Launchcloud LLC is committed to preserving the confidentiality and integrity of all information it holds and processes and to operating its business in compliance with the requirements of the UK Data Protection Act 1998.
We recognize the importance of Personal Data and of respecting the privacy rights of individuals. This Data Protection & Security Policy (“Policy”) sets out the principles which we apply to our Processing of Personal Data and use of Confidential Information so that we not only safeguard one of our most valuable assets, but also that which belongs to our customers and employees. For the most part we process this information in one of two capacities, either: (i) as a Data Controller for our own internal business operations, such as human resources, administration, marketing, sales etc., or (ii) as a Data Processor when carrying out our software-as-a-service (or “SaaS”) operations for our customers. However for certain software products, Launchcloud LLC will undertake processing in both capacities and employees will be specifically advised when they are processing Personal Data in both capacities.
Although the Legislation places most of the obligations upon the Data Controller, it is the responsibility of all Launchcloud LLC employees to apply the provisions of this Policy in relation to all Processing of Personal Data and handling of Confidential Information, whether Launchcloud LLC is acting as Data Controller or Data Processor (or both). Launchcloud LLC provides employees with regular instruction in respect of such matters.
means all information (however recorded, preserved or disclosed) disclosed to Launchcloud LLC or its representatives, whether or not marked as “confidential”, including but not limited to:
Personal Data, any information designated as confidential or commercially sensitive or that which is, by its nature, clearly confidential
the business, affairs, customers, clients, suppliers, plans, developments, intentions, or market opportunities of the disclosing party or of the disclosing party’s group
the operations, processes, product information, know-how, designs, trade secrets or software of the disclosing party or of the disclosing party’s group
any information or analysis derived from Confidential Information
but not including any information that:
is or becomes generally available to the public other than as a result of its disclosure by Launchcloud LLC in breach of this Policy
was available to Launchcloud LLC on a non-confidential basis prior to disclosure by the disclosing party
is received by Launchcloud LLC from a third party who lawfully acquired or developed it and who is under no obligation of confidentiality in relation to its disclosure
the parties agree in writing is not confidential or may be disclosed
is independently developed by Launchcloud LLC without the use of the disclosing party’s Confidential Information.
means information that is processed electronically (e.g. by computer), is recorded manually (e.g. on paper) with the intention of being processed electronically, or is recorded as part of any filing system structured by reference to individuals or criteria relating to them in such a way that specific information relating to a particular individual is readily accessible.
means the organization that determines the purposes for which and the manner in which Personal Data are processed.
means the organization that processes Personal Data on behalf of the Data Controller.
means a living, identifiable individual about whom Personal Data is processed.
means Data which relate to a living individual who can be identified from those Data or from those Data and other information which is in the possession of or is likely to come into our possession as Data Controller or Data Processor, as the case may be. Personal Data include opinions and any indications of our intentions towards an individual.
includes obtaining, recording, holding, altering, retrieving, consulting, using, disclosing, blocking, erasing or destroying Personal Data.
“Sensitive Personal Data”
means information about the Data Subject relating to the (a) racial or ethnic origin, (b) political opinions, (c) religious beliefs or other beliefs of a similar nature, (d) trade union membership, (e) physical or mental health or condition, (f) sexual life, (g) commission or alleged commission by any offence, and (h) any proceedings for any offence committed or alleged to have been committed, the disposal of such proceedings or the sentence of any court in such proceedings.
2. DATA PROTECTION PRINCIPLES
Launchcloud LLC is committed to complying with the data protection principles set out in the Legislation. Under the UK Data Protection Act, these are set out as eight data protection principles, under which Personal Data must:
be processed fairly and lawfully
be obtained and processed only for one or more specified and lawful purposes
be adequate, relevant and not excessive in relation to the purpose
be accurate and, where necessary, kept up-to-date
be kept for no longer than is necessary for the purpose
be processed in accordance with the rights of Data Subjects under the Legislation
be held securely and appropriate technical and organizational measures must be taken against unauthorized or unlawful Processing and against accidental loss, destruction or damage
not be transferred to a country or territory outside the European Economic Area unless adequate protection is in place.
Further details of how Launchcloud LLC complies with these principles are set out below.
PRINCIPLE 1 – FAIR & LAWFUL PROCESSING
The Legislation requires that Personal Data must be processed fairly. This means the Data Controller must ensure transparency of Processing so that Data Subjects are aware of who is Processing their Personal Data and why. This is primarily an obligation on the Data Controller who determines what is being processed and is much less relevant to a Data Processor who does not determine what is processed.
This obligation affects Launchcloud LLC primarily when acting as a Data Controller in relation to the operation of our own internal business. For example all employees’ terms of employment contain a data protection notice which includes the following information:
the identity of the Data Controller (i.e. Launchcloud LLC)
the purposes for the Processing
any other information that is necessary to make the Processing fair (such as any recipients of the Data and their purposes, a reminder of the Data Subject’s right of access (see below) and correction and whether any of the information we are asking for is mandatory or voluntary).
In the case of Launchcloud LLC marketing activities e.g. advertisement of Launchcloud LLC products and services on our website, we include a description of the communication channels that we intend to use. If any of those channels involve marketing by email, SMS, fax or automated calling systems, we will (as a general rule) obtain the Data Subject’s consent by means of a suitable (reversible) opt in provision. Where we obtain Personal Data directly from the Data Subject (e.g. as a result of a telephone call, or online capture) we give the notice to the Data Subject at the time we obtain their Data. Where we obtain Personal Data about a Data Subject from a third party source (e.g. an agent) we provide the data protection notice as soon as reasonably practicable after we have started Processing their Data (unless it would be a disproportionate effort to do so).
Accordingly where we act as a Data Processor for our SaaS customers, the obligation to issue any necessary data protection notices rests with our customer.
This is primarily an obligation for Data Controllers and for the most part only affects Launchcloud LLC in the operation of our own internal business. Launchcloud LLC will only process Personal Data where it is justified under one of the following conditions:
the Data Subject has given his consent to the Processing, or
the Processing is necessary:
in order to enter into or perform a contract with the Data Subject
for compliance with a legal obligation to that applies to Launchcloud LLC (other than an obligation under a contract)
in order to protect the vital interests of the Data Subject (i.e. a life or death situation)
for the purposes of legitimate interests pursued by the Data Controller or by the third party to whom the information is disclosed, except where the Processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the Data Subject.
Processing Sensitive Personal Data
In addition, where Launchcloud LLC processes Sensitive Personal Data, due to the sensitive and sometimes confidential nature of this category of Personal Data we will only process Sensitive Personal Data where it is justified under one of the following additional conditions:
the Data Subject has given explicit consent to the Processing, or
the Processing is necessary for:
Launchcloud LLC to comply with employment law
the protection of the vital interests of the Data Subject or another person, where the Data Subject’s consent cannot be given or has been unreasonably withheld, or where the Data Controller cannot reasonably be expected to obtain consent
the purposes of legal proceedings or for obtaining legal advice, or otherwise for establishing, exercising or defending legal rights
medical purposes and is undertaken by a health professional or someone subject to an equivalent duty of confidentiality
the prevention or detection of any unlawful act, and must necessarily be carried out without the explicit consent of the Data Subject being sought so as not to prejudice those purposes
research purposes in the substantial public interest and it does not support measures or decisions with respect to any particular Data Subject and does not cause, nor is likely to cause, substantial damage or distress to the Data Subject or any other person.
monitoring equality of opportunity and is carried out with appropriate safeguards for the rights of Data Subjects
PRINCIPLE 2 – COLLECTION & PROCESSING FOR SPECIFIED & LAWFUL PURPOSES
The Legislation requires that Personal Data must be obtained by Data Controllers only for one or more specified and lawful purposes, and must not be further processed in any manner incompatible with those purposes.
Accordingly the purposes for which Launchcloud LLC will process Personal Data as a Data Controller are set out below:
Advertising, Marketing and Public Relations
Advertising, Marketing and Public Relations on behalf of customers
Accounts and Records
Consultancy and Advisory Services
Information and databank administration.
Launchcloud LLC will not process Personal Data for any other purpose unless the Data Subject gives consent. Where Launchcloud LLC acts as a Data Processor for a SaaS customer the responsibility for obtaining any such consent rests with the relevant SaaS customer.
Launchcloud LLC has notified the Information Commissioner’s Office of the types of personal information it processes and the purposes for which it does so.
PRINCIPLE 3 – ADEQUATE, RELEVANT AND NOT EXCESSIVE
The Legislation requires that Personal Data must be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed and that it must be kept up-to-date.
To fulfill the requirement for Personal Data to be adequate, relevant and not excessive, Launchcloud LLC ensures that when acting as Data Controller:
we identify the Personal Data needed for a particular purpose and we collect the minimum amount required to properly fulfill that purpose
we do not hold Personal Data on a ‘just-in-case’ basis or because we think it might be useful in the future except where a Data Subject consents, e.g. a prospective employee agrees to us retaining Personal Data should a suitable vacancy arise
we keep Data up to date, and
we do not keep Data for too long.
PRINCIPLE 4 – ACCURATE & UP TO DATE
When inputting Data onto our system in our capacity as a Data Controller, Launchcloud LLC takes reasonable steps to ensure the Data is accurate and may contact Data Subjects for clarification if we are unsure as to the accuracy of certain information.
Launchcloud LLC will not be in breach of this principle, even if we are holding inaccurate Data if:
we accurately recorded those Data when we received them from the Data Subject or a third party
we took reasonable steps to ensure the accuracy of those Data, and
if the Data Subject has notified us that the Data are inaccurate, we have taken steps to indicate this fact.
Launchcloud LLC takes reasonable steps to keep Data up-to-date to the extent necessary.
PRINCIPLE 5 – KEPT FOR NO LONGER THAN IS NECESSARY
The Legislation requires that Personal Data processed for any purpose must not be kept for longer than is necessary for that purpose.
Launchcloud LLC reviews the Personal Data it holds on a regular basis and, where relevant, securely removes any Data which is no longer required in connection with the purpose for which it was originally obtained. Securely removes means that any printed material is appropriately shredded or electronic media has the record removed from it relating to the subject including from backups, in a manner that the material is not normally retrievable.
Where Launchcloud LLC acts as Data Processor and holds Data on its servers on behalf of its customers that the customer has input directly into Launchcloud LLC’s system, the customer will be responsible for maintaining such Data and deleting any Data that is no longer required. Launchcloud LLC will return or destroy all Data held on behalf of a SaaS customer in accordance with the terms of the relevant contract with that customer.
PRINCIPLE 6 – PROCESSED IN ACCORDANCE WITH THE RIGHTS OF DATA SUBJECTS
Data Subjects have certain rights under the Legislation to access their Data and to prevent processing in certain circumstances. Most requests will come from our employees where Launchcloud LLC is a Data Controller, although Launchcloud LLC will also have to respond to subject access requests from the customers of our SaaS customers.
Right of Subject Access
If Launchcloud LLC receives a written request from a Data Subject for access to his/her Personal Data, we will respond within 20 days of receipt of the request and provide a description of:
the Personal Data relating to that Data Subject
the purposes for which the Data are being processed
the recipients of the Data
the information constituting the Personal Data, and
the source of those Data (if available).
Launchcloud LLC reserves the right to charge the Data Subject a fee for the provision of this information as defined by the Legislation. Where the Data is held on behalf of a SaaS customer, Launchcloud LLC will notify that customer of such request for access and give the SaaS customer the option to deal with the request itself.
Right to Prevent Processing Likely to Cause Damage or Distress
Data Subjects have the right to ask us not to process their Personal Data if the Processing of the Data in a particular way or for a particular purpose is causing, or is likely to cause, damage or distress to that Data Subject or another person; and that damage or distress is, or would be, unwarranted.
If we receive a written request from any person exercising this right, we will respond within 20 days of receipt of the request and confirm that we have either complied or intend to comply with the request, or stating our reasons for non-compliance. Where this occurs in the case of Launchcloud LLC acting as a Data Processor for a SaaS customer, the request must be forwarded to the relevant SaaS customer and the Data Subject advised whether Launchcloud LLC has the authority to cease processing the Personal Data.
Right to Prevent Processing for the Purposes of Direct Marketing
If we receive a request from a Data Subject that we stop processing their Personal Data for direct marketing purposes, we will take the appropriate action to ensure that the individual’s details are suppressed on our marketing database and the individual is no longer contacted by us for marketing purposes.
Right to Object to Automated Decision Taking
Data Subjects have the right to object to automated decisions being taken about them in relation to important matters that significantly affect them (such as evaluating performance at work, creditworthiness, reliability or conduct).
If we receive a written request from any person exercising this right, we will respond within 21 days of receipt of the request and inform the individual of the steps that we intend to take to comply with the request. Where this affects the services being provided to a SaaS customer, Launchcloud LLC will notify the relevant SaaS customer before responding to the Data Subject.
PRINCIPLE 7 – SECURITY AND TECHNICAL AND ORGANIZATIONAL MEASURES
The Legislation requires Launchcloud LLC to take appropriate technical and organizational measures to safeguard Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
Launchcloud LLC has put in place a number of technical and organizational measures and procedures which we apply not only to Personal Data, but also to all information we hold, including Confidential Information and information of any other kind that is used within the business.
Details of our technical and organizational measures are available upon request.
Where Launchcloud LLC uses third parties to process Personal Data on our behalf, they will be acting as our Data Processors and we will ensure that we:
put in place a contract in writing with each of our Data Processors under which they agree to act only on instructions from us
include the right to audit our Data Processors to ascertain compliance with the data protection requirements in their contract, and
ensure that the Data Processor agrees to comply with obligations equivalent to those set out in this Policy.
PRINCIPLE 8 – OVERSEAS TRANSFERS
The Legislation requires that Personal Data must not be transferred to a country or territory outside the European Economic Area (i.e. the member states of the EU plus Iceland, Liechtenstein and Norway), unless that country or territory ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of Personal Data.
Launchcloud LLC has offices across the world and, as a Data Processor, there may be occasions where it is necessary to transfer Data between these offices or to third parties to process Personal Data on our behalf. Launchcloud LLC recognizes that in addition to complying with the rules on overseas transfers contained in the Legislation it will also be necessary to comply with the privacy laws as apply in each country.
As a Data Controller Launchcloud LLC stores information on servers within the EU and does not transfer any customer data outside of the EU.
3. CONFIDENTIAL INFORMATION
Launchcloud LLC will keep Confidential Information (which of course extends beyond Personal Data) it receives confidential and, except with the prior written consent of the disclosing party, and will:
not use or exploit the Confidential Information in any way except for the purposes for which it has been disclosed
not disclose or make available the Confidential Information in whole or in part to any third party, except as expressly permitted by the disclosing party
not copy, confirm in writing or otherwise record the Confidential Information except as strictly necessary for the purposes for which it has been disclosed and any such copies, confirmations or records shall remain the property of the disclosing party, and
apply the technical and organizational measures as Annexed to this Policy to Confidential Information.
Launchcloud LLC may only disclose the Confidential Information to those of our employees who need to know this Confidential Information for the purposes for which it has been disclosed, provided that:
we inform those employees of the confidential nature of the Confidential Information before disclosure
at all times, we are responsible for compliance of those employees with the obligations set out in this Policy and the technical and organizational measures, and
the employees receive the training required under the technical and organizational measures prior to such disclosure.
Launchcloud LLC may disclose Confidential Information to the extent such Confidential Information is required to be disclosed by law, by any governmental or other regulatory authority, or by a court or other authority of competent jurisdiction provided that, to the extent we are legally permitted to do so, we give the other party as much notice of this disclosure as possible.
Launchcloud LLC may, provided that we have reasonable grounds to believe that the disclosing party is involved in activity that may constitute a criminal offence under the Bribery Act 2010, disclose Confidential Information to the Serious Fraud Office without first notifying the disclosing party of such disclosure.
At the request of the disclosing party, Launchcloud LLC shall:
destroy, or at Launchcloud LLC’s discretion, return to the disclosing party all documents and materials (and any copies) containing, reflecting, incorporating, or based on the disclosing party’s Confidential Information
erase all the disclosing party’s Confidential Information from its computer systems or which is stored in electronic form (to the extent possible), andcertify in writing to the disclosing party that it has complied with the requirements of this clause, provided that Launchcloud LLC may retain documents and materials containing, reflecting, incorporating, or based on the Confidential Information to the extent required by law or any applicable governmental or regulatory authority and to the extent reasonable to permit Launchcloud LLC to keep evidence that it has performed its obligations under any agreement with the disclosing party.
4. CONTACTS AND RESPONSIBILITIES
In each of Launchcloud LLC’s offices and internal departments, we have appointed “Data Owners” who are locally responsible for ensuring that employees within their department or area receive appropriate training and are working in compliance with this Policy. The Data Owners undertake regular assessments of Data types and ensure that the right levels of protection are in place.
Launchcloud LLC has appointed an overall Data Protection Officer who is responsible for:
acting as a key point of contact for data protection queries and the reporting of breaches for all Data Owners, employees, customers and Data Subjects
monitoring and ensuring the compliance with this Policy across the whole of the Launchcloud LLC group worldwide and dealing with any disputes which may arise concerning Data Protection issues
conducting reviews of internal procedures to ensure that they continue to provide adequate protection of Data and Confidential Information
improve security awareness and communicate information relating to this Policy to employees
updating this Policy to reflect any changes in data protection laws
registering with government agencies (such as the UK Information Commissioner’s Office).
If you have any queries regarding this Policy or its Schedules please contact the Data Protection Officer at firstname.lastname@example.org.
5. AMENDMENTS TO THIS POLICY
This Policy and its Schedules will be updated from time to time by the Data Protection Officer to reflect any changes in legislation or in our methods or practices. The current issue of the Policy will be available from our website at www.launchcloud.com or from legal@launchcloudcom who are responsible for Data Protection issues.