRDC electronic data or information (“Submitted Data”) that constitutes personal information of other individuals. Such data may include an individual’s name, email address, phone number or any other data that the Customer chooses to submit to us. IHRDC generally has no direct relationship with the individuals to whom Submitted Data may pertain. IHRDC processes Submitted Data on behalf of our Customers and any uses of Customer Data by IHRDC are done so pursuant to our Terms of IHRDC Solution or a separate agreement in place between IHRDC and the applicable Customer, which governs our treatment of Submitted Data.

3. How IHRDC Uses Your Information

IHRDC may use your information to:

Provide access to the IHRDC Solution to communicate with you
Personalize, customize, measure, and improve IHRDC’s products, services, content, and advertising
Prevent, detect, and investigate potentially prohibited or illegal activities or a breach of the applicable agreement(s) between you and IHRDC
Analyze the accuracy, effectiveness, usability, or popularity of the IHRDC Solution
Generate and review reports and data about IHRDC’s user base and IHRDC Solution usage patterns
Compile aggregate data for internal and external business purposes
Resolve disputes and troubleshoot problems; and
Contact you with information, including promotional, marketing, and advertising information and recommendations that IHRDC believes may be of interest to you.

Consistent with applicable laws, including United States CAN-SPAM laws, if you do not wish to receive commercial emails, you may unsubscribe following the instructions on any email. We may still send you administrative notices, however.

We endeavor to protect the privacy of your account and other Personal Information we hold in our records, but unfortunately, we cannot guarantee complete security. Unauthorized entry or use, hardware or software failure, and other factors, may compromise the security of user information at any time. In particular, you acknowledge that IHRDC is not responsible for any loss of any passwords or login information which you receive for access to the IHRDC Solution which results from your failure to keep that information secure.

4. Correcting and Updating Your Information

Customers may update or change their account information through their account settings accessible using the Customer account page included in the IHRDC Solution. Access to your IHRDC account page will require your IHRDC Solution username and password. To update your Information or to delete your account information, please email [email protected].

You can access or change your profile and contact information or delete your account through the IHRDC settings page. If you choose to delete or deactivate your account, you can no longer retrieve content or reactivate your account.

You have the right to request access to any Personal Information which IHRDC may have about you by contacting [email protected]. The information will be provided in a machine-readable format. You may also ask that we transfer the Personal Information to a third party, which we will do if technically feasible.

You also have the right to review, add and update your Personal Information. You may also request the deletion of your Personal Information where:

the personal information is no longer necessary in relation to the purposes for which it was collected or otherwise processed,
you withdraw consent to IHRDC’s possession of the information on which the processing is based and where there is no other legal ground for IHRDC’s retention of the information,
you object to IHRDC’s possession of the information and there is no overriding legitimate basis for the retention,
the personal information has been unlawfully obtained or processed, or
the personal information has to be erased for compliance with a legal obligation in the European Union or other law to which IHRDC is subject.

When you update information, however, we may maintain a copy of the unrevised information in our records. Some information may remain in our records after your deletion of such information from your account. We may use any aggregated data derived from or incorporating your Personal Information after you update or delete it, but not in a manner that would identify you personally.

If your individual personal information has been submitted to us by a Customer as Submitted Data and you wish to exercise any rights you may have to access, correct, amend, or delete such data, please first inquire with the Customer (or his/her organization) directly.

5. Consent to Commercial Electronic Messages

If you provide us with an email address, you expressly consent to receiving Commercial Electronic Messages from IHRDC about your use of the Website, the IHRDC Solution and our Products. If you have any questions about IHRDC’s Commercial Electronic Messages, you can contact IHRDC at:

International Human Resources Development Corporation
20 Park Plaza, Suite 900, Boston, MA 02116

Attention: Privacy Officer or by emailing [email protected]

In addition, you may opt out of receiving Commercial Electronic Messages at any time by emailing [email protected].

6. Rights to Object or Restrict Processing of Personal Information

If IHRDC has your Personal Information as a result of your relationship with one of IHRDC’s Customers, you should first contact that Customer before contacting IHRDC. You may, however, at any time revoke your consent to the collection, processing and use of your Personal Information by emailing [email protected]. Upon receipt of your request, IHRDC will delete your personal data provided IHRDC may retain any data which is required for billing and accounting purposes or which is subject to legal retention requirements. In addition, if you discover any errors in data, you may contact us by emailing [email protected] and we will correct it. You can always opt not to disclose information to us, but keep in mind some information may be needed to take advantage of product features or may be required by your relationship with one of IHRDC’s customers.

7. Right to be informed of appropriate safeguards where Personal Information is Transferred to a Third Country or to an International Organization

IHRDC enters into agreements with its customers regarding the safeguards that have been put in place to protect your Personal Information for transfer outside of Switzerland or the European Economic Area. For transfers to countries without an adequacy decision by Switzerland or the European Commission, IHRDC puts appropriate safeguards through contractual obligations.

8. Who We May Share Information With

IHRDC may disclose the information we collect from you to the following third parties:

Users of the IHRDC Solution; Public Information. When you share information with us via the IHRDC Solution, IHRDC may share your information to other users, in accordance with the privacy settings you or the respective Customer has chosen for your account or that are applicable to that information. To the extent you share any information to a public audience or via a publicly accessible portion of the IHRDC Solution such as an online customer community or forum, that information may be available to anyone who has access to that customer community or forum.

IHRDC’s Solution Providers. IHRDC may share your information with third-party contractors, agents, collaborators, or service providers who provide certain services to IHRDC or on IHRDC’s behalf, such as operating and supporting the IHRDC Solution. IHRDC may also request your information from a previous service provider, which we need to provide our services to you. Alternatively, IHRDC may pass on your information to a service provider that IHRDC Customers have chosen to replace IHRDC.

Companies that Acquire IHRDC’s Business or Assets. If IHRDC becomes involved in a merger, acquisition, sale of assets, securities offering, bankruptcy, reorganization, or dissolution or if the ownership of all or substantially all of IHRDC’s business relating to the IHRDC Solution otherwise changes, IHRDC may provide your information to a third party or parties in connection with the applicable transaction.

IHRDC’s Affiliates. IHRDC may share some or all of your information with IHRDC’s parent company, subsidiaries and corporate affiliates, joint ventures or other companies under common control with IHRDC.

IHRDC Customers. If IHRDC has received your information as part of Submitted Data, IHRDC may share that information, or any modifications or revisions to that information with that Customer.

Switching IHRDC Solution Providers. IHRDC may request your information from your previous service provider, which we need to provide our services to you. Alternatively, IHRDC may pass on your information to a service provider that you have chosen to replace IHRDC.

Aggregate Information. IHRDC may share information relating to our visitors and users with affiliated or unaffiliated third parties on an aggregate basis, however this information will not identify you personally.

Legal Requirements. IHRDC may share your information with law enforcement, governmental agencies, or authorized third parties, in response to a request relating to a criminal investigation or alleged illegal activity or any other activity that may expose IHRDC, you, or any other IHRDC user to legal liability, or to protect IHRDC’s rights or property, or during emergencies when safety is at risk. IHRDC may also share your information in response to court orders, subpoenas, or other legal or regulatory requests, and IHRDC may provide access to your information to IHRDC’s legal counsel and other consultants in connection with actual or potential litigation. IHRDC shall remain liable under the Principles if its agent processes such personal information in a manner inconsistent with the Principles, unless IHRDC proves that it is not responsible for the event giving rise to the damage.

9. How We Handle “Do Not Track” Requests

You may be able to adjust your browser settings or other settings so that “do not track” requests are sent to our websites and mobile applications. IHRDC does not use any tracking technology that would respond to any “do not track” requests that are sent to our services. IHRDC does not collect personally identifiable information about your online activities over time and across different websites when you use the IHRDC Solution; however, certain service providers that use Cookies may collect your personally identifiable information over time and across different websites.

10. Linked Sites and IHRDC Solution

IHRDC’s website or application may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

11. Data Security

IHRDC takes reasonable measures to protect the information you provide to IHRDC or submit through the IHRDC Solution against misuse, loss, theft, unauthorized use, disclosure, or modification. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk and your information may be disclosed to third parties in unforeseeable situations or situations that are not preventable even when commercially reasonably protections are employed, such as in the case that IHRDC or if the IHRDC Solution are subject to a hacking or other attack. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.

12. Retention of Your Information

We retain information about you only for as long as it is necessary and relevant for IHRDC’s operations, and for IHRDC’s customers to work with their consumers. Information about you that is no longer necessary and relevant for IHRDC’s operations will be disposed of securely. IHRDC may also retain information collected from you to comply with the law, prevent fraud, resolve disputes, troubleshoot problems, assist with any investigation, and take other actions permitted by law or disclosed in this Privacy Policy.

13. Notice of Privacy Rights to California Residents

Specific disclosures for California residents as required by the California Consumer Privacy Act and the California Privacy Rights and Enforcement Act are set out in the Schedule below titled “CALIFORNIA RESIDENTS – CCPA”.

14. Notice of Privacy Rights to Residents of the European Economic Area and of the United Kingdom

You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at [email protected]

IHRDC may be contacted in the European Union for data protection matters, pursuant to Article 27 of the General Data Protection Regulation of the European Union at:

International Human Resources Development Corporation
Amsterdam, The Netherlands
Tel: +31 6 5494 8251

IHRDC may be contacted in the United Kingdom for data protection matters at:

IHRDC / U.K.
6 The Windmills, St. Mary’s Close,
Turk Street, Alton, GU34 1EF, UK
Tel: +44 (0) 1420 543 427

15. How to Contact Us

If you have questions or complaints regarding IHRDC’s Privacy Policy or practices, please contact [email protected] or via postal mail at

International Human Resources Development Corporation
20 Park Plaza, Suite 900
Boston, MA 02116
United States

Attention: Privacy Officer.

Effective January 31, 2023

CALIFORNIA RESIDENTS – CCPA

This section contains disclosures required by the California Consumer Privacy Act (“CCPA”) and applies only to “personal information” of California residents that is subject to the CCPA.

We collect, use, share and sell the categories of personal information about California consumers as set out in the table below.

CCPA category reference	Categories of Personal Information	Collected in the last 12 months:	Categories of sources from which information may be collected:	Business or commercial purposes for collection, use, and sharing:	May be disclosed for business purposes to the following categories of third parties:	May be sold to the following categories of third parties:
A.	Personal and online identifiers (such as first and last name, email address, or unique online identifiers)	Yes	From users, corporate customers and third party data vendors	Website improvement, user authentication, security, provision of IHRDC Solution and Website services, marketing,	Service providers and IHRDC customers	None
B.	Categories of information described in Section 1798.80 of the California Civil Code (such as name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories)	No	N/A	N/A	N/A	N/A
C. Protected classification characteristics under California or federal law.	Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).	Yes	From users, and IHRDC customers	Provision of the IHRDC Solution to IHRDC customers	IHRDC Customers	None
D. Commercial information.	Commercial or transactions information (such as records of personal property or products or services purchased, obtained or considered)	No	N/A	N/A	N/A	N/A
E. Biometric information.	Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.	No	N/A	N/A	N/A	N/A
F. Internet or other similar network activity.	Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.	Yes	Directly from users and from third party data vendors	Analytics and IHRDC Solution and Website improvement, user authentication, security, provision of IHRDC Solution and Website services, marketing	Service providers and IHRDC customers	None
G. Geolocation data.	Physical location or movements.	Yes	Directly from user.	Analytics and IHRDC Solution and Website improvement, user authentication, security, provision of IHRDC Solution and Website services, marketing	Service providers and IHRDC customers	None
H. Sensory data.	Audio, electronic, visual, thermal, olfactory, or similar information.	No	N/A	N/A	N/A	N/A
I. Professional or employment-related information.	Current or past job history or performance evaluations.	Yes	IHRDC customers	IHRDC Solution improvement, user authentication, security, provision of IHRDC Solution	IHRDC customers	None
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99).	Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.	No	N/A	N/A	N/A	N/A
K. Inferences drawn from other personal information.	Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	Yes	Directly from users, from vendors of analytics services and from third party data vendors	Analytics and IHRDC Solution and Website improvement, marketing	Service providers and IHRDC customers	None

Business and commercial purposes

The business and commercial purposes set out above are described in more detail in the section entitled “HOW WE USE YOUR PERSONAL INFORMATION”

Exercising your CCPA rights

Requests for Deletion, Right to Know, and Do Not Sell. Subject to certain exceptions, California consumers have the right to make the following requests, at no charge:

Deletion: the right to request deletion of the personal information that we have collected about you, subject to certain exemptions (such as where the information is used by us to detect security incidents, debugging or to comply with a legal obligation).

Right to Know: the right to request (not more often than twice a year) that we disclose certain information about how we have handled your personal information in the prior 12 months, including the:

categories of personal information collected
specific pieces of personal information collected
categories of sources of personal information
the purposes for which we use the personal information
categories of third parties with whom we have shared your personal information
categories of personal information that we have disclosed or sold to a third party

Do Not Sell: the right to request, absent an exception, that we stop selling your personal information (“opt-out”) except where you later provide authorization for us to do so. We will wait at least 12 months before asking you to opt back into the sale of your personal information.

Non-Discrimination. We will not discriminate against you for exercising any of your CCPA rights. However, many features of our Site and Services will not function without your personal information. Unless permitted by the CCPA, we will not deny you products or services, charge you a different price, or provide a different level or quality of products or services just because you exercised your rights under the CCPA.

Submitting Requests. You can exercise your CCPA rights by submitting a request to our data privacy team at [email protected]. You may also open a request using our Privacy Contact form.

We will respond to all CCPA requests within the period of time set out by the regulation.

Verification. When you submit your request, we will take steps to verify your identity. We will seek to match the information in your request to the personal information we maintain about you. We will only complete your request where we are satisfied that we have verified your identity to a reasonably degree of certainty.

Authorized Agents. To the extent the CCPA allows California consumers to designate an authorized agent to exercise their rights under the CCPA, you must provide a signed authorization directing such agent to act on your behalf as part of your access request.

Your California Privacy Rights under California’s Shine-the-Light Law

Under California’s “Shine the Light” law (Cal. Civ. Code § 1798.83), California residents who provide us certain personal information are entitled to request and obtain from us, free of charge, information about the personal information (if any) we have shared with third parties for their own direct marketing use. Such requests may be made once per calendar year pertaining to any relevant third-party sharing in the prior calendar year. If you are a current California resident, you may make a Request by attesting to the fact that you are a California resident and providing a current California address in the Request Details section of the form.

Security

Security, Compliance and Privacy

Objectives: IHRDC shall implement data security measures that are consistent with industry best practices and standards such that IHRDC:
1. Protects the privacy, confidentiality, integrity, and availability of all data which is disclosed by Customer to or otherwise comes into the possession of IHRDC (“Data”), its affiliates or sub-contractors, directly or indirectly as a result of this Agreement, including but not limited to Customer’s Confidential Information and any Customer personally identifiable information;
2. Protects against accidental, unauthorized, unauthenticated, or unlawful access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of the Customer Data including, but not limited to, identity theft;
3. Complies with all federal, state, and local laws, rules, regulations, directives and decisions (each, to the extent having the force of law) that are relevant to the handling, processing, storing or use of Customer Data in accordance with this Agreement;
4. Manages, controls and remediates any threats identified in the Risk Assessments findings that could result in unauthorized access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of any of the Customer Data, including without limitation identity theft; and
5. Complies with and implements the risk policies listed in this document, together with the data protection and confidentiality obligations of the Agreement.
Organization Security Measures:
1. Environment: IHRDC shall provide assurance that it sets the foundation for the necessary tone, discipline, and structure to influence the control consciousness of its people necessary, and for the services provided to Customer, and/or Customer’s Customers.
2. Responsibility: IHRDC shall assign responsibility for information security management to appropriate skilled and senior personnel.
3. Qualification of Employees: IHRDC shall implement and maintain appropriate security measures and procedures, including background checks following industry best practices, to restrict access to information systems used in connection with this Agreement or to Customer information to only those personnel who are reliable, have sufficient technical expertise for the role assigned, and have personal integrity.
4. Obligations of Employees: IHRDC shall Implement and maintain appropriate security measures and procedures in order to verify that any personnel accessing the Customer Information or information systems used in connection with this Agreement knows his or her obligations and the consequences of any security breach, and have read and agree to comply with all applicable Customer Information Security Policies and Standards.
5. Segregation of Duties: IHRDC shall provide reasonable assurance the organization of personnel provides adequate segregation of duties between incompatible functions.
Physical Security Measures:
1. Physical Security and Access Control – IHRDC shall ensure that all systems hosting Customer Data and/or providing services on behalf of Customer are maintained consistent with industry best practices and standards in a physically secure environment that prevents unauthorized access, with access restrictions at physical locations containing Customer Data, such as buildings, computer facilities, and records storage facilities, designed and implemented to permit access only to authorized individuals and to detect any unauthorized access that may occur, including without limitation 24 x 7 security personnel at all relevant locations (“Customer Secure Area”).
2. Physical Security for Media – IHRDC shall implement and maintain appropriate security measures and procedures consistent with industry best practices and standards to prevent the unauthorized viewing, copying, alteration or removal of any media containing Customer Data, wherever located.
3. Media Destruction – IHRDC shall implement and maintain appropriate security measures and procedures consistent with industry best practices and standards to destroy removable media and any mobile device (such as discs, UBS drives, DVDs, back-up tapes, laptops and PDAs) containing Customer Data where such media or mobile device is no longer used, or alternatively to render Customer Data on such removable media or mobile device unintelligible and not capable of reconstruction by any technical means before re-use of such removable media is allowed.
Computer System Access Control Measures:
1. Access Controls – IHRDC shall implement and maintain appropriate security measures and procedures consistent with industry best practices and standards to ensure the logical separation such that access to all systems hosting Customer Data and/or being used to provide services to Customer shall: be protected through the use of access control systems that uniquely identify each individual requiring access, grant access only to authorized individuals and based on the principle of least privileges, prevent unauthorized persons from gaining access to Customer Data, appropriately limit and control the scope of access granted to any authorized person, and log all relevant access events. These security measures and procedures shall include, but shall not be limited to:
2. Access Rights Policies – IHRDC shall implement appropriate policies and procedures regarding the granting of access rights to Customer Data in IHRDC’s possession or control, in order to ensure that only the personnel expressly authorized pursuant to the terms of the Agreement or by Customer in writing may create, modify or cancel the rights of access of the personnel. IHRDC shall maintain an accurate and up to date list of all personnel who have access to the Customer Data and shall have the facility to promptly disable access by any individual personnel. For purposes of this Schedule, the term “personnel” as to Customer or IHRDC shall mean such Party’s employees, consultants, subcontractor or other agents.
Intrusion Detection/Prevention and Malware:
1. IHRDC shall use appropriate security measures and procedures (i) to ensure that Customer Data in IHRDC’s possession and control, and /or systems being used to provide Services, is protected against the risk of intrusion and the effects of viruses, Trojan horses, worms, and other forms of malware, and (ii) to monitor and record each and every instance of access to the IHRDC’s assets and information systems and to Customer Data to detect the same, and to promptly respond to the same. If any malicious code is found to have been introduced by IHRDC or any third party into any of IHRDC’s information systems handling or holding Customer Data, IHRDC shall take appropriate measures to prevent any unauthorized access or disclosure of any Customer Data and in any case (wherever such code originated), IHRDC shall, at no additional charge to Customer, remove such malicious code and eliminate the effects of the malicious code. If such malicious code causes a loss of operational efficiency or loss of data, IHRDC shall monitor such losses and restore such lost data in accordance with the terms of the Agreement. Unless, and to the extent, prohibited by law enforcement authorities, IHRDC shall immediately notify Customer’s Chief Information Security Officer if it knows or reasonably suspects that there has been an actual instances of unauthorized access to the Customer Data and/or systems holding or handling Customer Data and shall cooperate fully in assisting Customer as necessary to enable Customer to comply with its statutory and other legal breach notice requirements, if any.
Incident Response Measures – IHRDC shall implement and maintain appropriate incident response measures and procedures for systems that handle or hold Customer Data, including, but not limited to:
1. Operational problems and security incidents are detected, reported, logged, and resolved in a timely manner.
2. Processing is appropriately authorized, scheduled, and that deviations from scheduled processing are detected, reported, logged, and resolved in a timely manner.
3. System availability, performance and capacity are routinely monitored to help ensure potential issues are detected, reported, logged, and resolved in a timely manner.
4. Networks are routinely monitored for availability and response times to help ensure potential issues are detected, reported, logged, and resolved in a timely manner.
Data Management Controls Measures:
1. Customer Data – Customer Data must only be used by IHRDC for the purposes specified in this Agreement.
2. Customer Production Data – Where access is given to Customer Data on any Customer production system, unless otherwise agreed to in writing by Customer, IHRDC must not and shall procure that its personnel and sub-contractors shall not copy, download or store such Customer Data on any desktop, server or other device at any Location, in IHRDC’s or its personnel’s possession or otherwise.
3. Data Integrity Controls – Implementing and maintaining appropriate security measures and procedures to protect the integrity of the Customer Data in IHRDC’s possession or control, to prevent the unauthorized recording, alteration or erasure of such Customer Data, and to ensure that it is subsequently possible to determine when, by whom and which Customer Data were recorded, altered or erased.
4. Data Destruction – Implementing and maintaining appropriate security measures and procedures to destroy Customer Data in IHRDC’s possession or control when appropriate and in accordance with the Agreement. At the request of Customer at any time, IHRDC will: (i) promptly return to Customer, in the format and on the media reasonably requested by Customer, all or any part of Customer Data; and (ii) erase or destroy all or any part of Customer Data in IHRDC’s possession, in each case to the extent so requested by Customer.
5. Software Patching – Implementing and maintaining appropriate security measures and procedures in order to ensure the regular update and patching of all computer software on systems that handle or hold Customer Data to eliminate vulnerabilities and remove flaws that could otherwise facilitate security breaches. Patching schedule and regular verification access and/or reporting shall be mutually agreed upon by Customer and IHRDC.
6. Virus Management – IHRDC shall implement and maintain appropriate security measures and procedures designed to provide antivirus and spyware software protection to IHRDC’s systems that handle or hold Customer Data, using the most recently distributed version of software.

SCC

Standard Contractual Clauses

Where Personal Data is transferred from EEA countries to countries outside the EEA in the course of provision of the IHRDC Solution, that transfer is subject to the terms set out in the EU Standard Contractual Clauses below.

EUROPEAN COMMISSION
DIRECTORATE-GENERAL JUSTICE
Directorate C: Fundamental rights and Union citizenship
Unit C.3: Data protection

Commission Decision C(2010)593

Standard Contractual Clauses (processors)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection

The entity, individual or organization who accesses or uses the IHRDC Solution

(the data exporter)

And

Name of the data importing organisation:

International Human Resources Development Corporation

Address: 20 Park Plaza, Suite 900

Boston, MA 02116

Tel.: [1](617)536-0202

e-mail:[email protected]

(the data importer)

each a “party”; together “the parties”,

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
‘the data exporter‘ means the controller who transfers the personal data;
‘the data importer‘ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
‘the subprocessor‘ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
‘the applicable data protection law‘ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
‘technical and organisational security measures‘ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
that it will ensure compliance with the security measures;
that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
that it will promptly notify the data exporter about:
1. any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,
2. any accidental or unauthorised access, and
3. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
that the processing services by the subprocessor will be carried out in accordance with Clause 11;
to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.
If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.
If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
1. (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
2. (b) to refer the dispute to the courts in the Member State in which the data exporter is established.
The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.
The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.
The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5 (j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph 1.

On behalf of the data exporter:

Agreed to by the data exporter by accessing or using the IHRDC Solution.

On behalf of the data importer:

Name (written out in full):	Timothy Donahue
Position:	Vice President, e-Learning and Knowledge Solutions
Address:	International Human Resources Development Corporation, 20 Park Plaza, Suite 900, Boston, MA 02116

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter
The data exporter is (please specify briefly your activities relevant to the transfer):
transferring the data to the data importer in connection with the data exporter’s use of the data importer’s Instructional, e-Learning, Kowledge and Competency Solutions (collectively, the “IHRDC Solution”).

Data importer
The data importer is a provider of Instructional, e-Learning, Kowledge and Competency Solutions.

Data subjects
The personal data transferred may concern data which relate to a living individual who can be identified (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Categories of data
The data exporter shall identify to the data importer any categories of personal data transferred.

Processing operations
The personal data transferred will be subject to the following basic processing activities:
tracking and processing related to the use of the IHRDC Solution by the individual and the Data Exporter. The Data Exporter acknowledges that the Data Importer may use third party data hosts such as Amazon Web Services as sub-processors in connection with its processing operations.

DATA EXPORTER

Agreed to by the data exporter by accessing or using the IHRDC Solution.

DATA IMPORTER

Name: International Human Resources Development Corporation

APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Technical and Organizational Measures. The following sections define the current security measures established by IHRDC. IHRDC may change these at any time without notice by keeping a comparable or better level of security. This may mean that individual measures are replaced by new measures that serve the same purpose without diminishing the security level.
1. Physical Access Control: Unauthorized persons shall be prevented from gaining physical access to premises, buildings or rooms where data processing systems are located which process and/or use Personal Data.:
  1. All data centers adhere to strict security procedures enforced by guards, surveillance cameras, motion detectors, access control mechanisms and other measures to prevent equipment and data center facilities from being compromised. Only authorized representatives have access to systems and infrastructure within the data center facilities. To ensure proper functionality, physical security equipment (e.g. motion sensors, cameras, etc.) are maintained on a regular basis. In detail, the following physical security measures are implemented at all data centers:
  2. IHRDC protects its assets and facilities using the appropriate means based on a security classification conducted by an internal security department.
  3. In general, buildings are secured through access control systems (smart card access system).
  4. As a minimum requirement, the outermost shell of the building must be fitted with a certified key system including modern, active key management.
  5. Depending on the security classification, buildings, individual areas and surrounding premises are further protected by additional measures. These include specific access profiles, video surveillance, intruder alarm systems and biometric access control systems.
  6. Access rights will be granted to authorized persons on an individual basis according to the System and Data Access Control measures (see Section 1.b and 1.c below). This also applies to visitor access. Guests and visitors to IHRDC buildings must register their names at reception and must be accompanied by authorized IHRDC personnel. IHRDC and all third party data center providers are logging the names and times of persons entering the private areas of IHRDC within the data centers.
2. System Access Control: Data processing systems used to provide the IHRDC Solution must be prevented from being used without authorization.:
  1. Multiple authorization levels are used to grant access to sensitive systems including those storing and processing Personal Data. Processes are in place to ensure that authorized users have the appropriate authorization to add, delete, or modify users.
  2. All users access IHRDC’s systems with a unique identifier (user ID).
  3. IHRDC has procedures in place to ensure that requested authorization changes are implemented only in accordance with the guidelines (for example, no rights are granted without authorization). If a user leaves the company, its access rights are revoked.
  4. IHRDC has established a password policy that prohibits the sharing of passwords, governs what to do if a password is disclosed, requires passwords to be changed on a regular basis and default passwords to be altered. Personalized user IDs are assigned for authentication. All passwords must fulfill defined minimum requirements and are stored in encrypted form. In case of domain passwords, the system forces a password change every six months complying with the requirements for complex passwords. Each computer has a password-protected screensaver.
  5. The company network is protected from the public network by firewalls.
  6. IHRDC uses up–to-date antivirus software at access points to the company network (for e-mail accounts) and on all file servers and all workstations.
  7. A security patch management is implemented to ensure deployment of relevant security updates.
  8. Full remote access to IHRDC’s corporate network and critical infrastructure is protected by strong authentication.
3. Data Access Control: Persons entitled to use data processing systems shall gain access only to the Personal Data that they have a right to access, and Personal Data must not be read, copied, modified or removed without authorization in the course of processing, use and storage.:
  1. Access to personal, confidential or sensitive information is granted on a need-to-know basis. In other words, employees or external third parties have access to the information that they require in order to complete their work. IHRDC uses authorization concepts that document how authorizations are assigned and which authorizations are assigned. All personal, confidential, or otherwise sensitive data is protected in accordance with the IHRDC security policies and standards.
  2. All production servers of any IHRDC Solution are operated in the relevant data centers/server rooms. Security measures that protect applications processing personal, confidential or other sensitive information are regularly checked. To this end, IHRDC conducts internal and external security checks and penetration tests on the IT systems.
  3. IHRDC does not allow the installation of personal software or other software not approved by IHRDC to systems being used for any IHRDC Solution.
  4. iv. A IHRDC security standard governs how data and data carriers are deleted or destroyed.
4. Data Transmission Control: Personal Data must not be read, copied, modified or removed without authorization during transfer.:
  1. Where data carriers are physically transported, adequate measures are implemented at IHRDC to ensure the agreed service levels (for example, encryption, and lead-lined containers).
  2. Personal Data transfer over IHRDC internal networks are protected as any other confidential data according to IHRDC Security Policy.
  3. When the data is being transferred between IHRDC and its customers, the protection measures for the transferred Personal Data are mutually agreed upon and made part of the Agreement. This applies to both physical and network based data transfer. In any case the Customer assumes responsibility for any data transfer from IHRDC’s Point of Demarcation (e.g. outgoing firewall of the IHRDC data center which hosts the IHRDC Solution).
5. Data Input Control: It shall be possible to retrospectively examine and establish whether and by whom at IHRDC Personal Data have been entered, modified or removed from data processing systems used to provide the IHRDC Solution.:
  1. IHRDC only allows authorized persons to access Personal Data as required in the course of their work. IHRDC implemented a logging system for input, modification and deletion, or blocking of Personal Data by IHRDC or its Subprocessors to the greatest extent supported by the IHRDC Solution.
6. Job Control: Personal Data being processed on commission shall be processed solely in accordance with the Agreement and related instructions of the Customer.:
  1. IHRDC uses controls and processes to ensure compliance with contracts between IHRDC and its customers, Subprocessors or other service providers.
  2. As part of the IHRDC Security Policy, Customer Data requires at least the same protection level as “confidential” information.
  3. All IHRDC employees and contractual partners are contractually bound to respect the confidentiality of all sensitive information including trade secrets of IHRDC customers and partners.
7. Availability Control: Personal Data shall be protected against accidental or unauthorized destruction or loss.:
  1. IHRDC employs backup processes and other measures that ensure rapid restoration of business critical systems as and when necessary.
  2. IHRDC uses uninterrupted power supplies (for example: UPS, batteries, generators, etc.) to ensure power availability to the data centers.
  3. IHRDC has defined contingency plans as well as business and disaster recovery strategies for IHRDC Solution.
  4. Emergency processes and systems are regularly tested.
8. Data Separation Control: Personal Data collected for different purposes can be processed separately.:
  1. IHRDC uses the technical capabilities of the deployed software to achieve data separation between Personal Data from one and any other customer.
  2. IHRDC maintains dedicated instances for each Customer.
  3. Customers have access only to their own Customer instance(s).
9. Data Integrity Control: Ensures that Personal Data will remain intact, complete and current during processing activities:
  1. IHRDC has implemented a defense strategy in several layers as a protection against unauthorized modifications.
  2. This refers to controls as stated in the control and measure sections as described above. In particular:
    1. Firewalls;
    2. Security Monitoring Center;
    3. Antivirus software;
    4. Backup and recovery; and

Terms of Use

ACCEPTABLE USE POLICY

1. INTRODUCTION. This acceptable use policy (the “AUP”) specifies guidelines for users of the hosted version of the IHRDC Services (the “IHRDC Solution”). By using the IHRDC Solution, you agree to the latest version of the AUP. IHRDC may modify the AUP at any time by posting a revised version on IHRDC’s website. If you violate the AUP or authorize or help others to do so, we may suspend or terminate your use of the IHRDC Solution.

2. ACCEPTABLE USE POLICY. The IHRDC Solution shall not be used by any person or entity:

a. in any way that violates any applicable federal, state, local, or international law or regulation;
b. for fraudulent purposes;
c. for the purpose of exploiting, harming, or attempting to exploit or harm minors in any way, including by exposing them to inappropriate content;
d. to store, publish, display, or transmit defamatory, infringing, libelous, harassing, abusive, threatening or otherwise unlawful or tortious material;
e. to store, publish, display or transmit material in violation of third-party privacy rights;
f. to send unsolicited messages or postings, including bulk commercial advertising or informational announcements and “spam”;
g. to compromise or attempt to compromise the security of any IHRDC or third party network, system, server, or account;
h. to impersonate or attempt to impersonate IHRDC, IHRDC personnel, another subscriber or user, or any other person or entity; or
i. in any way that restricts or inhibits anyone’s use or enjoyment of the IHRDC Solution or which, as determined by IHRDC, may harm IHRDC or users of the IHRDC Solution or expose them to liability.

3. REPORTING A VIOLATION OF THE AUP

a. Any data placed in the IHRDC Solution (“Customer Data”) is solely the responsibility of IHRDC’s customers
b. Reports of a violation of the AUP by any Customer Data should:
- i. be sent to [email protected] or mailed to the following address:
  - Attention: Abuse
  - International Human Resources Development Corporation
  - 20 Park Plaza, Suite 900
  - Boston, MA 02116
- ii. identify the exact content hosted, referenced or linked by IHRDC that violates the AUP;
- iii. document your efforts to contact the customer directly; and
- iv. provide an email address to permit our customer or IHRDC to contact you.
c. IHRDC will promptly forward this report to the applicable customer. IHRDC reserves the right to investigate any violation of the AUP or misuse of the IHRDC Solution. IHRDC may suspend or terminate a customer’s account or remove or disable access to any content that violates the AUP or any other agreement with a customer for use of the IHRDC Solution.

4. DIGITAL MILLENNIUM COPYRIGHT ACT (“DMCA”)

a. IHRDC complies with laws applicable to it and its services.
b. IHRDC is entitled to rely upon (among other things) the DMCA safe harbor available to hosting service providers and search engines. Although it is IHRDC’s policy to respond to clear notices of alleged copyright infringement, IHRDC recommends that you submit a notice pursuant to the DMCA directly to the customer who provided the content. IHRDC’s response to these notices may include forwarding the notice to the applicable customer or removing or disabling access to material claimed to be the subject of infringing activity. IHRDC maintains policies and procedures to terminate subscribers that would be considered repeat infringers under the DMCA. See 17 U.S.C. 512 available at http://www.copyright.gov/
c. You may submit a DMCA notification to IHRDC’s Designated Copyright Agent with the following information in writing (see 17 U.S.C. 512(c)(3) for additional information):
- i. a physical or electronic signature of a person authorized to act on behalf of the owner of the allegedly infringed copyright;
- ii. identification of the copyrighted work or works claimed to have been infringed;
- iii. identification of, and information reasonably sufficient to permit IHRDC or the applicable customer to locate, the material that is claimed to be infringing or is the subject of infringing activity;
- iv. information reasonably sufficient to permit the applicable customer or IHRDC to contact you, such as an address, telephone number, and, if available, an electronic mail address;
- v. a statement that you have a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law; and
- vi. a statement that the information in the notification is accurate, and under penalty of perjury, that you are authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.
d. Unless it is reasonably apparent to IHRDC that the applicable customer has already received a notice of infringement from you regarding a particular content, IHRDC will forward all the information you provide in your notice, including your contact information, to the applicable customer. IHRDC’s Designated Copyright Agent to receive notifications of claimed copyright infringement is our Head of Legal, International Human Resources Development Corporation, 20 Park Plaza, Suite 900, Boston, MA 02116, email: [email protected].

GDPR

General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a comprehensive update to existing European Union laws that goes into effect on May 25, 2018. The GDPR was designed to harmonize data privacy laws across Europe, to protect and empower all EU resident’s data privacy and to reshape the way organizations across the region approach data privacy.

GDPR Principles Related to Processing of Personal Data

Within the GDPR framework, in most cases IHRDC is considered a Processor as we relate to our customers employee data. Although we will be compliant on all of the GDPR requirements, we are paying special emphasis on the six principles of processing personal data as reference in Article 5 of the GDPR.

GDPR Principle: 1. Lawfulness, fairness and transparency

GDPR Principle Verbiage: a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’)

IHRDC Compliance Efforts: IHRDC will offer customers a robust data processing addendum containing strong privacy commitments that are aligned with the spirit of “lawfulness, fairness, and transparency” as expressed in Article 5(a). This addendum also contains specific provisions to assist customers in their compliance with the GDPR.

In addition, we are in the process of reviewing all of the ways in which we process customer and user data. For each process we will provide methods for users to consent in advance of processing as well as withdrawing consent at a later time.

GDPR Principle: 2. Purpose limitation

GDPR Principle Verbiage: b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’)

IHRDC Compliance Efforts: IHRDC will ensure that the purposes of the processing are precisely and fully identified prior to, or at the moment of the collection. The objective is to make explicit and communicate the reasons why their data are collected and processed.

GDPR Principle: 3. Data minimisation

GDPR Principle Verbiage: c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)

IHRDC Compliance Efforts: IHRDC is committed to capture only the personally identifiable information necessary to provide the highest value to our customers. As part of our GDPR readiness effort, we will inventory and review all data captured by our products and eliminate personally identifiable information that is does not in alignment with the value we offer to our customers through our various product offerings.

GDPR Principle: 4. Accuracy

GDPR Principle Verbiage: d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)

IHRDC Compliance Efforts: IHRDC is working to provide policies, procedures, and features for users to review the data stored within our products and easily request corrections and even export for portability.

GDPR Principle: 5. Storage limitation

GDPR Principle Verbiage: e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)

IHRDC Compliance Efforts: IHRDC will be reviewing all policies related to data storage. We will unify our policies across all lines of business to retain user data only as long as necessary and to provide users with the ability to export their data for portability purposes.

GDPR Principle: 6. Integrity and confidentiality

GDPR Principle Verbiage: f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)

IHRDC Compliance Efforts: IHRDC is working to enhance our systems to have security built into every layer of our product platforms. The infrastructure layers will include replication, backup, and disaster recovery planning. Network services already have encryption in transit and advanced threat detection. Our application services have impemented identity, authentication, and user permissions.

Privacy Center

Security, Compliance and Privacy

APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES

APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES

Privacy Contact

INSTRUCTIONAL PROGRAMS

E-LEARNING SOLUTIONS

COMPETENCY MANAGEMENT

CLEAN ENERGY & SUSTAINABILITY

OTHER AREAS