Privacy Shield

DEFINITIONS.

“Personal Data” means data that personally identifies or may be used to personally identify a person, whether directly or indirectly in combination with other data.

“Customer” means a prospective, current, or former customer, or client of Work Cycle.

 

SCOPE.

Work Cycle  in the Privacy Shield applies to the Personal Data that Work Cycle  receives from and processes on behalf of Customers of Work Cycle located in the EU. Work Cycle acts as a sub-processor processor of the Personal Data we process on behalf of the Customers (who are data controllers with respect to the personal data we process on behalf of Work Cycle

 

PURPOSES OF DATA PROCESSING.

Work Cycle provides its Customers with a project management tool designed to improve work processes, create an environment of transparency in the Customer's organization, and facilitate a more efficient and intuitive way to manage teams and entire operations. Work Cycle's project management tool is made available to its Customers on a software as a service (SaaS) basis (the “Service”).

 

Work Cycle will only process the Personal Data we receive from Work Cycle, for the purposes of our Service to the respective Customer. To fulfill these purposes, we may access the data to provide or offer the Service, to correct and address technical or service problems, or to follow instructions of our Customer who submitted the data, or in response to contractual requirements.

 

ONWARD TRANSFERS OF PERSONAL DATA.

We will not transfer Personal Information originating in the EU to third parties unless such third parties have entered into an agreement in writing with us requiring them to provide at least the same level of privacy protection to your Personal Information as required by the Principles of the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We will only transfer Personal Information to cloud service providers who need the information in order to provide services to or perform activities on our behalf. In cases of onward transfer to third parties of data of EU individuals received pursuant to the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield, Work Cycle is potentially liable.


 

RIGHT TO ACCESS, CHANGE OR DELETE PERSONAL DATA.

Data subjects have the right to access Personal Data about them, and in some cases to limit use and disclosure of their Personal Data. If you would like to request access to the Personal Data we have processed on behalf of one of the Customers, please contact support@Work Cycle and provide your name and contact information. Work Cycle will refer your request to the Customer, and will support them as needed in responding to your request.


 

REQUIREMENT TO DISCLOSE.

Work Cycle may be required in certain circumstances to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.


 

PRIVACY SHIELD INDEPENDENT RECOURSE MECHANISM.

In compliance with the Privacy Shield Principles, Work Cycle  commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Work Cycle  at: contact@WorkCycle.io o

 

Work Cycle  has further committed to refer unresolved privacy complaints under the EU-U.S. Privacy Shield Principles and the Swiss-U.S. Privacy Shield Principles to JAMS, a non-profit alternative dispute resolution provider located in the United States to assist with the complaint resolution process. If you do not receive timely acknowledgment of your complaint, or if your complaint is

 

U.S. FEDERAL TRADE COMMISSION ENFORCEMENT.

Work Cycle is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) to ensure compliance with the EU-U.S. Privacy Shield Principles and the Swiss-U.S. Privacy Shield Principles outlined in this notice.

 

ARBITRATION.

 

Under certain conditions, more fully described on the Privacy Shield website (https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint), you may also be able to invoke binding arbitration when other dispute resolution procedures have been exhausted.

 

Work Cycle is GDPR ready

At Work Cycle, nothing is more important to us than the success of our customers and the protection of their personal data. With customers in nearly every country in the world, we adhere to the General Data Protection Regulation (GDPR). The GDPR expands the privacy rights granted to European individuals and requires certain companies that process the personal data of European individuals to comply with a new set of regulations. In particular, the GDPR may apply to companies that process the personal data of European individuals and have a presence in the EU (e.g. offices or establishments) and to companies that do not have any presence in the EU but target the European market (e.g. by offering goods or services to the European market) or monitor the behavior of European individuals. We’re here to help our customers in their efforts to comply with the GDPR.

 

What is GDPR?

In 2016, the European Union (EU) approved a new privacy regulation called the General Data Protection Regulation, commonly known as the GDPR. It’s a mandatory ruling that applies to all companies that collect the data and information of EU individuals and meet certain territorial requirements. The GDPR is designed to strengthen the security and protection of personal data in the EU, as well as provide businesses with a structured framework on how to collect, process, use, and share personal data. Under the GDPR, the concept of “personal data” is very broad, and covers almost any information relating to a specific individual.

 

When are these regulations starting to be enforced?

All companies collecting or processing the personal data of EU individuals must be GDPR compliant by May 25, 2018.

 

Controllers and Processors

The GDPR defines and distinguishes between two types of parties and responsibilities when it comes to collecting and processing personal data: data controllers and data processors. A data controller determines the purposes and ways that personal data is processed, while a data processor is a party that processes data on behalf of the controller. That means that the controller could be any company or organization. A processor could be a SaaS, IT or other company that is actually processing the data on behalf of the controller. Work Cycle is a Data Processor. Work Cycle customers (the organizations who use Work Cycle) are Data Controllers. The controller is responsible for making sure that all processors with whom it deals will be GDPR compliant, and the processors themselves must keep records of their processing activities.

 

What steps were taken by Work Cycle following the GDPR requirements?

We welcome the arrival of GDPR and view the regulations as raising the bar for data protection, security, and compliance. We will continue to be committed to our customers and users to help them comply with the GDPR while using Work Cycle as their data processor.

 

We worked with our engineering, product, security and legal teams to bring both our product and our legal terms in line with the GDPR, and will continue to ensure they stay in line. As part of Work Cycle's GDPR readiness project we’ve taken the following steps:

  • Reviewed and strengthened our security infrastructure and practices, data encryption in transit and at rest, backup, logs and security alerts.

  • Carried out a risk assessment and data mapping process to make sure any data that may be stored or processed is processed and managed according to the GDPR instructions.

  • We delete or anonymize users' analytics data after the user's deletion.

  • Had an external audit made by E&Y to receive a SOC 2 Type II security certification from the American Institute of Certified Public Accountants (AICPA).

  • Received an internationally recognized security certification for ISO 27001 ISMS (information security management system) and ISO 27018 (for protecting personal data in the cloud).

  • We’ve self-certified under the E.U.-U.S. Privacy Shield frameworks to comply with data protection requirements when transferring personal data to Work Cycle's US subsidiary.

  • We’ve made sure we have the appropriate contractual terms in place to perform our role as a data processor for our customers while complying with the GDPR.

  • We’ve put in place all the internal procedures, processes and controls, and recurring training sessions for the team, to ensure our ongoing compliance with the GDPR.

  • We’ve revised our Terms of Use and Privacy Policy to support the GDPR requirements.

  • Performed security and privacy assessments of our sub-processors to ensure they are all complying with the GDPR requirements.

  • We’ve appointed a Data Protection Officer (DPO) and a representative in the EU.

  • We’ve developed, and are now making available, product features that allow organizations to deal with data deletion:

    • Delete user profile: Admins can now delete users’ personal data from the system (on their own initiative or as per a user’s request); this will allow the organization to meet the GDPR requirements. This will delete the user name, phone, email, picture, address, title, social networks references, and other customer fields if provided. Deleting a user will not delete the user's posts or uploaded files, which will remain available for the organization, under an anonymous name, as defined by the organization.

    • Delete account: When canceling an account, admins can decide if they want to keep the organization information (including personal data) for future use or delete it permanently.

We’ll continue to monitor the guidance around GDPR compliance and will ensure that our product and processes comply with that guidance when it becomes effective.

We’ve also created a “Legal, Security & Privacy” portal where you can learn more about Work Cycle's security and privacy practices, certifications, legal terms, policies and procedures.

 

Does Work Cycle offer a Data Processing Agreement (DPA)?

Yes. You can view our Data Processing Agreement/addendum (DPA) online. If you need a signed copy of the DPA, you can download it and send a signed copy to legal@Work Cycle, and we’ll provide you with a countersigned copy.

 

Does Work Cycle have a Data Protection Officer (DPO) appointed?

Yes. We have appointed Privacy veteran Aner Rabinovitz as our Data Protection Officer, for monitoring and advising on Work Cycle's ongoing Privacy compliance, and serving as a point of contact on Privacy matters for data subjects and supervisory authorities. Aner may be reached at dpo@Work Cycle

 

Does the GDPR prevent a company from storing data outside of the EU?

Nothing in the GDPR prevents businesses from storing data outside of the EU, provided that the data processors adhere to the necessary regulations and protections. At Work Cycle, we store our data with Amazon Web Services (AWS), which is based in the US. Like Work Cycle, AWS has announced that it is GDPR ready.

Where can I learn more about GDPR?

Additional information is available on the official GDPR website of the European Union.

I have more questions. Who should I contact?

If you have any additional questions about the GDPR, you are welcome to contact us at contact@Work Cycle.io