The regulation mandates the use of operational and technological controls for protection against data violation and grants new rights for individuals in the treatment of their data. The updates will automatically come into effect for all existing customers and users on May 25th, 2018.
Does everyone need to be GDPR compliant? Only organizations dealing with EU Citizen and Resident data. If this is not you, GDPR does not apply.
When does it go into effect? May 25, 2018
Will this affect my experience using the Asset Panda Platform? No, you should not experience any change in how you use Asset Panda and our platform will continue to provide you with the experience you’ve come to know and trust.
Please feel free to contact us at [email protected] if you have any questions or feedback. We will review all feedback and will take action as appropriate. Please keep in mind that we may not respond to these requests individually.
Consent
To withdraw consent from communications and related activities, please go into your account setting and change your communication options or click on the unsubscribe link in our communication emails. Alternatively, reach out to [email protected] to withdraw your consent.
To withdraw consent from processing, please delete your data in the platform, cancel your account, or reach out to [email protected].
Data Controller Terms
Collection of Data
We collect the following categories of Personal Data about you when you use or otherwise interact with our Products:
- Name
- Email address
- Telephone number
- Job Title
- Physical Address
- Payment information
- IP addresses and other information collected passively
- Device identifiers
We collect and/or process your data in connection with the below activities:
- Account creation, including Trial Accounts
- Use of certain Product features
- Generating reports based on information collected from use of our Products
- Requesting service and support for our Products and providing such support
- Placing transactions or orders
- Participating in an online survey
- Billing and collecting payments for our Products
- Registering for newsletter subscriptions (this may involve third party tools such as HubSpot or MailChimp)
- Customizing the advertising and content you see, both on our website and the standard social content sites (e.g. Facebook, Twitter, and Google)
Asset Panda Processing of your Controlled and Processed Data
We will use your data only in accordance with our Terms of Use, Privacy Policy, and this GDPR Information Page. If you do not wish us to continue using your Personal Data in this manner, you can request that your account be deleted by deleting your account or contacting us at [email protected].
Asset Panda complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) as set forth by the U.S. Department of Commerce. Asset Panda has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/
Asset Panda has the responsibility for the processing of Personal Data it receives under the Data Privacy Framework (DPF) Principles and subsequently transfers to a third party acting as an agent on Asset Panda’s behalf. Asset Panda shall remain liable under the DPF Principles if its agent processes such Personal Data in a manner inconsistent with the DPF Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
The following is a list of the Sub-processors used by Asset Panda to Process Personal Data on behalf of Customers pursuant to a Service, as described in the Terms of Use and Privacy Policy.
Entity Name | Service(s) | Entity Country | Nature of Processing |
Amazon | Cloud Hosting Provider | United States | Cloud infrastructure, storage, services |
Cloud Convert | File Conversion | Germany | Convert documents between different file formats |
Mongo DB | Database | United States | Database services |
ScandIT | Barcode Scanning | United States | Mobile app barcode scanning |
WebKorps | Outsourcing Partner | India | Dev/Ops |
In compliance with the EU-U.S. DPF, Asset Panda commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
If a complaint cannot be resolved through the above channel, an individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms, provided that notice has been delivered to Asset Panda and following the procedures and subject to conditions set forth in Data Privacy Framework Annex I. In compliance with the EU-U.S. DPF, Asset Panda commits to cooperate and comply with, as applicable, the advice of the panel established by the EU data protection authorities (DPAs) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF. For additional information visit https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction.
We will only process your data if we have a lawful basis for doing so. Lawful bases for processing include consent, contractual necessity (i.e. processing that is necessary for the performance of a contract with you, such as your user agreement with us that allows us to provide you with the Products) and our “legitimate interests” or the legitimate interest of others (e.g. our users) such as:
- Personalizing, improving or operating our Products and business
- Better understanding your needs and interests
- Fulfilling requests you make related to the Products
- Providing you with information and offers from us
- Complying with our legal obligations, resolving disputes with users, enforcing our agreements
- Protecting, investigating and deterring against fraudulent, harmful, unauthorized or illegal activity
We process data for purposes such as:
- To process your orders and deliver the Products that you have ordered
- To provide reports based on information collected from use of our Products
- To keep you up to date on the latest Product announcements, software updates, software upgrades, system enhancements, special offers, and other information
- To provide support and assistance for our Products
- To provide the ability to create an account and have access to our Products
- To provide the ability to contact you and provide you with shipping and billing information
- To provide customer feedback and support
- To the extent, you choose to participate, to conduct questionnaires and surveys in order to provide better products and services to our customers and end users
- To personalize marketing communications (this may involve third-party tools such as HubSpot or MailChimp) and website content, both on our website and the standard social content sites (e.g. Facebook, Twitter, and Google), based on your preferences, such as in response to your request for specific information on products and services that may be of interest
- To meet contract or legal obligations
Data Processor Terms
Client data within the Asset Panda Platform will be processed for the following purposes:
- Data Storage and Retrieval by the Client
- Customer Trouble Shooting Help by Asset Panda’s Implementation and Sales Team, and
- Technical Troubleshooting by Asset Panda’s Development Team
Types of Data Processed
Please view the Terms of Use and Privacy Policy for the different types of data we gather with the explicit permission or request of Clients and Users.
U.S. Regulatory Oversight
Asset Panda is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). Under Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45), an organization's failure to abide by commitments to implement the DPF Principles may be challenged as deceptive by the FTC. The FTC has the power to prohibit such misrepresentations through administrative orders or by seeking court orders.
Technical and Organizational Security Measures
Please request the Report on Security Posture at [email protected] to view a description of the security measures. This is sensitive information that requires certain permissions to view.
Rights of Controllers
Controllers have the following rights:
- Must give consent to any new type processing done outside of original consent
- Must give consent if any entity other than Asset Panda is going to perform sub-processing outside of original consent
- Will have the choice of having personal data deleted or returned at the end of provision of services
- Will be assisted by the processor, insofar as possible, to fulfill controller obligations in response to requests for exercising data subject rights as well as compliance with Articles 32 to 36 of the GDPR
- To be informed of data breach without undue delay
Data Retention
After the termination of services, the client may request to have data within the platform returned and/or deleted. Asset Panda will provide support to the client in downloading and deleting the data (all clients have the ability to delete data and download data in multiple formats, such as Excel and pdf, and are given clear guidance during onboarding for how to do so). If the client decides to delete the data from the platform, it will be automatically deleted from the platform and after 30 be cycled (deleted) from all backups.
Data inside of the Asset Panda platform will be kept after termination of services in case the client would like to continue using Asset Panda services. The client can at any time delete data from the platform or request data to be deleted. If the client deletes the data, it will be fully cycled out of the Asset Panda environment in 30 days. If the client requests deletion by Asset Panda staff the time to deletion will vary depending on technical and resource bandwidth for deletion.
Confidentiality
All personnel that interacts with client data are required to sign an NDA.
Sub-Processing
All data processing within the platform is performed by Asset Panda with the exception of file conversions which are performed by Cloud Convert. This processing by Cloud Convert and all additional processing is performed only at the explicit choice of the Client (e.g., if the Client chooses to send their Asset Panda data to another service provider through the use of API or opts to use the conversion mechanism).
Cloud Convert will only process data in the case that the client utilizes the file conversion function within Asset Panda. Additionally, Cloud Convert is GDPR compliant, only stores data for 24 hours at a maximum, and has a processing contract in place with Asset Panda pursuant to the sub-processing requirements of GDPR. In the case that a new sub-processor is required, Asset Panda will first ask for consent from the client.
Processing Location
The vast majority of processing is done in the United States and Europe in some rare instances.
Processing Permission
Data is processed in accordance with the Terms of Use, Privacy Policy, applicable laws, and the processes outlined on this page that were originally accepted by the Client. No additional processing is performed, but Asset Panda would ask the Client for consent before proceeding if it needs to be performed for any reason.
Breach Notification
Asset Panda’s Breach Notification policy is as follows:
“If processed data (i.e., data within the Asset Panda application) related to European Union citizens is breached, Asset Panda shall notify the controller (i.e., client), without undue delay after becoming aware of a personal data breach. Asset Panda is not required to notify the affected individuals whose data is within the application itself – that is the responsibility of the Controller of the data (i.e., the client who stored the data in the platform).
Asset Panda must document any personal data breaches related to European Union citizens, comprising the facts relating to the personal data breach, its effects, and the remedial action taken. This documentation will enable the supervisory authority to verify compliance with GDPR.”
Data Subject Rights
For data that is Controlled, Asset Panda will comply fully with each of these Rights. For data that is Processed, Asset Panda will assist the Controller (i.e., Client), insofar as possible, fulfill the Controller’s obligations in responding to requests for exercising data subject’s rights and in pursuit of Article 32 to 36 (as mandated in Article 30 of GDPR – Responsibilities of Processors).
To exercise any of your data subject rights, please contact the Organization who controls your data or [email protected]. Below are the Rights of Data Subjects:
Right to be Informed (Article 13)
At the time of collection of personal data from the data subject, the controller must provide the data subject with the information outlined by GDPR.
Right of Access (Article 15)
Data subjects have the right to obtain from the controller: confirmation as to whether personal data concerning him or her are being processed, a copy of all personal data, and additional information outlined by GDPR.
Right of Rectification (Article 16)
Data subject has the right to obtain the rectification of inaccurate personal data from the controller without “undue delay.”
Right of Erasure (Article 17)
The data subject has the right to obtain the erasure of personal data without undue delay from the controller.
Right to Restrict Processing (Article 18)
Data subject shall have the right to obtain restriction of processing from the controller.
Right to Data Portability (Article 20)
Data subject has the right to receive personal data concerning them in a GDPR-compliant format and has the right to have the data transmitted to another controller.
Right to Object (Article 21)
Data subject has the right to object at any time to the processing of personal data under certain situations outlined by GDPR.
Right in Relation to Automated Decision Making and Profiling (Article 22)
Data subject has the right not to be subject to a decision based solely on automated processing, including profiling.
Basic Data Controller and Processor Information
Name: Asset Panda, LLC
Contact Information
Phone: 855-898-6058
Email: [email protected]
Address: 5729 Lebanon Road, Ste 144-269, Frisco, Texas 75034
In compliance with the EU-U.S. DPF, Asset Panda commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF should first contact Asset Panda via the contact information above.
For GDPR related data (i.e. personal data of EU citizens or residents), the Terms of Use and in the Privacy Policy will be superseded by the terms on this GDPR page.