Updated: September 28th, 2023
Provation Software, Inc. (“Provation” or “we” or “our”) has developed this Application Privacy Policy to demonstrate our commitment to our current, past and prospective customers and any other user of any of our services for the purposes of carrying out business. This Application privacy policy is designed to inform you about the types of information that we may collect or process. Provation data processors are obliged to comply with this policy when processing data on behalf of our customers.
The terms and conditions of this Application Privacy Policy apply only to the extent that they are compliant with the applicable laws, including current and future European Union regulations (GDPR) and HIPAA, governing the processing of personal data on behalf of our customers.
This policy will be reviewed annually and updated as needed by Provation’s Chief Information Security Office (CISO) and/or Provation’s General Counsel to reflect any changes in legislation or in Provation’s methods or practices.
Provation’s CISO is responsible for ensuring compliance with this policy. Any questions about the operation of this policy or any concerns that the policy has not been followed should be referred in the first instance to Provation’s CISO.
All Provation colleagues have a responsibility to comply with this policy and are required to complete appropriate training to ensure compliance with this policy.
Information We Collect or Process on behalf of our customers.
Data is defined as Provation held personal information concerning all living identifiable individuals. Individuals have legal rights in relation to their personal information.
Personal information is defined as data relating to a living individual who can be identified, directly or indirectly, from that data (or from that data and other information in our possession). Personal data can be factual (for example, a name, address or data of birth) or it can be an opinion about that person, their actions and behavior.
Data controllers at Provation determine the purposes for which, and in the manner in which, any personal data is processed. They are responsible for establishing practices and policies in line with the current regulations. Data users are those colleagues and contractors whose work involves processing personal data. Data users must protect the data they handle in accordance with this data protection policy and any applicable data security procedures at all times.
Provation is considered a data processor on behalf of our customers. Provation performs activities by obtaining, recording, or holding the data, carrying out any operation or set of operations on the data including organizing, amending, retrieving, using disclosing, erasing or destroying it.
How We Use Information
- Personal Information
We use Personal Information (unless otherwise restricted by law), for the following purposes:
Research, Development and Internal Purposes. We may use Personal Information for internal purposes such as system administration, risk analytics, compliance, auditing, and data analysis. We may use Personal Information for internal research and development purposes, to create new products and services. All data use is performed in accordance with applicable laws, regulations, and customer contracts.
Customer Support. If you contact us for customer support, we may ask you to provide Personal Information to verify your identity and other information about your computer, mobile phone, tablet or other device and about the issue you are trying to resolve. This information may be necessary to help us address the issue you are experiencing. We may record your requests and our responses for quality control purposes.
Legal Obligations. We may disclose your Personal Information as we believe necessary or appropriate: (i) under applicable law, including laws outside your country of residence, (ii) to comply with legal process, either within or outside your country of residence, (iii) to respond to requests from public and government authorities, including public and government authorities outside your country of residence, for national security and/or law enforcement purposes, (iv) to enforce our terms and conditions, and (v) to allow us to pursue available remedies or limit the damages that we may sustain.
- Other Information
We may use, transfer, and disclose Other Information we collect for any purpose, except where applicable law requires otherwise. If we are required to treat Other Information as Personal Information under applicable law, then we will only use it in the same way that we are permitted to use and disclose Personal Information.
How We Share Information
- Personal Information
We share Personal Information to further our business operations and as described below. We may share Personal Information with the following third parties:
Legally Required Sharing. We may disclose information about you (i) if we believe, in good faith, that we are required to do so by law or legal process, (ii) to law enforcement authorities or other government officials, or (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, or in connection with an investigation of suspected or actual fraudulent or illegal activity.
Business Transfers. We reserve the right to transfer Personal Information to a purchaser or successor entity in the event of a sale or any other corporate transaction involving some or all of our business.
- Other Information
We may share Other Information we collect for any purpose unless prohibited by law. We may share aggregated, anonymous Other Information, such as aggregated statistics, usage information and demographic data with third parties, including advisors and advertisers. When we provide this Other Information, we perform appropriate procedures so that the data does not identify a unique individual.
Security Measures
Provation takes the security of your data seriously and have internal policies and controls that follow industry best practices to ensure that you data is not lost, accidentally destroyed, misused or disclosed and is not accessed except by its employees in the performance of their duties.
When Provation engages third parties to process personal data on its behalf, they do so on the basis of written instructions, are under of a duty of confidentiality and are obliged to implement appropriate technical and company measures to ensure the security of data.
We have implemented numerous security features designed to help protect your Personal Information from accidental loss and from unauthorized access, use, or disclosure.. We cannot guarantee that unauthorized persons will always be unable to defeat our security measures.
Example security procedures that Provation follows include:
- Physical security controls for our office
- Media disposal per industry best practices for paper and digital media destruction
- Provation maintains security incident management policies and procedures. Unauthorized disclosure of data will be subject to Data protection laws and regulations for notifying affected parties.
- Technical Safeguards that Provation has in place to ensure data protection include anti-virus, intrusion detection, multi-factor authentication and encryption.
- Data segregation by operating in a multitenant architecture that is designed to segregate and restrict customer data from customer to customer and separate from Provation data. This is done by creating customer specific unique ID’s and user role-based access privileges.
- Provation adds additional data segregation by providing separate environments for different functions such as testing and production.
Data Storage
We may store and process your Personal Information in systems located outside of your home country. Regardless of where storage and processing occur, we take appropriate steps to ensure your information is protected, consistent with the principles set forth under this Privacy Policy.
Retention and Deletion
We keep your Personal Information: (i) for as long as needed to provide you with our products or services, (ii) as needed for the purposes outlined in this Privacy Policy, (iii) as necessary to comply with our legal obligations (such as to honor opt-outs), resolve disputes, and enforce our agreements, and (iv) to the extent permitted by law.
International Transfer
Please note that, unless otherwise prohibited, Personal Information may be transferred, accessed and stored globally as necessary for the uses and disclosures stated above in accordance with this Privacy Policy. By providing your Personal Information you give express consent to transfer your Personal Information to our affiliates globally and to third party entities that provide services to us.
Breach notification
Provation follows the guidelines set by HIPAA and contractual agreements with our customers.
Your Rights Regarding Your Information
- Opt-Out Right
Although we have a right to use your Personal Information to provide you with the information and services you acquire from us, including if you register as a user for our services and/or to pay for our services, you may opt out of having your Personal Information (i) collected by us if you do not elect to register with a user account to acquire or pay for our services, (ii) used by us for certain secondary purposes, or (iii) used by us to send you promotional (i.e. marketing) correspondences, by contacting us as specified in the How to Contact Us section below; Please note that if we have a lawful business purpose to use your Personal Information or if we are required by applicable law to retain your Personal Information, then your right to opt-out of our use may be limited.
- Transfer: Acquire
Depending on the law applicable to you (for example a resident of California under the California Consumer Protection Act (“CCPA”) or a resident of the European Union under the General Data Protection Regulation), you may have the right to request that we send you or a third party a copy of your Personal Information you provided to us in a structured, commonly used and machine-readable format, enabling you to transfer such information to another party (e.g. data controller). Where technically feasible, we will handle such transfer directly to the third party you specify. To submit such a request, contact us as specified in the How to Contact Us section below.
In certain countries, including all the Member-States of the European Union, you can lodge a complaint with a supervisory authority if you believe your Personal Information has been unlawfully processed.
The access and correction provisions of this Privacy Policy only apply to Personal Information collected from you through the Website.
- If Shared
Depending on the law applicable to you (for example as a resident of California under the CCPA), you may have the right to request from us a list of the third parties with whom we have shared certain Personal Information, as defined under California Civil Code Section 1798.90(e) during the preceding year for third party direct marketing purposes. We will respond to one request per California resident per calendar year, in accordance with California Civil Code Section 1798.83. To submit such a request, contact us as specified in the How to Contact Us section below.
- Deletion of Erasure
Depending on the law applicable to you (for example a resident of California under the CCPA or a resident of the European Union under the General Data Protection Regulation), you may have the right to ask that we delete or erase your Personal Information from our Website. Please note that this right may be limited to the extent that we are required to retain such information to meet our business and legal requirements; we will comply with applicable law for such a request. To submit such a request, contact us as specified in the How to Contact Us section below.
- Our Right To Change This Privacy Policy
We reserve the right to change this Privacy Policy at any time by posting a new or revised statement. This Privacy Policy was last revised as specified in the date listed at the top of this Privacy Policy.
California Consumer Privacy Act (“CCPA”)
Provation is subject to the CCPA as modified by the California Privacy Rights Act (“CPRA”) and is required to provide privacy notices to California residents (“Consumers”) whose Personal Information we may collect. These notices must include information about the categories of Personal Information collected and also describe the rights Consumers have with respect to their Personal Information including:
- The right to know about the personal information a business collects about them and how it is used and shared;
- The right to delete personal information collected from them (with some exceptions);
- The right to opt-out of the sale or sharing of their personal information; and
- The right to non-discrimination for exercising their CCPA rights.
- The right to correct inaccurate personal information that a business has about them; and
- The right to limit use and disclosure of sensitive personal information collected about them.
While other US states have comprehensive privacy laws like the CCPA, as of this Privacy Policy revision date, none of those laws apply to Personal Information collected in the commercial/B2B and employment contexts.
CCPA requires privacy notices describing what Personal Information a business collects, the purposes for the collection, and information about disclosures of Personal Information. Additionally, a privacy notice must also inform Consumers of the rights they have with respect to their Personal Information and how to exercise them.
The CCPA requires privacy notices to be reviewed and updated every 12 months.