Privacy in the Cloud - United States
11.1 Scope. You acknowledge that You use the Service under a shared responsibility model. This clause 11 defines the responsibilities and assurances between You and XLeap regarding Privacy.
11.2 Types of Information Collected. The Service collects a minimum set of Personally Identifiable Information (PII) on Users of the Service, the contributions of Users and circumstantial information as follows:
11.2.1 Personally Identifiable Information (PII). The Service collects Personally Identifiable Information solely for the purpose of authenticating Users at login and their identification in the Session. This PII is limited to (a) first name and surname, (b) email address and (c) organization or department. For the purpose of maintaining User accounts via a centralized directory or single sign-on, this information can be extended by a unique identifier such as a personnel number.
11.2.2 Contributions of Users. Contributions are ideas, comments, ratings, and file uploads by Participants as well as Session structures such as agendas and questions by which Hosts organize the Session and guide the work of Participants in the Session.
11.2.3 Circumstantial information. This is information logged for security auditing purposes such as the IP address from which Users connect or which records were created, accessed, or changed. XLeap screens and analyzes these logs solely for the purpose of securing the deployment and protecting the information therein. XLeap deletes logs after 90 days.
11.3 XLeap’s obligations and responsibilities. XLeap implements and maintains technical and organizational measures to adequately protect Your data in accordance with and satisfying the requirements of national and international Privacy laws and regulations.
11.3.1 Processing. The Service processes Personally Identifiable Information and contributions of Users only in so far as it provides the technical functionality by which Your Users enter, change, and delete such information. For the avoidance of doubt, the Service is an automated software service which is controlled by You. In support of the Service, XLeap creates, restores, and deletes backup copies of the Center database, creates, stores, and deletes Audit logs and records licensing information in the Subscription Store.
11.3.2 Storage. Information collected by the Service is stored in encrypted format only in the agreed geography from where information will be transmitted to Users directly in encrypted format. For the avoidance of doubt: XLeap will not store Your PII or any other Content of your Center outside the agreed location. By default, XLeap will host the Centers of U.S. customers in U.S. data centers. If You instruct XLeap to host Your Center outside the United States, the assurances of this clause 11 survive except for assurances regarding U.S. jurisdiction at the point of storage.
11.3.3 Disclosure of collected information. XLeap will not disclose or transmit Information that has been collected by the Service to anyone, unless required by law following due legal process.
11.3.4 Sub-processing. The Service rests on the infrastructure services of Amazon (AWS), which acts as a sub-processor under XLeap’s control. XLeap will inform You of any changes of sub-processors.
11.3.5 Personnel. XLeap warrants that personnel entrusted with processing Your data has been vetted and instructed on the protection of privacy and the principle of data secrecy.
11.3.6 Encryption. XLeap warrants that information is stored and transmitted to Users only in encrypted format.
11.3.7 Use by XLeap. XLeap makes no use of information collected by the Service other than to keep track of the personal licensing and unlicensing of individuals as Host and to provide information to these Users regarding their new or changed role. For the avoidance of doubt: XLeap does not profile use patterns, User contributions or PII or related information for any purpose and will prevent any third party from doing so.
11.3.8 Other systems. Information collected by Your use of the Service is held in (a) a dedicated Center instance with a dedicated database, (b) backups of that database and (c) the Subscription Store which holds the names and email addresses only of licensed Hosts, Subscription Administrators and Licensors. XLeap maintains licensing information as part of its business records in compliance with legal requirements and good commercial practice.
11.3.9 Deletion. XLeap deletes Your Center and its database including all backup copies automatically at the end of the Grace Period or on Your written order. XLeap will also delete backup copies of Your Center on your written order should this be required for You to comply with deletion requests. For the avoidance of doubt: after such deletion, no copies of Your Content shall survive, and You accept that such Content cannot be subsequently restored.
11.3.10 Use statistics. To improve its product, XLeap keeps anonymous statistics on the use of system components. These statistics do not allow for disaggregation to the level of individual Users or groups of Users.
11.3.11 Notification of breaches. XLeap will inform You without undue delay of any material breach of the regulations for the protection of Your Personally Identifiable Information, committed by XLeap, its personnel or third parties. XLeap shall implement the measures necessary to secure the PII and to mitigate potential adverse effects on the concerned individuals and shall agree upon the same with You without undue delay. XLeap shall support You in fulfilling Your disclosure obligations regarding such breaches.
11.3.12 Inquiries by individuals. XLeap will assist You in answering an individual’s inquiry related to Your collection, processing, or use of that individual’s PII by Your Use of the Service at your written request.
11.4 Your obligations. While XLeap is responsible for the technical security, availability, confidentiality, and functionality of the Service, it falls on You to assure that the Service is used in compliance with the principles of data secrecy and the Privacy laws and regulations that apply to you. This obligation includes but is not limited to the following sub-clauses of this clause 11.4:
11.4.1 Collection of Information. You will collect Personally Identifiable Information as defined in clause 11.2.1 only with the User’s consent and/or where You have a legitimate interest or legal basis to do so.
11.4.2 Authentication. You will set and enforce adequate authentication requirements and a separation of roles to protect the PII and contributions of Your Users.
11.4.3 Data economy. You acknowledge that the Service is not a repository for the results and the minutes of Sessions and will instruct Your Administrators and Hosts to delete Personally Identifiable Information after it has served its purpose and apply the principles of data secrecy and economy through the Service’s automated procedures to remove inactive User accounts and old unused Sessions which may hold Participant lists.
11.4.4 Irregularities. You will instruct Your Administrators that any attempt to circumvent the Service’s protective measures and controls regarding the bulk extraction, profiling or transfer of Personally Identifiable Information is a severe violation of this Agreement and may be a crime.
Definitions of the Terms & Conditions (Extract)
“Center” means the technical environment in which Sessions are planned, executed and stored and for which a Center Subscription must be purchased.
“Content” means all audio, video, multimedia, data, text, images, documents, computer programs, and any other information or materials uploaded or created by or on behalf of You with Your use of the Service.
“Grace Period” is the term measured in weeks or months for which a Center is preserved for renewal after the Center Subscription has expired.
“Personally Identifiable Information” is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
“PII” is an abbreviation for Personally Identifiable Information.
“XLeap” means XLeap Inc, 440 Monticello Ave, Ste 1875, Norfolk, VA 23510. Where applicable “XLeap” includes XLeap GmbH, Efftingestrasse 28, 22041 Hamburg, Germany, XLeap Inc’s parent company to whom it delegates the technical provisioning of the Software Service.
XLeap® is also a registered Trademark of XLeap Inc.
* The ‘Terms and Conditions for the XLeap Software Service – United States’ apply to products XLeap Center and Managed Server. The ‘Terms and Conditions for Personal XLeap Subscriptions – United States’ differ regarding the details of technical implementation.