GDPR Privacy Notice
The Board of Directors and executive management of Weave Cloud Solutions, LLC. located at 101 Crawfords Corner RD., Holmdel, NJ 07733, which is in the business of facilitating the transfer of documents amongst and between other business and organizations, are committed to preserving the confidentiality and integrity of electronic information assets in compliance with the European Union’s General Data Protection Regulation (GDPR) while in its custodial care. This Notice explains how GDPR affects you as a user, defines key terms, and answers questions regarding who is covered by GDPR, what GDPR requires, and how Weave Cloud Solutions operates within those requirements.
Weave Cloud Solutions’ Commitment to Data Protection
Weave Cloud Solutions is committed to fulfilling its responsibilities in relation to the collection, retention, use, and communication of personal data within the scope of the General Data Protection Regulation. In scope personal data will be processed only for lawful and appropriate purposes. Weave Cloud Solutions has implemented measures designed specifically to ensure the security of personal data and to prevent unauthorized or accidental access, erasure, or other misuse of personal data. Weave Cloud Solutions will also enable the exercising of data subject rights in an effective and transparent manner.
Definitions
| Term | Definition |
| GDPR | The European Union’s (EU) General Data Protection Regulation (EU 2016/679) |
| Weave Cloud Solutions Customer | A legal entity (excluding Weave Cloud Solutions or its affiliates) that has contracted with Weave Cloud Solutions to provide Services |
| Customer Data Subject | An identified or identifiable individual authorized by an Weave Cloud Solutions Customer to use the Services or to interact with Weave Cloud Solutions on behalf of the Weave Cloud Solutions Customer |
| Data Controller | An entity that determines the purposes and means of the Processing of Personal Data |
| Personal Data | Any information relating to an identified or identifiable natural person |
| Process(ing) | Any operation(s) performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction |
| Services | The products and services provided by Weave Cloud Solutions under a contractual agreement between Weave Cloud Solutions and the Weave Cloud Solutions Customer |
| Special Categories of Personal Data | Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the Processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Processing of Personal Data relating to criminal convictions and offenses may also have additional safeguards under Member State law. |
| Communicating Parties | Communicating Parties are an Weave Cloud Solutions Customer and at least an originator or recipient who establish communication through the Services, any of which may be a Customer Data Subject |
Notice Applicability
This GDPR Privacy Notice applies when:
- A Customer Data Subject instantiates Personal Data through the use of Weave Cloud Solutions’ Services within the European Union (EU) or the European Economic Area (EEA) in connection to a Weave Cloud Solutions Customer
- Weave Cloud Solutions otherwise Processes Personal Data of a Customer Data Subject who is in an EU or EEA country in connection to a Weave Cloud Solutions Customer
- Services provided by Weave Cloud Solutions are within the scope of GDPR
- Weave Cloud Solutions functions as a Data Controller when Processing the Personal Data of a Customer Data Subject
Weave Cloud Solutions maintains other policies and notices, including the Weave Cloud Solutions Terms of Use (available on its public website), that address data protection and use of the Services. Unless specifically stated otherwise, where another notice or policy conflicts with the purposes of this GDPR Privacy Notice, this Notice prevails with regards to a Customer Data Subject in the EU or EEA.
Categories of Customer Data Subjects Personal Data Processed
Weave Cloud Solutions generally Processes the following categories of data, which may include Personal Data of Customer Data Subjects:
- Contact Information: General contact information for administration purposes, which may include, but not limited to name, address, phone number, and email address
- Device Identification Information: Attributes that identifies a device from which (or to which) electronic communications are sent (or received); may include, but not limited to a network identifier (Internet Protocol IP address, phone number, etc.), serial number, capabilities, etc.
- Electronic Communications Metadata: Data processed in an electronic communications network for the purposes of transmitting, distributing, or exchanging electronic communications content (but not including electronic communications content); includes data used to trace and identify the source and destination of a communication, the date, time, duration, and type of communication
- Authentication Data: Username, password, authorization tokens, and similar data to authenticate users or devices in connection with use of the Services or access to information related to the Services
- Document Content Information: Document Content Information is the information contain within a document that is being transferred between all communicating parties
Reasons Weave Cloud Solutions Processes Customer Data Subjects’ Personal Data
Weave Cloud Solutions Processes Personal Data when a Customer Data Subject uses the Services or when an Weave Cloud Solutions Customer provides the Personal Data to Weave Cloud Solutions. During Weave Cloud Solutions Customer provisioning, Weave Cloud Solutions will generally Process Personal Data of Customer Data Subjects for the purposes of:
- Providing the Services to the Weave Cloud Solutions Customer
- Performing the obligations and exercising the rights with respect to the Services
- Complying with legal obligations
- Evaluating, supporting, and enhancing the performance, efficiency, and security of the Services
Weave Cloud Solutions Processes Personal Data of Customer Data Subjects only pursuant to appropriate lawful bases for Processing as necessary for:
- Performing Services to which the Customer Data Subject is a party;
- Complying with a legal obligation(s) to which Weave Cloud Solutions is subject; and/or
- Legitimate interests pursued by Weave Cloud Solutions, such as performing its contract obligations to, or exercising its legal or contract rights with the Weave Cloud Solutions Customer, or for improving services and network operations
In limited circumstances, Weave Cloud Solutions may Process Personal Data as necessary for:
- Protecting the vital interests of the Customer Data Subject or another natural person; and/or
- Performing a task carried out in the public interest
Customer Data Subjects acknowledge that the Document Content Information being transfer through the Services is under the sole discretion and control of the Communicating Parties. Weave Cloud Solutions acknowledge that the Document Content Information may contain “Special Categories” of Personal Data. Weave Cloud Solutions does not Process Customer Data Subject’s Document Content Information, whether it contains “Special Categories” of Personal Data or not, for any business purpose other than to facilitate the transfer of the Document Content Information between the Communicating Parties, unless specifically authorized by law, for example where the Customer Data Subject has given explicit consent; as necessary for carrying out obligations and exercising specific rights in the field of employment, social security, or social protection law; if compelled to do so by a court of law or lawfully requested to do so by a relevant governmental authority; and/or as necessary for the establishment, exercise, or defense of legal claims.
Access to Customer Data Subjects Personal Data
Personal Data about Customer Data Subjects will be disclosed, to the extent required for Service delivery, to appropriate and authorized recipients. Recipients may include: Weave Cloud Solutions personnel; third party service providers and subcontractors performing services for Weave Cloud Solutions in the delivery of the Services. Personal Data may also be provided to the Weave Cloud Solutions Customer and their agents.
Weave Cloud Solutions may disclose Personal Data if compelled to do so by a court of law or lawfully requested to do so by a relevant governmental authority using the appropriate means of request. Weave Cloud Solutions may disclose Personal Data if Weave Cloud Solutions determines it is necessary or appropriate to comply with the law or to protect or defend Weave Cloud Solutions’ rights, property or employees.
Location Where Customer Data Subjects Personal Data is Processed
Weave Cloud Solutions business activities are centralized within the United States of America. This centralization may result in the transfer of Personal Data to countries outside of the EEA. For example, a Customer Data Subject’s may be transferring information with a Weave Cloud Solutions Customer within the United States. A Customer Data Subject may request to review the safeguards Weave Cloud Solutions uses for cross border transfers.
Weave Cloud Solutions may additionally rely on other approved mechanisms for export of Personal Data from the EEA, such as a determination by the European Commission that the recipient country offers adequate protection of Personal Data or pursuant to established derogations for specific situations. Wherever Personal Data is Processed, Weave Cloud Solutions uses appropriate security measures consistent with GDPR requirements.
Deletion of Customer Data Subjects Personal Data
First and foremost, Weave Cloud Solutions maintains a zero data retention policy for all Document Content Information communicated through the Services, whether it belongs to a Customer Data Subject or not. Upon completion of a transfer of the Document Content Information between the Communicating Parties, Weave Cloud Solutions purges the Document Content Information from its system. Certain Personal Data will be retained as needed for business administration, tax, or legal purposes and as consistent with applicable law, including GDPR, such as Electronic Communications Metadata and Device Identification Information. While Personal Data is retained, Weave Cloud Solutions implements appropriate technical and organizational measures designed to make the Personal Data collected secure. Such measures include:
- Maintaining and protecting the security of computer storage and network equipment and using security procedures that require usernames and passwords to access sensitive data;
- Applying encryption, deidentification, or other appropriate security controls to protect Personal Data when stored or transmitted; and
- Limiting access to Personal Data to only those with jobs requiring such access
Customer Data Subject Rights regarding Processing of Personal Data
GDPR grants the Customer Data Subject certain rights regarding Processing of Personal Data. Weave Cloud Solutions is committed to honoring these rights and has established effective and transparent policies and procedures to do so. A Customer Data Subject’s rights with respect to his or her own Personal Data include:
- Right to Notice. This Notice detailing how Personal Data is Processed
- Right of Access. Customer Data Subject’s may obtain confirmation of whether Personal Data is being Processed and, if it is, request the Personal Data and additional information about the Processing of that data
- Right to Rectification. Customer Data Subjects may have inaccurate Personal Data corrected and have incomplete Personal Data made complete
- Right to Erasure. Customer Data Subjects may have Personal Data erased, in certain circumstances
- Right to Restriction of Processing. Customer Data Subjects may have additional Processing of Personal Data temporarily prohibited while the accuracy or Processing of Personal Data is contested
- Right to Data Portability. Customer Data Subjects may be able to receive Personal Data for the purpose of providing that Personal Data to another Controller
- Right to Object. A Customer Data Subject may object to Processing of Personal Data at any time and on grounds relating to his or her particular situation
- Right to Information Regarding Automated Individual Decision-Making. Weave Cloud Solutions Processing of Personal Data generally does not include automated decision-making that produces legal effects concerning the Customer Data Subject or similarly significantly affects the Customer Data Subject. In the event Weave Cloud Solutions implements such automated decision making, Weave Cloud Solutions will provide meaningful information about the logic involved and the significance and the envisaged consequences of such Processing for the Customer Data Subject
Whether and how a right applies will depend upon the lawful basis pursuant to which the data is Processed, the nature of the Personal Data, and Weave Cloud Solutions’ ability to determine that it holds Personal Data of interest. As the Personal Data is processed as part of Weave Cloud Solutions’ contract obligations to the Weave Cloud Solutions Customer, for authentication purposes Weave Cloud Solutions will coordinate responses to requests of Customer Data Subjects with the Weave Cloud Solutions Customer. Weave Cloud Solutions therefore recommends the Customer Data Subject directly contact the Weave Cloud Solutions Customer to initiate a rights request. Weave Cloud Solutions will work with the Weave Cloud Solutions Customer to determine the appropriate response to a request. Provision of Personal Data in response to a Customer Data Subject’s request shall not adversely affect the rights and freedoms of others.
Additional Information
A Customer Data Subject may choose to file a complaint with the relevant data protection regulator. Questions on this Notice may be sent to Weave Cloud Solutions’ Data Protection Officer at [email protected]. Please include “Customer data subject question” in the email’s subject line.