To European Union Residents
Quovant processes your personal data in accordance with the EU data protection legislation, including national or international legislation implementing the EU Data Protection Directive (until superseded), the Privacy in Electronic Communications (“ePrivacy”) Directive (EU), and the General Data Protection Regulation (EU) 2016/679 (“GDPR”), as amended or superseded.
Please read this Policy carefully and contact Quovant if you have any questions about our privacy practices or your personal information choices. It is important that you check back often for updates to this Policy. If we make changes we consider to be important, we will let you know by placing a notice on the relevant Services and/or contacting you using other methods such as email.
This Policy was last updated on May 24, 2018.
Our mission is to provide legal spend and matter management software and services to corporate legal, risk and claims professionals using best reasonable practices with respect to security, availability, processing integrity and confidentiality. The SOC 2 and SOC 3 engagement reports clearly demonstrate that data security and privacy are of fundamental importance to Quovant.
The following principles and related criteria have been developed by the American Institute of CPAs (AICPA) and the Canadian Institute of Chartered Accountants (CICA) for use by practitioners in the performance of trust services engagements:
- Security. The system is protected against unauthorized access (both physical and logical).
- Availability. The system is available for operation and use as committed or agreed.
- Processing integrity. System processing is complete, accurate, timely and authorized.
- Confidentiality. Information designated as confidential is protected as committed or agreed.
- Privacy. Personal information is collected, used, retained, disclosed and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.
SOC 2 reports focus on controls that do not impact the internal controls over financial reporting, but are instead relevant to the security, availability, or processing integrity of a system or the confidentiality or privacy of the information processed. SOC 3 reports are designed to meet the needs of users who want assurance on the controls at a service organization related to security, availability, or processing integrity of a system. Together, these SOC reports represent the next generation of AICPA standards for reporting on controls over security and availability at service organizations in the United States.
Quovant is committed to the responsible handling and protection of personal information.
Personal information means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.
The types of personal information we collect
We collect personal information from you, for example, if you register for a User Account, register for an event, retain or use our Services, or request customer support or information. We may ask you to provide information such as your name, email address, business address and phone number. Not all of the personal information Quovant holds about you will always come directly from you. It may, for example, come from your employer, or your client, if they use our Services. We also collect personal information from publicly available websites, to help us maintain data accuracy and provide and enhance the Services.
Occasionally, in the course of providing services to our clients, we collect and process what may be considered sensitive personal information.
Sensitive personal information is a subset of personal information and may generally be defined as any information related to racial/ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, and other medical information including biometric and genetic data, or sexual life or preferences. In some instances, sensitive personal information may also include criminal allegations or convictions, precise geolocation information, financial and bank account numbers, or other unique identifiers, such as government-issued social security numbers, or other identifiers.
How we use personal information
We process personal information for these Services and business-related purposes:
- Account setup and administration: We use personal information such as your name, email address, phone number, and company name. We will use such information for purposes related to the Services (including providing support, sending notices about maintenance downtime schedules and other administrative matters, or other matters pertinent to the Services). Applications for the User Account will be reviewed to determine if the user is a member of a client or law firm in good standing. Approvals and login information will be sent to users via e-mail.
- Surveys and polls: If you choose to participate in a survey or poll, any personal information you provide may be used for marketing or market research purposes.
- Hosted services: Some of our Services provide document storage as an integral part of the product or solution offering. Documents stored by our customers may contain personal information in business and personal tax forms, payroll and financial data, and legal and litigation-related documents, for example. Any information stored by or on behalf of our customers is controlled and managed by and only made accessible to those customers or parties our customers may authorize from time to time. Our access to this information is limited to Quovant personnel with a critical business reason, such as technical support. Please see below to learn more about where we process and store information.
- Legal obligations: We may be required to use and retain personal information for legal and compliance reasons, such as the prevention, detection, or investigation of a crime; loss prevention; or fraud. We may also use personal information to meet our internal and external audit requirements, information security purposes, and as we otherwise believe to be necessary or appropriate: (a) under applicable law, which may include laws outside your country of residence; (b) to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include such authorities outside your country of residence; (c) to enforce our terms and conditions; and (d) to protect our rights, privacy, safety, or property, or those of other persons.
When we share personal information
Quovant shares or discloses personal information when necessary to provide Services or conduct our business operations as described herein. When we share personal information, we do so in accordance with data privacy and security requirements. We may occasionally share non-personal, anonymized, or de-identified, and statistical data with third parties. Below are the parties with whom we may share personal information and why.
- Within Quovant: Personal information will be made available to internal Quovant teams if necessary for the provision of Services, account administration, sales and marketing, customer and technical support, and business and product development, for instance. All of our employees and contractors are required to follow our data privacy and security policies when handling personal information. Personal data is processed at the Quovant office in Nashville, Tennessee, USA.
- Our third-party service providers: We partner with and are supported by service providers. Personal information will be made available to these parties only when necessary to fulfill the services they provide to us, such as software, system, and platform support; cloud hosting services; data analytics; and fulfillment of services. Our third-party service providers are not permitted to share or use personal information we make available to them for any other purpose than to provide services to us.
- Third parties for legal reasons: We will share personal information when we believe it is required, such as:
  - To comply with legal obligations and respond to requests from government agencies, including law enforcement and other public authorities, which may include such authorities outside your country of residence.
  - In the event of a merger, sale, restructure, acquisition, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings).
  - To protect our rights, users, systems, and Services.
Where we store and process personal information
We collaborate with third parties such as cloud hosting services, suppliers, and technology support to serve the needs of our business, workforce, and customers. We take appropriate steps to ensure that personal information is processed and secured according to applicable law.
How we secure personal information
Quovant takes data security seriously, and we use appropriate technologies and procedures to protect personal information. Our information security policies and procedures are closely aligned with widely accepted international standards and are reviewed regularly and updated as necessary to meet our business needs, changes in technology, and regulatory requirements.
- Policies and procedures
  - We have measures in place to protect against accidental loss and unauthorized access, use, destruction, or disclosure of data
  - We have a Business Continuity and Disaster Recovery strategy that is designed to safeguard the continuity of our service to our clients and to protect our people and assets
  - We place appropriate restrictions on access to personal information
  - We implement appropriate measures and controls, including monitoring and physical measures, to store and transfer data securely
  - We conduct Privacy Impact Assessments in accordance with legal requirements and our business policies
- Training for employees and contractors
  - We require privacy, information security, and other applicable training on a regular basis for our employees and contractors who have access to personal information and other sensitive data
  - We take steps to ensure that our employees and contractors operate in accordance with our information security policies and procedures and any applicable contractual conditions
- Vendor risk management
  - We require, through the use of contracts and security reviews, our third-party vendors and providers to protect any personal information with which they are entrusted in accordance with our security policies and procedures
How long we keep personal information
Quovant implements policies and rules relating to the retention of personal information. We retain personal information for as long as we reasonably require it for legal or business purposes. In determining data retention periods, Quovant takes into consideration local laws, contractual obligations, and the expectations and requirements of our customers. When we no longer need personal information, we securely delete or destroy it.
Your right to access and correct your personal information
We respect your right to access and control your information, and we will respond to requests for information and, where applicable, will correct, amend, or delete your personal information.
- Access to personal information: If you request access to your personal information, we will gladly comply, subject to any relevant legal requirements and exemptions, including identity verification procedures. Before providing data to you, we will ask for proof of identity and sufficient information about your interaction with us so that we can locate any relevant data.
- Correction and deletion: In some jurisdictions, you have the right to correct or amend your personal information if it is inaccurate or requires updating. You may also have the right to request deletion of your personal information; however, this may not always be possible due to legal requirements and other obligations and factors. Remember that you can update your account information by using the “Contact Us” option within the relevant Service or through your User Profile in Quovant’s secured web portal.
- Filing a complaint: If you are not satisfied with how Quovant manages your personal data, you have the right to make a complaint to a data protection regulator. A list of National Data Protection Authorities can be found here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.
Please contact Quovant’s Privacy Officer with any requests related to your personal information.
You should keep in mind that Internet transmissions (including emails) are never 100% secure or error-free. As such, you should take steps to protect yourself, especially online, and take special care in deciding what information you send to us via e-mail or other transmissions. Moreover, where you use passwords, ID numbers, or other special access features on this site, it is your responsibility to safeguard them. You should choose a strong password, not reuse a password that you use on other sites, and not share your password with anyone else. Also remember to sign out of our website and close your browser window when you have finished, to ensure that others who may have access to your computer cannot access your personal data.
Quovant provides information solutions for professionals, and our Services are not aimed at children.
How to contact us
We understand that you may have questions or concerns about this Policy or our privacy practices or may wish to file a complaint. Please feel free to contact us:
Quovant Data Protection
Address: 696 Melrose Avenue, Nashville, Tennessee, U.S.A.
Attn: Quovant Privacy and Security Officer