Last revised: February 1, 2019
I. Identity of Automated Supply Chains Ltd.
For the purpose of the relevant data protection regulations, Automated Supply Chains Ltd. are the 'Data controller' of your information. We are located on the Third Floor, 207 Regent Street, W1B 3HH London, United Kingdom. We are registered in England and Wales under company number 08590745. If you have any questions about how we protect or use your data, please send an e-mail to us at firstname.lastname@example.org.
II. What information we collect
1. Information collected directly from you
Generally, you can visit Automated's website without entering any personal information. On certain pages, we may ask you for personal information to provide a service or carry out a transaction that you have requested. The personal information we collect may include:
- Contact details, such as your name, title, company/organization name, e-mail address, telephone numbers, and physical address;
- Information about your company, and job function;
- Your e-mail marketing preferences;
- Financial information (including credit card or account information);
- Information such as your nationality and country of residence that allows us to determine your eligibility under export control regulations to receive information;
- Information used to customize and facilitate your use of our website, including login and technical information;
- Inquiries about and orders for our services;
- Information that assists us in identifying the services that best meet your requirements;
- Event registration information; and
- Feedback from you about our website and our services in general.
You are not required to provide any of this information, but if you do not, we may not be able to provide you with the requested service or complete your transaction.
2. Information collected automatically
We collect information about your visit to our website, including what pages you view, the number of bytes transferred, the links you click, the materials you access, and other actions taken within Automated's website. On websites that you enter with a login, we may connect this information with your identity to determine your potential interests in our services. We also collect certain standard information that your browser sends to every website you visit, such as your Internet Protocol (IP) address, your browser type, capabilities and language, your operating system, the date and time you access the website, and the website from which you linked to our website in order to allow us to perform statistical measurements about our website.
III. What we use your information for
We will only use your information for the following purposes:
1. To enable us to provide you with access to all parts of the website and to use the Services and to enable you to download information and receive materials from Automated;
2. To produce reports, statistics and analysis of the types of people who access Automated;
3. To contact you for your views on Automated;
4. To notify you occasionally about important changes and service announcements;
5. To administer, support, improve and develop Automated's Services;
6. To carry out our obligations arising from any contracts entered into between you and us.
We offer those who provide personal contact information a means to choose how we use the information provided. Marketing communications will include:
1. To contact you with newsletters and other marketing e-mail updates and advertisements regarding the Services;
2. To make you occasional offers of Automated's products or services or to make you aware of other products or services offered by Automated.
You may at any time opt-out of receiving marketing communications by sending us an e-mail at email@example.com. Opt-out will not apply where Automated sends you a notice regarding the status of service, upgrades to the platform, security alerts or any notice relevant to your service and account.
Automated may use trusted third parties to assist in the delivery, provision, analysis and improvement of Automated including but not limited to data storage, maintenance services, database management, analytics, payment processing, Customer Relationship Management services/systems and improvement to the service features. Automated is not liable for the quality or accuracy of any onward transfer of information.
We reserve the right to use the name and/or logo of the company you work for in publicity material, advertising or marketing collateral unless you specifically tell us otherwise. Your name, address details and all other personal information will remain confidential at all times.
IV. Legal basis
1. EU General Data Protection Regulation (GDPR)
Your data is processed either on the basis of your consent or because the processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract, cf. GDPR art. 6(1)(a)-(b).
If the processing is based on your consent, you may at any time withdraw your consent by contacting us using the contact information in I. In order to enter into a contract regarding the purchase of Automated’s Service, you must provide us with the required personal data. If you do not provide us with all the required information, it will not be possible to deliver the Service.
2. California Online Privacy Protection Act compliance
Because Automated values your privacy we have taken the necessary precautions to be in compliance with the California Online Privacy Protection Act. We therefore will not distribute any personal information to outside parties without your consent except as stated in clause VII. As part of the California Online Privacy Protection Act, all users of our website may make any changes to their information at any time by logging into their account and navigating to their 'My profile' page.
3. Children’s Online Privacy Protection Act compliance
Automated is in compliance with the requirements of the Children’s Online Privacy Protection Act. We will not intentionally collect any information from anyone under 13 years of age. We provide professional business services; our website, products and services are all directed at people who are at least 13 years old.
V. How we protect your information
Automated implements the following technical, physical and organizational measures to maintain the safety of your personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized use, unauthorized modification, disclosure or access and against all other unlawful forms of processing.
The Service utilizes the extensive features of the cloud environment to ensure high availability, like full redundancy, load balancing, automatic capacity scaling, continuous data backup and geo-replication along with a traffic manager for automatic geographical failover on datacenter level disasters. All failover mechanisms are fully automated.
No personal data is stored permanently outside Automated’s cloud platforms. The physical security is thereby maintained by Automated’s subcontractors. Our datacenters comply with industry standards such as ISO 27001 for physical security and availability, e.g. by using security staff around the clock, two-factor access control using biometric and card readers, barriers, fencing, security cameras and other measures.
To ensure integrity, all data in transit is encrypted to align with best practices for protecting confidentiality and data integrity. For example, all supplied credit card information is transmitted via Secure Sockets Layer (SSL) technology and then encrypted into our payment gateway provider’s database, to be accessible only by those who are authorized to access such systems and who are required to keep the information confidential.
For data in transit, the Service uses industry-standard transport protocols between devices and datacenters and within datacenters themselves.
All personnel are subject to full confidentiality and any subcontractors and sub-processors are required to sign a confidentiality agreement if full confidentiality is not part of the main agreement between the parties.
Whenever personal data is accessed by authorized personnel the access is only possible over an encrypted connection. When accessing the data in a database, the IP number of the person accessing the data must also be pre-authorized to obtain access.
Any device being used to access personal data is login protected and has Automated’s corporate antivirus solution installed. If any personal data are temporarily stored on a device, the storage unit on the device must also be strongly encrypted.
On-premise devices storing personal data temporarily are at all times locked in a safe, except when being actively used or relocated under uninterrupted supervision. Personal data are never stored on mobile media like USB sticks and DVDs.
Automated will at all times keep you informed about changes to the processes to protect data privacy and security, including practices and policies. You may at any time request information on where and how data is stored, secured and used. Automated will also provide the summaries of any independent audits of the Service.
All access to personal data is blocked by default, using a zero privileges policy. Access to personal data is restricted to individually authorized personnel. Automated’s Security and Privacy Officer issues authorizations and maintains a log of granted authorizations. Authorized personnel are granted minimum access on a need-to-have basis.
6. The ability to intervene
Automated enables your rights of access, rectification, erasure, blocking and objection mainly by providing built-in functions for data handling in the Service and by offering the option to send instructions through Automated’s Customer Support.
Automated uses security reports to monitor access patterns and to proactively identify and mitigate potential threats. Administrative operations, including system access, are logged to provide an audit trail if unauthorized or accidental changes are made.
System performance and availability are monitored by both internal and external monitoring services.
8. Personal data breach notification
In the event that your data is compromised, Automated will notify you and the competent supervisory authority(ies) within 72 hours by e-mail with information about the extent of the breach, affected data, any impact on the Service and Automated's action plan for measures to secure the data and limit any possible detrimental effect on the data subjects.
'Personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of the Service.
See Automated’s Cookie Declaration for information on the cookies we use.
VII. Disclosure of information to outside parties
Automated does not sell, trade or otherwise transfer to outside parties any personally identifiable information.
This does not include trusted third parties or subcontractors who assist us in operating our website, conducting our business, or servicing you. Such trusted parties may have access to personally identifiable information on a need-to-know basis and will be contractually obliged to keep your information confidential.
We may also release your information when we believe release is appropriate to comply with the law, enforce our site policies, or protect our or others’ rights, property, or safety. Furthermore, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.
1. Subcontractors/trusted third parties
Automated will monitor subcontractors’ and sub-processors’ maintenance of information security standards and audits to ensure that data protection requirements are fulfilled.
Any intended changes concerning the addition or replacement of subcontractors or sub-processors handling personal data will be announced to you with at least 30 days’ notice. You retain at all times the possibility to object to such changes or to terminate the contract with Automated.
2. Legally required disclosure
Automated will not disclose the customer’s data to law enforcement except when instructed by you or where it is required by law. When governments make a lawful demand for customer data from Automated, Automated strives to limit the disclosure. Automated will only release specific data mandated by the relevant legal demand.
If compelled to disclose your data, Automated will promptly notify you and provide a copy of the demand unless legally prohibited from doing so.
VIII. Where we store the information
No stored data will be transferred, backed up and/or recovered by Automated outside of the European Union.
1. Personal data location
All data are stored in databases and file repositories hosted in AWS datacenters in Frankfurt, Germany. All data are automatically replicated in real time to secondary hot failover databases and file repositories in Europe.
Databases are continuously backed up to enable restore to any point in time within a retention period of 35 days. Backups are stored on file storage at the same geographical location as the database.
2. Installation of software on customer’s system
No installation of software is required to use the Service. The login-protected Service is accessible through a standard web browser, automatically using an encrypted HTTPS connection for all communications between your browser and Automated’s server to protect any data from being intercepted during network transfers.
IX. Access, data portability, migration, and transfer back assistance
You may at any time obtain confirmation from Automated as to whether or not personal data concerning you are being processed.
You may at any time order a complete data copy, which you may transmit to another controller of the data. Your data will be delivered within 10 working days by Automated as spreadsheet files in Microsoft Excel format. Logical relations between datasets will be preserved in the form of unique identifiers. You are required to pay 1,000 EUR + any applicable taxes on delivery for each data copy order.
X. Request for rectification, restriction or erasure of the personal data
You may at any time obtain without undue delay rectification of inaccurate personal data concerning you, cf. clause V.6.
2. Restriction of processing personal data
You may at any time request Automated to restrict the processing of personal data when one of the following applies:
- If you contest the accuracy of the personal data, for a period enabling Automated to verify the accuracy of the personal data;
- If the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead; or
- If Automated no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims.
You may without undue delay request the erasure of personal data concerning you, and Automated shall erase the personal data without undue delay when one of the following applies:
- If the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- If you withdraw your consent on which the processing is based, and where there is no other legal ground for the processing;
- If you object to the processing in case the processing is for direct marketing purposes;
- If the personal data have been unlawfully processed; or
- If the personal data have to be erased for compliance with a legal obligation in EU or national law.
XI. Data retention
1. Data retention policy
Due to tax regulations, account data will be retained for up to five full fiscal years from the cancellation of your Service account.
Configuration data and system generated data will be erased immediately when you cancel the Service account.
2. Data retention for compliance with legal requirements
You cannot require Automated to change any of the default retention periods, except for the reasons for erasure pursuant to clause X.3., but may suggest changes for compliance with specific sector laws and regulations.
3. Data restitution and/or deletion
No data except account data will be retained after the termination of the contract. You may request a data copy before termination. You must not cancel the Service account until the data copy has been delivered, as Automated otherwise will not be able to deliver the data copy.
Automated uses an extensive range of built-in logging features and audit trails. Automated also logs all system updates, configuration changes and access to provide an audit trail if unauthorized or accidental changes are made.
You may request a data protection audit performed by an independent third party who is also accepted by Automated. You will pay 5,000 EUR plus applicable taxes for an audit request along with 200 EUR plus applicable taxes per hour Automated spends in connection with the audit as well as any other costs related to the audit, including the auditor.
Automated will cooperate with you in order to ensure compliance with applicable data protection provisions, e.g. to enable you to effectively guarantee the exercise of data subjects’ rights (right of access, rectification, erasure, blocking, opposition) and to manage incidents, including forensic analysis in case of a security breach.
You may at any time make a complaint with a supervisory authority regarding Automated’s collection and processing of your personal data. You may refer to the Information Commissioner’s Office in the United Kingdom.