Privacy Center

Our Privacy center is aimed at making it easy to find out about how we share and use your data, the obligations you accept on use of our products and services, and a central location for other legal information.

Because we are a large organization and use personal data in lots of different ways, we have split up this information into several different privacy and legal notices to make it easier for you to find what you are looking for.

Policy Description
Privacy Notice

An overview of how we use information and share information of our clients, website visitors, and targets of due diligence.

Privacy Shield Policy

An overview of how we collect, use, and disclose certain personally identifiable information that we receive in the US from the European Union (“EU”), the United Kingdom (“UK”), and Switzerland.

Human Resources & Job Applicant Privacy Policy

An overview of how we use information and share information of people we work with and those that apply to work with us.

Data Processing Agreement

An addendum to the contractual agreement for services between Exiger and customer, explaining our respective roles and the nature and subject matter of processing. This includes the EU Standard Contractual Clauses (“SCC”).

Privacy Notice

This privacy notice describes how we, Exiger LLC, and our subsidiaries and affiliates from time to time (“Exiger,” “we,” “us,” “our”), process, maintain, use and share information about individuals (each a “User,” “you,” “your”) who use our website (www.exiger.com) and related features (collectively, the “Site”) or who we communicate or interact with. Exiger complies with various privacy laws globally including, but not limited to, the European Union General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”).

This notice sets out:

  1. Information we collect about you
  2. Cookies and other technologies
  3. How we use your information
  4. Our promotional updates and communications
  5. Who we give your information to
  6. Where we store your information
  7. How we protect your information
  8. How long we keep your information
  9. Links to Third Party Sites
  10. Child Safety
  11. Provision of Professional Services
  12. Your rights
  13. Changes to this notice
  14. Contact us

Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

By engaging with our Site, you acknowledge you have read and understood this privacy notice.

For the purposes of the applicable data protection law, the Data Protection Officer is: Clewin McPherson,

Senior Vice President-Global Operations

+1 (212) 455-9400

data.protection@exiger.com

1. INFORMATION WE COLLECT ABOUT YOU

We will collect and process the following personal data from you:

  • Information you give us
    • This is information about you that you give us directly when you interact with us. This is information about you that you give us by filling in forms on our site or by corresponding with us by phone, e-mail or otherwise. It includes information you provide when you use our site, subscribe to our service, search for a product, submit a query, and when you report a problem with our site.
    • The information you give us may include demographic information, such as your name, job title, company name, country, e-mail address and phone number.
    • If you register for an event we organize, you may submit additional information including your interest in compliance topics and products.
    • If you respond to an advertised job vacancy or make a general inquiry regarding employment opportunities with us, you may submit various employment details about yourself, including a CV, resumé or other details of your educational and employment history. For further information on recruitment, please review Exiger’s Human Resources & Job Applicant Privacy Notice.
  • Information we collect about you from your use of our site: We will automatically collect technical information from you each time you visit our site. This includes:
    • The Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
  • Information we receive from other sources. This is information we receive about you:
    • If you use any of the other websites or apps we operate or the other services we provide.
    • From third-parties we work closely with (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, and search information providers). We will notify you when we receive information about you from them and the purposes for which we intend to use that information.

2. COOKIES AND OTHER TECHNOLOGIES

Our site uses cookies and/or other similar technologies to collect and store certain information. These typically involve pieces of information or code that a website transfers to, or accesses from, your computer hard drive or mobile device to store and sometimes track information about you. Cookies and similar technologies enable you to be remembered when using that computer or device to interact with websites and online services, and can be used to manage a range of features and content as well as storing searches and presenting personalized content.

Our site uses cookies and similar technologies to distinguish you from other users of our site. This helps us to provide you with a good experience when you browse our site and also allows us to improve our site. 

A number of cookies and similar technologies we use last only for the duration of your web session and expire when you close your browser. Others are used to remember you when you return to the site and will last for longer.

We use these cookies and other technologies on the basis that they are necessary for the performance of a contract with you, or because using them is in our legitimate interests (where we have considered that these are not overridden by your rights), and, in some cases, where required by law, where you have consented to their use.

Most web browsers automatically accept cookies and similar technologies, but if you prefer, you can change your browser to prevent that. Your help screen or manual will tell you how to do this. If you disable cookies to our site, however, you may not be able to take full advantage of our site. 

3. HOW WE USE YOUR INFORMATION

We use information held about you in the following ways:

  • Information you give to us:
    • We will use this information to:
      • Take steps in order to enter into any contract or carry out our obligations arising from any existing contract entered into between you and us.
      • Provide you with information about our goods or services we feel may interest you, if you have given your consent to receiving marketing material from us at the point we collected your information, where required by law or otherwise in our legitimate interests (provided these interests do not override your right to object to such communications).
      • Ensure in our legitimate interests that:
        • Content from our site is presented in the most effective manner for you and for your computer.
        • We provide you with the information, products and services that you request from us.
  • Information we collect about you from your use of our site
    • We will use this information in our legitimate interests, where we have considered these are not overridden by your rights:
      • To administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes.
      • To keep our site safe and secure.
      • For measuring or understanding the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you.
      • To improve our site to ensure that content is presented in the most effective manner for you and for your computer.
      • To allow you to participate in interactive features of our service, when you choose to do so.
  • Information we receive from other sources
    • We may combine this information with information you give to us and information we collect about you in our legitimate interests (where we have considered that these are not overridden by your rights). We will use this information and the combined information for the purposes set out above (depending on the types of information we receive).

4. OUR PROMOTIONAL UPDATES AND COMMUNICATIONS

Where permitted in our legitimate interest or with your prior consent where required by law, we will use your personal information for marketing analysis and to provide you with promotional update communications by email and social media platforms about our products/services.

You can object to further marketing at any time by selecting the “unsubscribe” link at the end of all our marketing and promotional update communications to you, or by sending us an email at privacy@exiger.com.

5. WHO WE GIVE YOUR INFORMATION TO

We may give your information to any member of our group:

  • We may give your information to any of our subsidiaries, our ultimate holding company and its subsidiaries, who support our processing of personal data under this notice. If any of these parties are using your information for direct marketing purposes, we will only transfer the information to them for that purpose with your prior consent.

We may also give your information to selected third parties:

  • Organizations who process your personal data on our behalf and in accordance with our instructions and the Data Protection Law. This includes in supporting the services we offer through the site in particular those providing website and data hosting services, providing fulfilment services, distributing any communications we send, supporting or updating marketing lists, facilitating feedback on our services and providing IT support services from time to time. These organizations (which may include third party suppliers, agents, sub-contractors and/or other companies in our group) will only use your information to the extent necessary to perform their support functions.
  • Advertisers and advertising networks that require the data to select and serve relevant adverts to you and others. We do not disclose information about identifiable individuals to our advertisers, but we will provide them with aggregate information about our users. We may also use such aggregate information to help advertisers reach the kind of audience they want to target. We may make use of the personal data we have collected from you to enable us to comply with our advertisers’ wishes by displaying their advertisement to that target audience and subject to the cookie section of this notice.
  • Analytics and search engine providers that assist us in the improvement and optimization of our site and subject to the cookie section of this notice (this will not identify you as an individual).
  • Business partners who jointly with us provide services to you and with whom we have entered into agreements in relation to the processing of your personal data.

We will disclose your personal information to third parties:

  • In the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets subject to the terms of this privacy notice.
  • If Exiger LLC or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
  • If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of supply and other agreements with you; or to protect the rights, property, or safety of Exiger LLC, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction and to prevent cybercrime.

When you visit our website, we use the following third parties to process your information:

Company | Processing Type | Learn More
Google, Inc. | Analytics, Advertising | “How Google uses data when you use our partners’ sites or apps”, located at www.google.com/policies/privacy/partners/
New Relic | Telemetry, Performance | https://newrelic.com/termsandconditions/services-notices
HotJar | Behavior Analytics | https://www.hotjar.com/privacy/
HubSpot | Customer Relationship Management, Marketing, and Sales | https://legal.hubspot.com/product-privacy-policy
LinkedIn | Advertising | https://www.linkedin.com/legal/privacy-policy

6. WHERE WE STORE YOUR INFORMATION

We are headquartered in the United States of America with offices and servers in Canada, among other places. Therefore, we may transfer, process, and/or store your personal information in the United States and Canada. When we transfer personal information to any destination outside the European Union (EU), the European Economic Area (EEA) or the United Kingdom (UK), we will take all steps reasonably necessary to ensure that your data is subject to appropriate safeguards, such as relying on a recognized legal adequacy mechanism, and that it is treated securely and in accordance with this privacy notice.

The European Commission has recognized that Canada and the United Kingdom have data privacy laws providing an adequate level of protection. For transfers to the US and/or countries viewed as inadequate, we have taken appropriate safeguards to require that your Personal Data will remain protected in accordance with this Privacy Notice and as required by applicable data protection law. These include implementing an adequate method of transfer, such as the European Commission’s Standard Contractual Clauses, for transfers of Personal Data with our third-party service providers and partners, further details of which can be provided upon request.

In addition, Exiger continues to comply with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States, as discussed in Exiger’s Privacy Shield Policy.  

7. HOW WE PROTECT YOUR INFORMATION

Exiger will use appropriate technical and organizational security measures to try to protect your personal data from loss, misuse, alteration, or destruction. Please be aware that the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.

8. HOW LONG WE KEEP YOUR INFORMATION

Exiger will retain personal data for a reasonable period, taking into account legitimate business needs to capture and retain such information. Information will also be retained for a period necessary to comply with applicable local, state, federal, or country specific regulations and requirements.

We may also retain aggregate information without time limits for research purposes and to help us develop and improve our services. You cannot be identified from aggregate information retained or used for these purposes.

9. LINKS TO THIRD PARTY SITES

Our site may, from time to time, contain links to external sites. Once you click on any of those links you will be leaving our website and will be directed to another website; the Exiger privacy notice will no longer apply. We are not responsible for the privacy notices, policies, the content, or security practices of such sites.

10. CHILD SAFETY

Protecting the safety of children when they use the Internet is important to Exiger. Our services and this Site are intended for use by adults, primarily in their business or professional capacities. Our services are not directed to children; we do not target or knowingly collect information from children under the age of 13.

11. PROVISION OF PROFESSIONAL SERVICES

Exiger will also often receive personal information in the course of providing professional services – ordinarily when we provide services to private individuals, employers, businesses with personal customers, and public-sector clients with constituents. Our engagement letter and terms of business govern our relationship with clients, including what we may do with personal data that is provided to us. Exiger provides many different types of services and its role may not always be visible to the individuals who are data subjects. Exiger processes personal information on data subjects according to the instructions of its Clients and relies upon its Clients to ensure processing is supported by an adequate legal basis and only in accordance with applicable laws.

12. YOUR RIGHTS

We will honor your rights under applicable data protection laws. You may have the following rights under European laws, and may have similar rights under the laws of other countries.

  • Right of subject access: You have the right to make a written request for details of your personal information and to be provided with a copy of your personal data held by us.
  • Right to rectification: You have the right to have inaccurate information about you corrected or removed.
  • Right to erasure: You have the right to have certain personal information about you erased. We will comply with your request unless there is an overriding legitimate ground for retaining the information.
  • Right to restriction of processing: You have the right to request that we restrict the processing of your personal data (while we verify or investigate your concerns with this information, for example).
  • Right to object: You have the right to object to the further processing of your personal data, including the right to object to marketing (as mentioned in “Our promotional updates and communications” section).
  • Right to data portability: You have the right to request that your provided personal data be transferred to you or to a third party in machine-readable format.
  • Right to withdraw consent: Where the processing of your personal information by us is based on consent, you have the right to withdraw that consent without detriment at any time by contacting us. If you withdraw your consent, this will not affect the lawfulness of our use of your personal information prior to the withdrawal of your consent.

You can also exercise the rights listed above at any time by contacting our Data Protection Officer:

Clewin McPherson,

Senior Vice President-Global Operations

data.protection@exiger.com

For data subjects located in the EU: if we are not able to satisfactorily resolve your questions, concerns, or complaints, or if you believe that the processing of your personal data infringes on your rights under applicable data protection laws, you have the right, without prejudice to any other administrative or judicial remedies, to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. Contact information of the supervisory authorities may be found here: https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm

For data subjects in the UK, the Information Commissioner is the supervisory authority in the UK and can provide further information about your rights and our obligations in relation to your personal data, as well as deal with any complaints that you have about our processing of your personal data. Contact information for the UK Information Commissioner can be found here: https://ico.org.uk/

13. CHANGES TO THIS NOTICE

Exiger keeps this notice under regular review and may modify it from time to time at our discretion. Any changes we make will be posted on this page. This notice was last updated on February 18, 2021.

14. CONTACT US

If you have questions, comments, or complaints about our handling or protection of your personal data or this privacy notice, you may send a message by email to data.protection@exiger.com or may contact our Data Protection Officer:

Clewin McPherson,

Senior Vice President-Global Operations

+1 (212) 455-9400

data.protection@exiger.com

Legal Center

Policy Description
Terms & Conditions

An outline of the responsibilities, liability, and agreement when using our products and services.

Human Rights & Modern Slavery Statement

A summary of our analysis of our risk and our commitment to prevent modern slavery.

Terms & Conditions

Exiger LLC provides information on our website (the “Site”) subject to the following terms and conditions (the “Terms of Use”). The terms “we,” “our,” “us,” and “Exiger” refer to Exiger LLC. The term “you” refers to each individual user of this site and, if applicable to your use, your employer or firm. By accessing or using the site, you are acknowledging that you have read, understand, and agree, without limitation or qualification, to be bound by these Terms of Use and our Privacy Notice. If you disagree with these Terms of Use and our Privacy Notice (as amended from time to time) or are dissatisfied with this Site, your only remedy is to discontinue using this Site.

DO NOT USE THIS WEB SITE IF YOU DO NOT AGREE WITH THESE TERMS. Exiger reserves the right, in its sole discretion, to modify, alter or otherwise update this Agreement, or to change or delete any features of this Web Site, at any time, with or without prior notice to you. Such modifications, alterations, and updates of this Agreement shall be effective immediately upon posting upon the Web Site. You agree to be bound by such modified, altered and updated terms if you access or use this Web Site after Exiger has posted notice of modifications, alterations or updates. IF YOU DO NOT AGREE WITH ANY OF THE MODIFIED, ALTERED OR UPDATED TERMS, THEN YOU SHOULD NOT USE THIS WEB SITE AFTER SUCH MODIFICATIONS, ALTERATIONS OR UPDATES HAVE BEEN POSTED.

This Web Site may permit you to link to other web sites that may or may not be affiliated with this Web Site and/or with Exiger. These other linked web sites, including the web sites of Exiger’s affiliated companies, as well as the web sites of Exiger’s third party service providers, or partners, (collectively the “Third Parties”), may have different terms of use that are not the same as in this Agreement. Your access to and use of such linked web sites through links provided on this Web Site are not governed by this Agreement, but instead are governed by the terms of use and policies of those web sites, and Exiger disclaims any and all responsibility for your access to and use of such linked web sites.

PRIVACY

Personal Information, as defined in Exiger’s Privacy Notice, and other information about you that you may submit or provide to Exiger through this Web Site is subject to Exiger’s Privacy Notice, which can be found at www.exiger.com/privacy-and-legal-center/#privacy-notice and is incorporated into this Agreement. In addition, by using this Web Site you expressly consent to Exiger collecting Personal Information and other information about you, as more fully provided in Exiger’s Privacy Notice.

USE OF THIS WEB SITE AND INTELLECTUAL PROPERTY RIGHTS

Exiger controls and (either itself and/or through its third party hosts) operates this Web Site. All content on this Web Site, including, but not limited to, text, images, illustrations, graphics, logos, digital downloads, data, software, headers, icons, scripts, audio clips, and video clips, is the property of Exiger or its Third Parties, and is protected by copyrights, trademarks, service marks, and/or other intellectual property rights (which are governed by and subject to United States and international copyright laws and treaty provisions, privacy and publicity laws, and communication regulations and statutes). The content is owned and controlled by Exiger, its affiliated or related entities, or the Third Parties that have licensed or otherwise made available their content or the right to market their products and/or services to Exiger.

You may not use any registered or unregistered trademarks, service marks, copyrighted materials or other proprietary information or intellectual property appearing on this Web Site, including, but not limited to, any logos, images or characters, meta tags or similar code, or hidden text or elements containing such information or property, without the express written consent of the owner of the mark or copyright. You may not frame any trademarks, service marks, copyrights, logos, images, text, or other proprietary information or intellectual property of Exiger, or otherwise incorporate into another web site any of the content or other materials on this Web Site, without Exiger’s express prior written consent. You may not deep link to any page or portion of this Web Site without Exiger’s prior written consent.

Violation of trademark and copyright laws (“Infringement”) may result in significant civil liability or criminal penalties under United States and/or international copyright and trademark laws. You recognize that any reproduction or use of content, copyrights, trademarks, service marks, or other intellectual property on this Web Site, except as authorized by this Agreement, is considered intentional Infringement.

USER’S RESPONSIBILITIES

You warrant and represent to Exiger that you will not use this Web Site for any purpose that is unlawful, illegal or prohibited by this Agreement, including, without limitation, the sending, posting, transmitting, displaying, distributing, or knowingly receiving of or searching for any threatening, harassing, libelous, defamatory, obscene, scandalous, inflammatory, sexually oriented, pornographic, or profane material, content or images, or other images, content or messages that might be considered lewd, lascivious, excessively violent or otherwise offensive. If you violate any of these responsibilities, your permission to use this Web Site immediately terminates without the necessity of any notice by us to you. Exiger, at its sole discretion, retains the right to deny access to this Web Site to anyone for any reason, including for violation of this Agreement.

You agree that any information that you provide will be true, accurate, current and complete. If you provide any information that is untrue, inaccurate, not current or incomplete (or Exiger has reasonable grounds to suspect that such information is untrue, inaccurate, not current or incomplete), Exiger has the right to suspend or terminate your access and activity relating to, and to refuse any and all current or future use of, this Web Site.

PROHIBITED ACTIVITIES

You are specifically prohibited from any use of this Web Site, and you agree not to use or permit others to use this Web Site, without limitation, for any of the following:

(a) take any action that imposes an unreasonable or disproportionately large load on, or waste of valuable time for, the Web Site’s infrastructure or resources, including, but not limited to, sending or promoting the distribution of “spam,” “junk mail,” chain letters, or other such unsolicited or unlawful mass e-mailing techniques;

(b) disclose to, or share with, any unauthorized third parties the IDs, assigned confirmation numbers and/or passwords, or use the IDs, assigned confirmation numbers and/or passwords for any unauthorized purpose, or otherwise allow or facilitate others to gain access to Exiger’s information technology systems, environments, networks, files, data or accounts through the use of the IDs, assigned confirmation numbers and/or passwords;

(c) access or attempt to access Exiger’s information technology systems, environments, networks, files, data or accounts to which express authorization has not been obtained (including access to data not intended for You), or log into a server or account that you are not authorized to access;

(d) attempt to decipher, decompile, disassemble, modify, remove or reverse engineer any of the software or HTML code comprising or in any way making up a part of this Web Site;

(e) interfere with, disrupt, disable or damage (or attempt to interfere with, disrupt, disable or damage), in an unauthorized manner, the use or operation of this Web Site or Exiger’s, its affiliated or related entities’ or the Third Party’s systems, equipment or applications, or service to any user, host, or network, including by use of any programs, scripts, commands, viruses, worms, web bugs, harmful code, Trojan horses, other contaminants, or otherwise. This includes “denial of service” attacks, “flooding” of networks, deliberate attempts to overload a service or to burden excessively a service’s resources, attempts to “crash” a host, and/or modifying or rerouting any content or services provided at this Web Site;

(f) attempt to circumvent or subvert system or network security (i.e., authentication) mechanisms, or probe the security of any system, network, or account, associated or used in conjunction with this Web Site;

(g) upload, post, e-mail or otherwise transmit any information, content, or proprietary rights that you do not have a right to transmit under this Agreement, any law or other contractual or fiduciary relationships; and/or

(h) use any robot, spider, intelligent agent, meta-searching, other automatic device, or manual process to search, monitor or copy Exiger’s Web Site pages or the content.

NO WARRANTIES

ALL CONTENT, PRODUCTS AND SERVICES ON THIS WEB SITE, UNLESS OTHERWISE EXPRESSLY STATED IN WRITING BY EXIGER, ARE PROVIDED “AS IS” AND WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED. OTHER THAN THOSE WARRANTIES WHICH, UNDER THE U.S. LAWS APPLICABLE TO THESE TERMS, ARE IMPLIED BY LAW AND ARE INCAPABLE OF EXCLUSION, RESTRICTION, OR MODIFICATION, EXIGER DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

NEITHER EXIGER, ITS AFFILIATED OR RELATED ENTITIES, NOR THE THIRD PARTIES, NOR ANY PERSON INVOLVED IN THE CREATION, PRODUCTION, HOSTING AND/OR DISTRIBUTION OF THIS WEB SITE, WARRANT THAT THE FUNCTIONS, FEATURES OR SERVICES CONTAINED IN THIS WEB SITE WILL BE UNINTERRUPTED OR ERROR-FREE, THAT DEFECTS WILL BE CORRECTED, OR THAT THE SERVER THAT MAKES THE CONTENT AVAILABLE WILL BE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS. THE CONTENT THAT YOU ACCESS ON THIS WEB SITE IS PROVIDED SOLELY FOR YOUR CONVENIENCE AND INFORMATION. EXIGER DOES NOT WARRANT OR MAKE ANY REPRESENTATIONS REGARDING THE RESULTS THAT MAY BE OBTAINED FROM THE USE OF THIS WEB SITE, OR AS TO THE RELIABILITY, ACCURACY OR CURRENCY OF ANY CONTENT, SERVICE, AND/OR MERCHANDISE PROVIDED OR ACQUIRED PURSUANT TO YOUR USE OF THIS WEB SITE.

YOUR USE OF THIS WEB SITE IS AT YOUR OWN RISK. YOU (AND NOT EXIGER) ASSUME THE ENTIRE COST OF ALL NECESSARY SERVICING (INCLUDING, WITHOUT LIMITATION, YOUR INTERNET CONNECTION) AND REPAIR OR CORRECTION OF YOUR COMPUTER, NETWORK AND/OR SYSTEM.

LIMITATION OF LIABILITY

IN NO EVENT SHALL EXIGER, ITS AFFILIATED OR RELATED ENTITIES OR THIRD PARTIES, NOR ANY OF ITS OR THEIR RESPECTIVE OFFICERS, DIRECTORS, EMPLOYEES OR AGENTS, OR ANY PERSON OR ENTITY INVOLVED IN THE CREATION, PRODUCTION, DISTRIBUTION AND HOSTING OF THIS WEB SITE, BE LIABLE FOR ANY DIRECT, ACTUAL, INDIRECT, CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE OR EXEMPLARY DAMAGES, OF ANY KIND, WHETHER ARISING UNDER CONTRACT, WARRANTY, OR TORT (INCLUDING NEGLIGENCE) OR ANY OTHER THEORY OF LIABILITY, REGARDLESS OF WHETHER EXIGER (OR ITS AFFILIATED OR RELATED ENTITIES OR PROVIDERS) KNEW OR SHOULD HAVE KNOWN OF THE POSSIBILITY OF SUCH DAMAGES, INCLUDING, WITHOUT LIMITATION, FROM THE USE OR ATTEMPTED USE OF THIS WEB SITE OR ANY OTHER LINKED SITE.

GOVERNING LAW AND JURISDICTION

By accessing this Web Site, you agree that this Agreement and your use of the Web Site shall be governed in all respects by the laws of the State of New York, without regard to any conflict of laws provisions, and shall not be governed by the United Nations Convention on the International Sale of Goods. You further agree to submit to the exclusive jurisdiction and venue in the state and federal courts located in the State of New York for all disputes, cases and controversies regarding this Web Site, your use of this Web Site, and any matter arising out of or related to this Agreement.

INDEMNIFICATION

Exiger reserves the right to report any wrongdoing, if and when it becomes aware of it, to any applicable government or law enforcement agencies. You agree to indemnify, defend and hold Exiger, its and their officers, directors, employees, affiliated or related entities, Third Parties, agents, licensors, and suppliers, harmless from and against any and all claims, demands, actions, costs, liabilities, losses and damages of any kind (including attorneys’ fees) resulting from your use of this Web Site, your breach of any provision of this Agreement and/or any negligent acts, omissions or intentional wrongdoing by you.

GENERAL PROVISIONS

Exiger’s failure to act with respect to a breach by you or others does not waive Exiger’s right to act with respect to subsequent or similar breaches. If any provision of this Agreement is held to be invalid or unenforceable, such provision will be struck and the remaining provisions enforced. Headings are for reference purposes only. You and Exiger are dealing at arms’ length, creating a commercial relationship. Exiger is not your agent, representative or fiduciary. The provisions and conditions of this Agreement, and each obligation referenced herein, represent the entire Agreement between Exiger (including the Third Parties), its affiliated or related entities, and you, and supersede any prior agreements or understandings not incorporated herein. In the event that any inconsistencies exist between this Agreement and any future published terms of use or understanding, the last published Agreement shall prevail.

EXIGER RESERVES ANY RIGHTS NOT EXPRESSLY GRANTED OR STATED IN THESE TERMS.

Privacy Shield Policy

This Privacy Shield Policy (“Policy”) describes how Exiger LLC and its subsidiaries and affiliates in the United States (“US”) (“Exiger,” “Company,” “we,” or “us”) collect, use, and disclose certain personally identifiable information that we receive in the US from the European Union (“EU”), the United Kingdom (“UK”), and Switzerland (“Personal Data”). This Policy applies to the following US affiliated entities: Exiger LLC, Exiger Diligence, Inc. and Convergent Solutions, Inc. This Policy supplements our Privacy Notice located at http://www.exiger.com/privacy, and unless specifically defined in this Policy, the terms in this Policy have the same meaning as the Privacy Notice.

Exiger continues to comply with the EU-US Privacy Shield and Swiss-US Privacy Shield Frameworks as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member states, the United Kingdom, and Switzerland. Exiger has certified that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between the policies in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov.

In addition, for transfers to the US and/or countries viewed as inadequate, we have taken appropriate safeguards to require that Personal Data will remain protected in accordance with this Privacy Shield Policy and as required by applicable data protection law. These include implementing an adequate method of transfer, such as the European Commission’s Standard Contractual Clauses, for transfers of Personal Data with our third-party service providers and partners, further details of which can be provided upon request.

For purposes of enforcing compliance with the Privacy Shield, Exiger is subject to the investigatory and enforcement authority of the US Federal Trade Commission. For more information about the Privacy Shield, see the US Department of Commerce’s Privacy Shield website located at: https://www.privacyshield.gov. To review Exiger’s representation on the Privacy Shield list, see the US Department of Commerce’s Privacy Shield self-certification list located at: https://www.privacyshield.gov/list.

Personal Data Collection and Use

Exiger advises financial institutions and multinational corporations concerning regulatory and financial crimes risk and compliance and provides a range of related investigative, due diligence, consulting, risk management and compliance services. When Exiger processes data received from a client or prospective client (“Client Data”), Exiger does so only pursuant to the client’s or prospective client’s instructions and prior authorization.

Client Data may include Personal Data. We may receive the following categories of Personal Data in the US: name, residence and business address, national/tax identification number, email addresses, date of birth, and/or scans of relevant identification cards/documents. We process Personal Data for the following purposes: advising financial institutions and multinational corporations concerning regulatory and financial crimes risk and compliance and providing a range of related investigative, due diligence, consulting, risk management and compliance services.

Exiger will only process Personal Data in ways that are compatible with the purpose that Exiger collected it for, or for purposes the individual later authorizes. Before we use your Personal Data for a purpose that is materially different than the purpose we collected it for or that you later authorized, we will provide you with the opportunity to opt out. Exiger maintains reasonable procedures to help ensure that Personal Data is reliable for its intended use, accurate, complete, and current.

If we collect sensitive Personal Data, we will obtain your opt-in consent where the Privacy Shield requires, including if we disclose your sensitive Personal Data to third parties, or before we use your sensitive Personal Data for a different purpose than we collected it for or than you later authorized.

Exiger processes only the Personal Data that its clients or prospective clients have chosen to share with Exiger. Exiger has no direct or contractual relationship with the subject of this Personal Data (the “Data Subject”). As a result, when Client Data includes Personal Data, the client is solely responsible for satisfying all legal obligations owed directly to the Data Subject under applicable data protection laws.

It is the Exiger client’s or prospective client’s responsibility to ensure that Personal Data it collected can be legally collected in the country of origin. The client or prospective client is also responsible for providing to the Data Subject any notices required by applicable law, for obtaining consent where legally required, and for responding appropriately to the Data Subject’s request to exercise his or her rights under applicable data protection law with respect to Personal Data.

Exiger is not responsible for its client’s or prospective client’s privacy policies or practices or for the client’s or prospective client’s compliance with them. Exiger does not review, comment upon, or monitor its client’s or prospective client’s privacy policies or the client’s or prospective client’s compliance with such policies. Exiger also does not review instructions or authorizations to Exiger to determine whether the instructions or authorizations are in compliance with, or conflict with, the terms of a client’s or prospective client’s published privacy policy or of any notice provided to Data Subjects.

Under the data protection laws of the EU member states, the UK, and Switzerland, a “Controller” is an organization that determines the purposes for which and the manner in which Personal Data are to be processed. A “Processor” processes Personal Data on behalf of a Controller, and only in accordance with the Controller’s instructions. Exiger acts as a Processor when it advises a client with respect to matters involving Client Data that includes Personal Data.

Data Transfers to Third Parties

Third-Party Agents or Service Providers. We may transfer Personal Data to our third-party agents or service providers who perform functions on our behalf, including contractors who provide due diligence services. We enter into written agreements with those third-party agents and service providers requiring them to provide the same level of protection the Privacy Shield requires and limiting their use of the data to the specified services provided on our behalf. We take reasonable and appropriate steps to ensure that third-party agents and service providers process Personal Data in accordance with our Privacy Shield obligations and to stop and remediate any unauthorized processing. In cases of onward transfer to third parties of data of individuals in the EU, UK, or Switzerland received pursuant to the EU-US or Swiss-US Privacy Shields, Exiger is potentially liable.

Transfers to Exiger Affiliates.  If we transfer your Personal Data to one of our affiliated entities within our corporate group, we will take steps to ensure that your Personal Data is protected with the same level of protection the Privacy Shield requires.

Disclosures for National Security or Law Enforcement. Under certain circumstances, we may be required to disclose your Personal Data in response to valid requests by public authorities, including to meet national security or law enforcement requirements.

Security

Exiger maintains reasonable and appropriate security measures to protect Personal Data from loss, misuse, unauthorized access, disclosure, alteration, or destruction in accordance with the Privacy Shield.

Access Rights

You have the right to obtain our confirmation of whether we maintain personal information relating to you. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data, should direct his query to privacy@exiger.com.  If requested to remove data, we will respond within a reasonable timeframe.

Your right to access your Personal Data may be restricted in exceptional circumstances, including, but not limited to, when the burden or expense of providing this access would be disproportionate to the risks to your privacy in the case in question, or when the rights of persons other than you would be violated by the provision of such access. If we determine that your access should be restricted in a particular instance, we will provide you with an explanation of our determination and respond to any inquiries you may have.

Data Retention

Exiger takes reasonable and appropriate measures to comply with the requirement under Privacy Shield to retain Personal Data in identifiable form only for as long as it serves a purpose of processing. Specifically, Personal Data will be retained in accordance with our business purposes and our obligations to comply with legal requirements and professional standards, unless a longer retention period is otherwise permitted by law and its retention adheres to the Privacy Shield Principles.

Questions or Complaints

In compliance with the EU-US Privacy Shield Principles and Swiss-US Privacy Shield Principles, Exiger commits to resolve complaints about your privacy and our collection or use of your personal information. Individuals in European Union member states, the United Kingdom, or Switzerland with inquiries or complaints regarding this privacy policy should first contact Exiger at:  privacy@exiger.com.

Exiger has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles and Swiss-US Privacy Shield Principles to BBB EU Privacy Shield, a non-profit alternative dispute resolution provider located in the United States and operated by BBB National Programs, Inc. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/privacy-shield-complaints for more information and to file a complaint.

Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.

Binding Arbitration

You may have the option to select binding arbitration for the resolution of your complaint under certain circumstances, provided you have taken the following steps: (1) raised your complaint directly with Exiger and provided us the opportunity to resolve the issue; (2) made use of the independent dispute resolution mechanism identified above; and (3) raised the issue through the relevant data protection authority and allowed the US Department of Commerce an opportunity to resolve the complaint at no cost to you. For more information on binding arbitration, see US Department of Commerce’s Privacy Shield Framework: Annex I (Binding Arbitration), available at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

Contact Us

If you have any questions about this Policy or would like to request access to your Personal Data, please contact us as follows: data.protection@exiger.com

Changes to This Policy

We reserve the right to amend this Policy from time to time consistent with the Privacy Shield’s requirements.

Last modified: February 19, 2021

Human Rights & Modern Slavery Statement

Exiger Limited’s Human Rights and Modern Slavery Statement

This statement is published on behalf of Exiger Limited (Company 8613726) pursuant to section 54 of the UK Modern Slavery Act (2015). Exiger Limited is a wholly-owned subsidiary of Exiger Holdings, Inc., a company headquartered in New York.

In conducting our business, Exiger is committed to protecting and maintaining all internationally recognised human rights with respect to our employees, the communities in which we operate, and the communities within which our supply chains operate globally. This statement reflects our approach to both modern slavery and human rights, and details the action Exiger Limited took during the 2019 financial year to address the risk and steps in prevention of modern slavery in our operations and supply chain, and how we intend to improve these efforts moving forward.

Who We Are and What We Do

Exiger is a global regulatory and financial crime compliance and risk management company. Exiger equips financial institutions, multinational corporations, and governmental agencies with the practical advice and technology solutions needed to prevent compliance breaches, respond to risk, remediate major issues, and monitor ongoing business activities. Exiger works with clients worldwide to assist them in managing their critical challenges effectively while developing and implementing the policies, procedures, and programs needed to create a sustainable compliance environment.

By the end of the 2019 financial year, Exiger employed approximately 546 people, with offices in the United States, United Kingdom, Canada, Hong Kong, Romania, and Singapore. Alongside our staff, independent contractors and data service suppliers play a key role in our client-facing teams and in providing our diligence and technology services.

Our Approach to Human Rights and Modern Slavery

Exiger is led by Executive Chairman Mike Cherkasky and by CEO and President Michael Beber, who also leads the Board of Directors of Exiger Limited, our UK-based affiliate. Exiger’s Board of Directors provides both leadership and a strong tone from the top regarding ethical conduct.

Founded to conduct the largest ever court-appointed monitorship of a global financial institution, we are committed to conducting business in a responsible manner. Integrity—one of our company’s seven guiding principles—is embedded in Exiger’s culture through our Code of Conduct, which outlines the values and high ethical standards of both personal and corporate conduct expected of everyone who works for or with Exiger.

We are committed to ensuring that no modern slavery or human trafficking takes place within our business. We have a zero-tolerance policy towards forced or bonded labour; we ensure all our terms of employment are voluntary and adhere to local laws with respect to minimum age requirements, wages, overtime, and working hours; and we expect the same from our suppliers, contractors, and third parties. Further, Exiger employees are encouraged to speak up and to raise any concerns of potential or actual ethical conduct breaches.

Our Assessment of the Risk to our Organisation and Supply Chains and Supplier Due Diligence

Exiger has assessed our organisation’s modern slavery risk to be relatively low. Exiger is a consultancy in the governance, risk, and compliance space. Exiger employs a highly skilled workforce, and according to the Global Slavery Index, operates almost exclusively in countries with a lower prevalence risk of modern slavery.

Moreover, Exiger subjects all permanent staff and independent contractors to a criminal background check prior to onboarding. Additionally, Exiger subjects its data service suppliers to enhanced due diligence through Exiger’s bespoke third party management software, DDIQ and Insight 3PM. This technology uses artificial intelligence to conduct public records research and negative news screening, and also risk rates our suppliers to enable Exiger to closely monitor higher-risk suppliers. Our highest risk data service suppliers are subject to daily negative news screening to ensure we can quickly identify and monitor any new risk.

Exiger’s operational procurement consists primarily of office facility services, such as security and cleaning, and of product purchases, such as laptops, office supplies, and marketing materials. To minimize the risk of modern slavery further down these supply chains, Exiger ensures responsible procurement practices, such as avoiding unreasonable expectations and excessive downward pressure on pricing.

Exiger Limited’s London office obtains facilities services from one supplier. This supplier is a signatory to the UN Global Compact, a public declaration of their commitment to business integrity. The supplier has published their own Modern Slavery Statement explaining the steps they have taken to prevent modern slavery and human trafficking from their supply chains. We will continue to review this relationship to ensure such standards are maintained.

Our Progress During the Previous Financial Year

Although Exiger has never identified a human rights breach within our organisation or our supply chains, we are not complacent. During the previous financial year we have:

  • Updated our Code of Conduct to include specific commitments we have made for addressing ethical issues, including modern slavery;
  • Updated our procurement process to ensure a more robust due diligence process during new supplier onboarding. In the event that we are considering entering into a high-risk relationship with any supplier, such relationship will be vetted by our internal Client Selection and Conflict Management Committee. If accepted, the relationship will be subject to ongoing monitoring to ensure compliance with our high ethical standards; and
  • Implemented an anonymous ethics and compliance reporting hotline, available 24 hours a day to all Exiger employees, in all our host country languages, to ensure that any individual wishing to submit an incident report may do so without fear of retribution.

Our Plans for the Future

We are committed to continually improving our efforts to identify, address, and prevent modern slavery. Moving forward, we commit to:

  • Providing modern slavery guidance to our operational procurement staff to further increase awareness of the risks within our supply chains. We will encourage greater consideration of ethical performance as a deciding factor in procurement selection; and
  • Mapping the supply chain of Exiger branded merchandise; this includes reviewing our vendors, identifying product sources, and identifying and addressing potential modern slavery risks further down the chain.

Exiger Limited’s Board of Directors reviewed and approved this statement and, as a declaration of its commitment to address and prevent modern slavery within our business and our supply chains, Ron Collins signed this statement on behalf of the Board of Directors on June 30, 2020.

Director and CFO

Human Resources & Job Applicant Privacy Policy

Exiger is a global firm with offices in Australia, Canada, Hong Kong, Romania, Singapore, the United Kingdom, and the United States. The corporate headquarters for Exiger is located in the United States, and this is the central repository for processing information about our employees, contractors, and job applicants.

This Human Resources & Job Applicant Privacy Policy (“Policy”) describes how Exiger LLC and its subsidiaries and affiliates in the United States (“US”) (“Exiger,” “Company,” “we,” or “us”) collect, use, and disclose certain personally identifiable information that we receive in the US from our affiliates, including data from the European Union (“EU”), the United Kingdom (“UK”), and Switzerland (“Human Resources Data”). This Policy applies to the following US affiliated entities: Exiger LLC, Exiger Diligence, Inc., Convergent Solutions, Inc. This Policy supplements our Privacy Notice located at http://www.exiger.com/privacy, and unless specifically defined in this Policy, the terms in this Policy have the same meaning as the Privacy Notice.  This Policy is available to Exiger employees as part of Exiger’s employee handbook and as part of job postings. 

Exiger continues to comply with the EU-US Privacy Shield and Swiss-US Privacy Shield Frameworks as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Union member states, the United Kingdom, and Switzerland.  Exiger has certified that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between the policies in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov.

In addition, for transfers to the US and/or countries viewed as inadequate, we have taken appropriate safeguards to require that your Personal Data will remain protected in accordance with this Human Resources & Job Applicant Privacy Shield Policy and as required by applicable data protection law. These include implementing an adequate method of transfer, such as the European Commission’s Standard Contractual Clauses, for transfers of Personal Data with our third-party service providers and partners, further details of which can be provided upon request.

For purposes of enforcing compliance with the Privacy Shield, Exiger is subject to the investigatory and enforcement authority of the US Federal Trade Commission. For more information about the Privacy Shield, see the US Department of Commerce’s Privacy Shield website located at: https://www.privacyshield.gov. To review Exiger’s representation on the Privacy Shield list, see the US Department of Commerce’s Privacy Shield self-certification list located at: https://www.privacyshield.gov/list.

Human Resources Data Collection and Use

We may receive the following categories of Human Resources Data in the US:  name, email, address, telephone number, date of birth, national identification number, gender, nationality. We process Human Resources Data of our employees, contractors, and job candidates for the following purposes: recruiting, onboarding background checks, making benefits available to them, and otherwise enabling them to do their jobs.

Exiger will only process Human Resources Data in ways that are compatible with the purpose that Exiger collected it for, or for purposes the individual later authorizes. Before we use your Human Resources Data for a purpose that is materially different than the purpose we collected it for or that you later authorized, we will provide you with the opportunity to opt out. Exiger maintains reasonable procedures to help ensure that Human Resources Data is reliable for its intended use, accurate, complete, and current.

If we collect sensitive Human Resources Data, we will obtain your opt-in consent where the Privacy Shield requires, including if we disclose your sensitive Human Resources Data to third parties, or before we use your sensitive Human Resources Data for a different purpose than we collected it for or than you later authorized. We do not seek to obtain and will not collect such data about a job candidate unless permitted to do so by applicable laws (e.g., US equal opportunity monitoring).

Under the data protection laws of the EU member states, the UK, and Switzerland, a “Controller” is an organization that determines the purposes for which and the manner in which Human Resources Data are to be processed. A “Processor” processes Human Resources Data on behalf of a Controller, and only in accordance with the Controller’s instructions. Exiger acts as a Processor when it advises a client with respect to matters involving Client Data that includes Human Resources Data, and acts as a Controller when processing Human Resources Data for its employees, contractors, and/or job candidates.

Your personal data may be accessed by Exiger employees or agents (e.g., Human Resources, Employees via an internal address book, recruiters, and/or interviewers) working in the country where the position for which you are working or are applying is based, as well as by Exiger Employees or agents working in different countries within the Exiger global organization. Individuals performing administrative functions and IT personnel within Exiger may also have limited access to your personal data to perform their jobs. In some countries, you may have fewer rights under local law than you do in your country of residence, but we have put in place legal mechanisms designed to ensure adequate protection of your personal data that is processed by Exiger subsidiaries and affiliates within the Exiger global organization, including the transfer of your personal data to countries other than the one in which you reside.

Job Candidates

For job candidates, we may also collect work and educational history, achievements, and test results. We also may collect personal data about you from third parties, such as professional recruiting firms, your references, prior employers, Exiger employees with whom you have interviewed, and employment background check providers, to the extent this is permitted by applicable law. We may use your personal data for legitimate human resources and business management reasons including:

  • identifying and evaluating candidates for potential employment, as well as for future roles that may become available;
  • recordkeeping in relation to recruiting and hiring;
  • ensuring compliance with legal requirements, including diversity and inclusion requirements and practices;
  • conducting criminal history checks as permitted by applicable law;
  • protecting our legal rights to the extent authorized or permitted by law; or
  • emergency situations where the health or safety of one or more individuals may be endangered.

We may also analyze your personal data or aggregated/pseudonymized data to improve our recruitment and hiring process and augment our ability to attract successful candidates.

If you elect to join a recruiting program, we may retain your personal data to consider you for future employment opportunities and for a period of time specific to that program, unless you decide to opt-out prior to such time.

You are not required to provide any requested information to us, but failing to do so may result in not being able to continue your candidacy for the job for which you have applied.

We do not make recruiting or hiring decisions based solely on automated decision-making.

Whistleblowers Data (Ethics and Compliance Hotline Data)

We use Lighthouse Services, Inc. for an anonymous ethics and compliance hotline for all professionals of Exiger. Information provided by you may be the basis of an internal and/or external investigation into the issue you are reporting and your anonymity will be protected to the extent possible by law by Lighthouse. However, your identity may become known during the course of the investigation because of the information you have provided.  

When you submit a report through the website, phone, fax, or email, the hotline provider creates a report from the data you provide (written, verbal, and/or metadata, like IP address or caller-ID). Any personal data that you provide is included in the report. Reports are submitted by Lighthouse to a company designee for investigation according to our company policies. Depending on the investigation, part or all of the report may be shared with business unit leaders, managers, the legal department, outside counsel, or other investigators for investigation needs, on a need-to-know basis as outlined in our investigations policy.

While providing personal information to us may start with your consent, we may be under a legal obligation to investigate and further process the personal information you gave us on the legal basis of a legal obligation. You can contact us at data.protection@exiger.com regarding this information and revoking your consent. We will respond to your request and inform you that we will stop processing the personal information in the report, or provide you reasons that we cannot.

The reporting system has a function that enables anonymous communication without waiving anonymity. Further communications and personal data sent to us through the anonymous communication will be added to the report and considered processed under the same consent. If you waive anonymity, you probably cannot undo the waiver. Your identity will be made part of the report. As we have a legal obligation to retain reports according to our data retention policy, revoking your consent would likely not be sufficient to undo the waiver and remove your identity from the report. However, you may make the request to revoke your consent to data.protection@exiger.com and we will consider the request.

Data Transfers to Third Parties

Third-Party Agents or Service Providers. We may transfer Human Resources Data to our third-party agents or service providers who perform functions on our behalf, including payroll processors, insurance brokers and providers of other employee benefits, as well as contractors who provide due diligence services for onboarding.

We enter into written agreements with those third-party agents and service providers requiring them to provide the same level of protection the law requires and limiting their use of the data to the specified services provided on our behalf. We take reasonable and appropriate steps to ensure that third-party agents and service providers process Human Resources Data in accordance with our legal obligations and to stop and remediate any unauthorized processing. In cases of onward transfer to third parties of data of individuals in the EU, UK, or Switzerland received pursuant to the European Commission’s Standard Contractual Clauses, Exiger is potentially liable.

We use third-party service providers to provide a recruiting software system. We also may share job applicants’ personal data with other third-party service providers that may assist us in recruiting talent, administering and evaluating pre-employment screening and testing, and improving our recruiting practices.

Some of our online recruiting activities are hosted by third parties. When you access sites operated by these third parties, they may, consistent with our Privacy Policy, place Cookies or Other Tracking Technologies on your device. You can learn more about our use of Cookies and other tracking technologies by reading our Privacy Policy.

In addition, we may disclose or transfer your personal data in the event of a re-organization, merger, sale, joint venture, assignment, or other transfer or disposition of all or any portion of our business.

Transfers to Exiger Affiliates. If we transfer your Human Resources Data to one of our affiliated entities within our corporate group, we will take steps to ensure that your Human Resources Data is protected with the same level of protection the law requires.

Disclosures for National Security or Law Enforcement. Under certain circumstances, we may be required to disclose your Human Resources Data in response to valid requests by public authorities, including to meet national security or law enforcement requirements.

Security

Exiger maintains reasonable and appropriate security measures to protect Human Resources Data from loss, misuse, unauthorized access, disclosure, alteration, or destruction in accordance with the law.

Access Rights

You have the right to obtain our confirmation of whether we maintain personal information relating to you. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data, should direct his query to privacy@exiger.com. If requested to remove data, we will respond within a reasonable timeframe.

Your right to access your Personal Data may be restricted in exceptional circumstances, including, but not limited to, when the burden or expense of providing this access would be disproportionate to the risks to your privacy in the case in question, or when the rights of persons other than you would be violated by the provision of such access. If we determine that your access should be restricted in a particular instance, we will provide you with an explanation of our determination and respond to any inquiries you may have.

Data Retention

We retain Human Resources Data according to Exiger’s internal data retention policy. For most of your data, that will be 7 years after your employment has ended (exceptions include, but are not limited to, pension documents, etc.). If you would like the specifics of the retention policy, please contact us at privacy@exiger.com.

If you accept an offer of employment by us, any relevant personal data collected during your pre-employment period will become part of your personnel records and will be retained in accordance with specific country requirements. If we do not employ you, we may nevertheless continue to retain and use your personal data for a period of time (which may vary depending on the country) for system administration purposes, to consider you for potential future roles, and to perform research. Thereafter, we retain a minimum amount of your personal data to record your recruiting activity with us.

Questions or Complaints

In compliance with the EU-US Privacy Shield Principles and the Swiss-US Privacy Shield Principles, Exiger commits to resolve complaints about our collection or use of your personal information. Individuals in European Union member states, the United Kingdom, or Switzerland with inquiries or complaints regarding this privacy policy should first contact Exiger at: privacy@exiger.com.

Exiger has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles and Swiss-US Privacy Shield Principles to BBB EU Privacy Shield, a non-profit alternative dispute resolution provider located in the United States and operated by BBB National Programs, Inc. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers/ for more information and to file a complaint.

Any employee who is not satisfied with the internal resolution of the complaint may seek redress with the national data protection or labor authority in the country where the employee resides. In the event that the employee chooses to file a complaint with a national data protection authority, Exiger will cooperate in investigations by, and comply with the advice of, competent EU member state authorities. Further, Exiger has committed to cooperate with (i) the Panel established by the EU data protection authorities (DPAs), (ii) the UK Information Commissioner’s Office (“ICO”), and (iii) the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) with regard to unresolved Privacy Shield complaints.

Binding Arbitration

You may have the option to select binding arbitration for the resolution of your complaint under certain circumstances, provided you have taken the following steps: (1) raised your complaint directly with Exiger and provided us the opportunity to resolve the issue; (2) made use of the independent dispute resolution mechanism identified above; and (3) raised the issue through the relevant data protection authority and allowed the US Department of Commerce an opportunity to resolve the complaint at no cost to you. For more information on binding arbitration, see US Department of Commerce’s Privacy Shield Framework: Annex I (Binding Arbitration), available at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

Contact Us

If you have any questions about this Policy or would like to request access to your Human Resources Data, please contact us as follows: data.protection@exiger.com

Changes to This Policy

We reserve the right to amend this Policy from time to time consistent with the Privacy Shield’s requirements.

Last modified: March 17, 2021

Data Processing Agreement

This Data Processing Agreement (“DPA”) is entered into by the Customer as named in the executed contract (“Customer”) and the Exiger entity as named in the executed contract, on behalf of itself and its affiliates (“Exiger”), and is attached to and made a part of that executed contract between Customer and Exiger (the “Agreement” or “Contract”). All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

1. Definitions

1.1 The following expressions are used in this DPA:

(a) “Adequate Country” means a country or territory that is recognised under EU Data Protection Laws from time to time as providing adequate protection for personal data;

(b) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, including, but not limited to, franchisees and subsidiaries;

(c) “Customer Group” means Customer and any Affiliate subject to the laws of the European Union, European Economic Area or their member states, Switzerland, or the United Kingdom;

(d) “Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, and the United States and its states, applicable to the Personal Data under the Agreement as amended from time to time.

(e) “Data Subject Request” means a request from or on behalf of a data subject relating to access to, or rectification, erasure or data portability in respect of that person’s Personal Data or an objection from or on behalf of a data subject to the Processing of its Personal Data consistent with that person’s rights under the EU Data Protection Laws;

(f) “Data Controller”, “Data Subject”, “Supervisory Authority” and “Data Processor” shall have the meanings ascribed to them in the EU Data Protection Laws;

(g) “Exiger Group” means Exiger and any Affiliate; and

(h) “Process”, “Processes” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, including the collection, recording, organization, storage, updating, modification, retrieval, consultation, use, transfer, dissemination by means of transmission, distribution or otherwise making available, merging, linking as well as blocking, erasure or destruction.

2. Status of the parties

2.1 The type of Personal Data Processed pursuant to this DPA, the subject matter, duration, nature and purpose of the Processing, and the categories of data subjects, are as described in Appendix 1.

2.2 Each of Customer and Exiger warrant in relation to Personal Data that it will comply (and will ensure that any of its staff and/or sub-processors comply), with the EU Data Protection Laws. As between the parties, Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.

2.3 In respect of the parties’ rights and obligations under this DPA regarding the Personal Data, the parties hereby acknowledge and agree that, as between the parties, Customer or clients of Customer or other member of Customer Group is/are the Data Controller and Exiger is the Data Processor. Accordingly, Exiger agrees that it shall Process all Personal Data in accordance with its obligations as a Data Processor under the EU Data Protection Laws and pursuant to this DPA. Customer, on behalf of itself, its clients, and the Customer Group, agrees that it shall provide instructions and personal data in accordance with its obligations as a Data Controller under the EU Data Protection Laws and pursuant to this DPA.

2.4 Each of Exiger and Customer shall designate to the other an individual within its organisation authorised to respond from time to time to enquiries regarding the Personal Data and each of Exiger and Customer shall deal with such enquiries promptly.

3. Exiger obligations

3.1 With respect to its Processing of Personal Data under this DPA, Exiger warrants that it shall:

(a) only Process the Personal Data in order to provide the Services and shall act only in accordance with this Agreement and Customer’s written instructions as represented by the Agreement and this DPA, this Processing includes:

(i) Processing to discover and/or fix errors in Processing;

(ii) Processing to make the Services better;

(b) in the unlikely event that applicable law requires Exiger to Process Personal Data other than pursuant to Customer’s instruction, Exiger will notify Customer (unless prohibited from so doing by applicable law);

(c) without undue delay upon becoming aware, inform Customer if, in Exiger’s opinion, any instructions provided by Customer under Clause 3.1(a) infringe the EU Data Protection Laws;

(d) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the Processing, in particular protection against unavailability, accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. Such measures include, without limitation, the security measures set out in Appendix 2;

(e) take reasonable steps to ensure that only authorised personnel have access to such Personal Data and that any persons whom it authorises to have access to the Personal Data are under obligations of confidentiality;

(f) without undue delay upon becoming aware, notify Customer of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data (a “Security Breach”);

(g) promptly provide Customer with reasonable cooperation and assistance in respect to the Security Breach and all information in Exiger’s possession concerning the Security Breach;

(h) not make any announcement about a Security Breach (a “Breach Notice”) without:

(i) the prior written consent from Customer; and

(ii) prior written approval by Customer of the content, media and timing of the Breach Notice;

unless required to make a disclosure or announcement by applicable law;

(i) promptly notify Customer if it receives a Data Subject Request. Exiger shall not respond to Data Subject Requests without Customer’s prior written consent except to confirm that such request relates to Customer. To the extent Customer does not have the ability to address a Data Subject Request (including via the Services), Exiger shall provide reasonable assistance to facilitate the Data Subject Request, provided Customer shall pay Exiger’s charges for providing such assistance, at Exiger’s standard consultancy rates.

(j) without undue delay following, and in any event within sixty (60) days of, termination or expiry of the Agreement or completion of the Services, delete all Personal Data Processed pursuant to this DPA following termination or expiry of the Agreement or completion of the Services; deletion will be at Customer’s direction and according to the terms of the Agreement, unless retention is required otherwise by law.

(k) provide such assistance as Customer reasonably requests (taking into account the nature of the Processing and the information available to Exiger) to assist Customer with its obligations under EU Data Protection Laws with respect to:

(i) data protection impact assessments (as such term is defined in the EU Data Protection Laws);

(ii) notifications to the supervisory authority under EU Data Protection Laws and/or communications to data subjects by Customer in response to any Security Breach; and

(iii) Customer’s compliance with its obligations under the EU Data Protection Laws with respect to the security of Processing;

provided Customer shall pay Exiger’s charges for providing the assistance in clause 3(1)(k), at Exiger’s standard consultancy rates set out in the Agreement.

4. Sub-processing

4.1 Customer grants a general authorisation (a) to Exiger to appoint other members of the Exiger Group as sub-processors and (b) to Exiger and other members of the Exiger Group to appoint sub-processors to support the performance of the Services.

4.2 Exiger will maintain a list of sub-processors to be provided to Customer upon request and will add the names of new or replacement sub-processors to the list prior to any sub-processing of Personal Data by the new or replacement sub-processor. If Customer has a reasonable objection to any new or replacement sub-processor, it shall notify Exiger of such objections in writing within ten (10) days of the notification and the parties will seek to resolve the matter in good faith.

4.3 Exiger will ensure that any sub-processor it engages to provide the services on its behalf in connection with this Agreement does so only on the basis of a written contract which imposes on such sub-processor terms substantially no less protective of Personal Data than those imposed on Exiger in this DPA (the “Relevant Terms”). Exiger shall procure the performance by such sub-processor of the Relevant Terms and shall be liable to Customer for any breach by such sub-processor of any of the Relevant Terms.

5. Audit and records

5.1 Exiger shall, in accordance with EU Data Protection Laws, make available to Customer such information in Exiger’s possession or control as Customer may reasonably request and which Exiger is lawfully entitled to disclose with a view to demonstrating Exiger’s compliance with the obligations of Data Processors under EU Data Protection Law in relation to its Processing of Personal Data.

5.2 Customer may exercise its right of audit under EU Data Protection Laws, in response to which Exiger will provide:

(a) an audit report by a registered and independent external auditor demonstrating that Exiger’s technical and organizational measures are sufficient and in accordance with an accepted industry audit standard (such as ISO 27001 or SSAE 18 II SOC1 and SOC2); Exiger will commission an audit on an annual basis; and

(b) additional information in Exiger’s possession or control to an EU supervisory authority when such authority requests or requires additional information in relation to the data Processing activities carried out by Exiger under this DPA.

6. Data transfers

6.1 To the extent any Processing of Personal Data by Exiger takes place in any country outside the EEA (except if in an Adequate Country), the parties agree that the standard contractual clauses approved by the EU authorities under EU Data Protection Laws and attached to this DPA (the “SCCs”) will apply with respect to that Processing, and that Exiger will comply with the obligations of the ‘data importer’ and Customer will comply with the obligations of ‘data exporter’, as set forth in the SCCs.

6.2 Customer acknowledges that the provision of the Services under the Agreement may require the Processing of Personal Data by sub-processors, as permitted under this DPA, in countries outside the EEA from time to time.

6.3 If, in the performance of this DPA and/or the Agreement, Exiger transfers any Personal Data to a sub-processor (which shall include without limitation any affiliates of Exiger) and without prejudice to clause 4 where such sub-processor will Process Personal Data outside the EEA, Exiger shall in advance of any such transfer ensure that a mechanism to achieve adequacy with respect to that Processing is in place such as:

(a) execution of a written agreement between Exiger and the sub-processor providing at least an equivalent level of data protection as required of Exiger under this DPA, and/or a version of the SCCs approved by the EU authorities under EU Data Protection Laws providing at least an equivalent level of data protection as required of Exiger under this DPA; or

(b) the existence of any other specifically approved safeguard for data transfers (as recognised under the EU Data Protection Laws) and/or a European Commission finding of adequacy.

6.4 The following terms shall apply to the clauses set out in the SCCs:

(a) Customer may exercise its right of audit under clause 5.1(f) of the SCCs as set out in, and subject to the requirements of, clause 5.2 of this DPA; and

(b) Exiger may appoint sub-processors as set out, and subject to the requirements of, clauses 4 and 6.3 of this DPA.

7. General

7.1 If Customer determines that a Data Breach with respect to its Personal Data requires notification to any supervisory authority and/or data subjects and/or the public or portions of the public, Customer will notify Exiger before the communication is made and supply Exiger with copies of any written documentation to be filed with the supervisory authority and of any notification Customer proposes to make (whether to any supervisory authority, data subjects, and/or the public or portions of the public) which references Exiger, its security measures, and/or role in the Security Breach, whether or not by name. Subject to Customer’s compliance with any mandatory notification deadlines under the EU Data Protection Laws, Customer will consult with Exiger in good faith and take account of any clarifications or corrections Exiger reasonably requests to such notifications that are consistent with the EU Data Protection Laws.

7.2 This DPA is without prejudice to the rights and obligations of the parties under the Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail insofar as the subject matter concerns the Processing of Personal Data. In the event of any conflict between the terms of this DPA or the Agreement and the terms of the SCCs, the terms of the SCCs shall prevail.

7.3 To the extent allowed by law, Exiger’s liability to Customer and to each member of Customer Group (taken together) under or in connection with this DPA (including under the standard contractual clauses set out in the SCCs) shall be subject to the same limitations and exclusions of liability as apply under the Agreement as if that liability arose under the Agreement.

7.4 This DPA sets out all of the terms that have been agreed between the parties in relation to the subjects covered by it. Other than with respect to statements made fraudulently, no other representations or terms shall apply or form part of this DPA.

7.5 A person who is not a party to this DPA shall not have any rights to enforce this DPA including (where applicable) under the Contracts (Rights of Third Parties) Act 1999 of the United Kingdom.

7.6 Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

7.7 Without prejudice to clause 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the SCCs, this DPA shall be governed by and construed in accordance with the laws of the country or territory stipulated for this purpose in the Agreement and each of the parties agrees to submit to the Choice of jurisdiction as stipulated in the Agreement in respect of any claim or matter arising under this DPA.

7.8 Other than with respect to any accrued liabilities of either party and the provisions of clauses 1, 2, and 7, this DPA shall terminate automatically on the expiry or termination for whatever reason of the Agreement.

7.9 To the extent that other jurisdictions in which Exiger provides services already have or hereafter adopt laws that are similar to GDPR, this DPA shall be interpreted in a reasonable manner to apply to such other jurisdictions and their laws and regulations to the extent reasonably applicable.

Attachment 1 to the Data Processing Exhibit

Standard Contractual Clauses

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

Name of the data exporting organisation: Customer named in the executed contract

Address: as provided in the executed contract

And

Name of the data importing organisation: Exiger entity named in the executed contract, on behalf of itself and its affiliates

Address: c/o Exiger LLC, 1675 Broadway, 15th Floor, New York, NY 10019, USA

Tel.: 212.455.9400; fax: N/A; e-mail: data.protection@exiger.com

Other information needed to identify the organisation: N/A

EACH ABOVE “PARTY”, TOGETHER “THE PARTIES”, HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer of personal data by the data exporter to the data importer specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

(a) ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

(b) ‘the data exporter’ means the entity who transfers the personal data;

(c) ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of EU Data Protection Laws 95/46/EC;

(d) ‘the subprocessor’ means any processor engaged by the data importer or by any other subprocessor of the data importer who agrees to receive from the data importer or from any other subprocessor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;

(e) ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established; and

(f) ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.

2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.

3. The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

(a) that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;

(b) that it has instructed and throughout the duration of the personal data processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;

(c) that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;

(d) that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;

(e) that it will ensure compliance with the security measures;

(f) that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of EU Data Protection Laws 95/46/EC;

(g) to forward any notification received from the data importer or any subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;

(h) to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;

(i) that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a subprocessor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and

(j) that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

(a) to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(b) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;

(c) that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;

(d) that it will promptly notify the data exporter about:

(i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation,

(ii) any accidental or unauthorised access, and

(iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

(e) to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;

(f) at the request of the data exporter to submit its data processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;

(g) to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;

(h) that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;

(i) that the processing services by the subprocessor will be carried out in accordance with Clause 11;

(j) to send promptly a copy of any subprocessor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

1.        The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or subprocessor is entitled to receive compensation from the data exporter for the damage suffered.

2.        If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his subprocessor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity.

The data importer may not rely on a breach by a subprocessor of its obligations in order to avoid its own liabilities.

3.        If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the subprocessor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the subprocessor agrees that the data subject may issue a claim against the data subprocessor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the subprocessor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

1.        The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

(a)         to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

(b)         to refer the dispute to the courts in the Member State in which the data exporter is established.

2.        The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

1.        The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.

2.        The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any subprocessor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.

3.        The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any subprocessor preventing the conduct of an audit of the data importer, or any subprocessor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5 (b).

Clause 9

Governing Law

The Clauses shall be governed by the law of the country of establishment of the data exporter.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Subprocessing

1.        The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the subprocessor which imposes the same obligations on the subprocessor as are imposed on the data importer under the Clauses. Where the subprocessor fails to fulfill its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the subprocessor’s obligations under such agreement.

2.        The prior written contract between the data importer and the subprocessor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the subprocessor shall be limited to its own processing operations under the Clauses.

3.        The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.

4.        The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data processing services

1.        The parties agree that on the termination of the provision of data processing services, the data importer and the subprocessor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.

2.        The data importer and the subprocessor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data processing facilities for an audit of the measures referred to in paragraph

This agreement has been entered into on the date stated in the Agreement.

Appendix 1 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

The Customer named in the executed Agreement, which wishes to receive the services defined in the Agreement.

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

The Exiger entity named in the executed Agreement, which provides the services defined in the Agreement.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

The data subjects are the data targets of the data exporter and its affiliates. The data subjects may be existing or prospective clients and/or vendors of the data exporter and its affiliates located in the EEA, Switzerland, and/or UK, and individuals who are employees, principals, agents, or representatives of, or otherwise affiliated or associated with, individual or institutional clients and/or vendors, or prospective clients and/or vendors, of the data exporter and its affiliates in the EEA, Switzerland, and/or UK.

Categories of data

The personal data transferred concern the following categories of data (please specify):

name, address, date of birth, company employment, professional experience and affiliations, wealth data, Social Security Number, Tax ID number, passport number, or other government-issued identification number or code, and such other data that may be transferred from the data exporter to the data importer for the purposes of performing the services pursuant to the executed contract.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

With the processing of media sources, data regarding criminal prosecution of data subjects may be processed and evaluated in the risk assessment.

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

The subject matter of processing: to create due diligence and/or vetting reports for regulatory purposes. The nature and purpose of processing: processing open web sources and selected data bases to extract due diligence information. The duration of processing: the processing shall continue until the earliest of (i) expiry/termination of the Agreement or (ii) the date upon which processing is no longer necessary for the purposes of either party performing its obligations under the Agreement (to the extent applicable).

Appendix 2 to the Standard Contractual Clauses

This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

The data importer will undertake appropriate technical and organizational measures to protect against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The measures to be taken should take into account available technology and the cost of implementing the specific measures, and must ensure a level of security appropriate to the harm that might result from a breach of security and the nature of the data to be protected.

Appropriate measures must include, without limitation, the following:

  1. Adopting and implementing data importer’s policies and standards related to security;
  2. Assigning responsibility for information security management;
  3. Devoting adequate personnel resources to information security;
  4. Requiring employees, vendors and others with access to personal data to enter into signed confidentiality agreements;
  5. Conducting training to make employees aware of information security risks and to enhance compliance with the data importer’s policies and standards related to data protection;
  6. Preventing unauthorized access to personal data through the use, as appropriate, of physical and logical (password) entry controls, secure areas for data processing, procedures for monitoring the use of data processing facilities, and built-in system audit trails;
  7. Protecting data maintained in online systems through the use, as appropriate, of secure passwords, network intrusion detection technology, encryption and authentication technology, secure log-on procedures, and virus protection;
  8. Monitoring compliance with the data importer’s policies and standards related to data protection on an ongoing basis;
  9. Complying with all of the provisions of the Agreement relating to security which provisions shall take precedence over this Appendix 2 in the event of any conflict or inconsistency; and
  10. Taking such other steps as may be appropriate under the circumstances.