Imprivata Data Privacy Framework Policy

This Data Privacy Framework Policy (“Policy”) applies to Imprivata, Inc., Ground Control, Inc., FairWarning, LLC, and SecureLink, Inc., which have all been integrated into Imprivata, Inc. This Policy was last updated on December 27, 2023 and supplements the Imprivata Privacy Policy (“Imprivata Policy”).

What does this Policy cover?

Imprivata complies with the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework (collectively, the “Data Privacy Framework”) as outlined by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data (as defined below) that is transferred from European Union member countries, the UK, and Switzerland to the United States. If there is any conflict between the policies outlined in this Policy and the Data Privacy Framework Principles, the Data Privacy Framework Principles will govern. To learn more about the Data Privacy Framework, and to view its certification page, please visit https://www.dataprivacyframework.gov/.

As the Data Privacy Framework only applies to Personal Data transferred from European Union member countries, the UK, and Switzerland, this Policy only applies to Personal Data transferred from European Union member countries, the UK, and Switzerland to Imprivata’s operations in the United States.

All employees of Imprivata that have access to Personal Data covered by this Policy are responsible for conducting themselves in accordance with this Policy. Personal Data covered by this Policy shall not be collected, used, or disclosed in a manner contrary to this Policy without proper written permission from Imprivata’s legal department.

What terms do I need to know to understand this policy?

“Data subject” means an identifiable natural person who can be identified, directly or indirectly, by Personal Data supplied to Imprivata.

“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”).

“Sensitive Personal Data” means Personal Data regarding a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, biometric or genetic data used to uniquely identify a data subject, physical or mental health, criminal record, or sexual orientation or life.

How does Imprivata comply with the Data Privacy Framework?

Imprivata commits to subject all Personal Data covered by this Policy to the Data Privacy Framework Principles in accordance with the respective Data Privacy Framework. Information about each of the Data Privacy Framework Principles, and how Imprivata complies with each, can be found below.

Notice

Imprivata notifies Data Subjects covered by this Policy about its data practices regarding Personal Data received in the U.S. from European Union member countries, the UK, and Switzerland in reliance on the respective Data Privacy Framework. The information Imprivata provides to Data Subjects (as set forth in the Imprivata Policy) includes the types of Personal Data Imprivata collects about them, the purposes for which Imprivata collects and uses such Personal Data, the types of third parties to which Imprivata discloses such Personal Data and the purposes for which Imprivata does so, the rights of Data Subjects to access their Personal Data, the choices and means that Imprivata offers for limiting its use and disclosure of such Personal Data, how its obligations under the Data Privacy Framework are enforced, and how Data Subjects can contact Imprivata with any inquiries or complaints.

Choice

If Personal Data is (a) disclosed to a third party not identified at the time of data collection or (b) used for a purpose other than that which it was originally collected for, Imprivata will provide Data Subjects with an opportunity to choose whether to have their Personal Data so disclosed or used. Imprivata’s employees are responsible for providing proper notification to Data Subjects when they have the right to opt out of such disclosures or uses. To request to exercise these choices, a Data Subject should contact Imprivata at: privacycommittee@imprivata.com.

Accountability for Onward Transfer

In the event that Imprivata transfers Personal Data covered by this Policy to a third party acting as a controller, Imprivata will do so only if the third party has provided Imprivata with contractual assurances that it will (a) process the Personal Data for limited and specified purposes consistent with the consent provided by the Data Subject; (b) provide the same level of protection as is required by the Data Privacy Framework Principles; and (c) notify Imprivata if they can no longer meet this obligation.

As more fully set forth in the Imprivata Policy, in the conduct of Imprivata’s business operations, Imprivata may share Personal Data with attorneys, consultants, human resources providers, payroll providers, and other service providers contracted to provide services for the activities, delivery, and management of Imprivata products and services.

Imprivata may disclose Personal Data to approved third party data processors retained or contracted by Imprivata such as business partners and subcontractors, including, without limitation, affiliates, vendors, service providers and suppliers. Imprivata may share certain Personal Data with third parties who conduct marketing studies and data analytics, including those that provide tools or code which facilitates its review and management of its web site and services, such as Google Analytics or similar software products from other providers.

Except to the extent agreed by you, Imprivata may be required to share Personal Data as required or permitted by law, regulation, legal process, court order, bankruptcy or other legal requirement, or when Imprivata believes in its sole discretion that disclosure is necessary or appropriate, to respond to an emergency or to protect its rights, protect your safety or the safety of others, investigate fraud, comply with a judicial proceeding or subpoenas, court order, law-enforcement or government request, including without limitation to meet national security or law enforcement requirements, or other legal process and to enforce its agreements, policies and terms of use. Other than the aforementioned exceptions, the use and disclosure of all transferred Personal Data will be subject to this Policy.

In the event that Imprivata transfers Personal Data covered by this Policy to a third party acting as an agent, Imprivata will do so only if the third party has provided Imprivata with contractual assurances that it will (a) transfer the Personal Data for limited and specified purposes; (b) provide the same level of protection that is required by the Data Privacy Framework Principles; (c) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with Imprivata's obligations under the Data Privacy Framework Principles; and (d) require the agent to notify Imprivata if it makes a determination that it can no longer meet its obligations to provide the same level of protection as required by the Data Privacy Framework Principles. If Imprivata receives such a notice, Imprivata will (a) take reasonable and appropriate steps to stop and remediate any authorized processing and (b) provide a summary or copy of the relevant privacy provisions of its contract with that agent to the U.S. Department of Commerce, if requested.

Imprivata remains liable under the Data Privacy Framework Principles if an agent processes Personal Data covered by this Policy in a manner inconsistent with the Principles, except where Imprivata is not responsible for the event giving rise to the damage. Additionally, Imprivata may be required to disclose Personal Data in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

Security

Imprivata takes reasonable and appropriate measures to protect Personal Data covered by this Policy from loss, misuse, unauthorized access, disclosure, alteration and destruction. While Imprivata cannot guarantee the security of Personal Data, Imprivata is committed to safeguarding all Personal Data received from the EU, UK, and Switzerland.

Data Integrity and Purpose Limitations

Imprivata only collects Personal Data covered by this Policy that is relevant for the purposes of processing, as set forth in the Imprivata Policy. Imprivata does not process Personal Data that is incompatible with the purposes for which it was collected or authorized by the Data Subject. Additionally, Imprivata takes reasonable steps to ensure that any Personal Data that is collected is relevant to its intended use, accurate, complete and current.

Imprivata retains Personal Data in a form identifying or making identifiable a Data Subject only for as long as it serves a purpose of processing, which includes the performance of Services, obligations to comply with professional standards and legitimate business purposes. Imprivata will only request the minimum amount of Personal Data required to carry out these purposes and will adhere to the Data Privacy Framework Principles for as long as Imprivata retains Personal Data.

Access

All Data Subjects have the right to access the Personal Data covered by this policy that Imprivata holds about them. Additionally, if Personal Data is inaccurate or has been processed in violation of the Data Privacy Framework, Data Subjects have the right to access their Personal Data to correct it, amend it or delete it.

To request access to, or correction, amendment or deletion of, Personal Data, a Data Subject should contact Imprivata at: privacycommittee@imprivata.com.

In compliance with the Data Privacy Framework, Imprivata commits to cooperate and comply respectively with the advice of the panel established by the European Union data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Data Privacy Framework complaints concerning data received in reliance on the Data Privacy Framework. If you do not receive timely acknowledgment of a complaint, or if Imprivata does not satisfactorily address your complaint, please visit the Data Privacy Framework website linked above for more information about how to contact your local DPA, the ICO, or the FDPIC.

In addition to the above dispute resolution mechanisms, Data Subjects may be able to invoke binding arbitration before the Data Privacy Framework Panel to be created by the U.S. Department of Commerce and the European Commission, under certain conditions.

Imprivata agrees to periodically review and verify its compliance with the Data Privacy Framework Principles, and to remedy any issues that arise out of failure to comply with the Data Privacy Framework Principles. Imprivata acknowledges that failure to provide an annual self-certification to the U.S. Department of Commerce will remove Imprivata from the Department’s list of Data Privacy Framework participants.

What happens if Imprivata changes this Policy?

Imprivata may modify this Policy from time to time, consistent with changes to the requirements of the Data Privacy Framework Principles, or changes within its organization. If Imprivata changes this Policy, Imprivata will provide Data Subjects appropriate notice regarding such modifications by highlighting the change on its Site, or by emailing Data Subjects’ email addresses of record.

How can I contact Imprivata about this Policy?

Should you have any questions or concerns about this Policy or need to update certain Personal Data, please contact Imprivata at privacycommittee@imprivata.com.