Safe Harbor Privacy Policy

Overview

Esker, Inc. ("Esker"), a subsidiary of Esker, S.A., is a recognized leader in helping organizations eliminate manual processes, gain process visibility and control, and reduce the use of paper by automating the flow of documents into, within, and out of an organization. Esker respects individual privacy and values the confidence of its customers, employees, consumers, business partners, and others. Not only does Esker strive to collect, use, and disclose Personal Information in a manner consistent with the laws of the countries in which it does business, but it also has a tradition of upholding the highest ethical standards in its business practices. This Safe Harbor Privacy Policy (“Policy”) sets forth the privacy principles Esker follows with respect to transfers of Personal Information from the European Economic Area (“EEA”) (which includes the twenty-seven member states of the European Union (“EU”) plus Iceland, Liechtenstein and Norway) and from Switzerland to the United States.

This Policy applies to Esker’s Offline Practices, the Esker On Demand, FlyDoc, and TermSync Platforms (collectively the “Services”), the software that is downloadable through the Services-in particular the Esker Loader, On Demand Printer, and VSI-FAX Server, and the Esker websites www.esker.com, www.eskerondemand.com, www.flydoc.com, and ww2.termsync.com (“Esker Websites”) that are directly linked to this Policy. If you visit the Esker Websites and you elect to register to use the Services or provide Esker with Personal Information, you authorize Esker to collect and use such Personal Information as set forth in this Policy. If you register and use the Services from Esker, Esker’s collection and use your Personal Information shall be limited to the purpose of providing the Services for which you have engaged Esker for. All data collected on the Esker Websites is owned by Esker. Personal Information collected through the Services is owned by you.

Furthermore, Esker is a software company offering the Services. When you use the Services, Esker may receive personal information controlled by you about your customer’s customers, clients, employees or others, and process that Personal Information at your direction. Personal Information collected pursuant to the previous sentence is held by Esker (and agents authorized to do so by Esker) for differing purposes depending upon the particular service transports or business processes selected by you. Such service transports and business processes include but not limited to one or more of the following: Postal Mail, Inbound Fax, Outbound Fax, Electronic Mail, Short Message Service, Purchasing Automation Processing, Accounts Payable, Accounts Receivable, or Sales Order Processing. You may also elect to archive your documents.

Definitions

For purposes of this Policy, the following definitions shall apply:

1. “Agent” means any third party that collects or uses personal information under the instructions of, and solely for, Esker or to which Esker discloses personal information for use on Esker’s behalf.
2. “Customer Relationship” means Customers who utilize the Esker websites www.esker.com, www.eskerondemand.com, www.flydoc.com, ww2.termsync.com, the Services, and the software that is downloadable through the Services-in particular the Esker Loader, On Demand Printer, and VSI-FAX Server; and provided Esker with data that has been collected from your customers’. Esker is the data processor of your customers’ data and not the data controller.
3. “Esker Websites” means www.esker.com, www.eskerondemand.com, www.flydoc.com, and ww2.termsync.com that are directly linked to this Policy.
4. “Personal Information” means any information or set of information that identifies or could be used by or on behalf of Esker to identify you. Personal Information may include, for example, name, signature, employee identification number, social security number, telephone number, insurance policy number, job title, financial information, account numbers, passwords, or any other information that is capable of being associated with you. Personal Information does not include aggregate data that has been divorced from identifiable characteristics.
5. “Sensitive Personal Information” is a subset of Personal Information and includes information pertaining to your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, information related to an individual’s health or sex life, as well as biometric identifiers, such as finger and voiceprints, and information as to commission or alleged commission of a criminal offense or any related proceedings.

Safe Harbor

The United States Department of Commerce and the European Commission have agreed on a set of data protection principles and frequently asked questions to enable United States companies to satisfy the requirement under EU law that adequate protection be given to Personal Information transferred from the EEA to the United States (the "U.S.-EU Safe Harbor"). The United States Department of Commerce and the Federal Data Protection and Information Commissioner of Switzerland (“FDPIC”) have agreed on a similar set of principles and frequently asked questions to enable United States companies to satisfy the requirement under Swiss law that adequate protection be given to Personal Information transferred from Switzerland to the United States (the “U.S.-Swiss Safe Harbor”). Consistent with its commitment to protect personal privacy, Esker complies with the U.S.-EU Safe Harbor as set forth by the United States Department of Commerce and the U.S.-Swiss Safe Harbor (collectively the “Safe Harbor Principles”) regarding the collection, use, and retention of Personal Information from the EU/Switzerland. Additional information on the U.S.-EU Safe Harbor Framework can be found at the U.S. Department of Commerce’s website at http://export.gov/safeharbor/. Esker is subject to the jurisdiction of the United States Federal Trade Commission. The Federal Trade Commission may be contacted at the following address:

Federal Trade Commission 
Attn: Consumer Response Center
600 Pennsylvania Avenue NW
Washington, DC 20580
www.ftc.gov  

Scope

This Policy sets forth the seven privacy principles, which have been developed based on the Safe Harbor Principles, under which Esker manages the processing of Personal Information collected offline, manually, Human Resources, online, and the data collected through the Services provided to you, for which Esker is the data processor in the EEA, Switzerland, and other countries that are part of the European Union, and subsequently transferred to the United States. Adherence by Esker to the seven privacy principles may be limited: (a) to the extent required to respond to a legal or ethical obligation; (b) to the extent necessary to meet national security, public interest, or law enforcement obligations; and (c) to the extent expressly permitted by an applicable law such as to comply with a subpoena, rule, or regulation.

Privacy Principles

Principle 1: Notice. When Esker collects Personal Information directly from you online in the EEA, it will inform you about the purposes for which it collects and uses Personal Information about you, the types of non–agent third parties to which Esker discloses that Personal Information, the choices and means, if any, Esker offers you for limiting the use and disclosure of Personal Information about you, and how to contact Esker. Notice will be provided in clear, conspicuous, and accurate language when you are first asked to provide Personal Information to Esker, or as soon as practicable thereafter, and in any event before Esker uses or discloses the information for a purpose other than that for which it was originally collected. Where Esker receives Personal Information from its parent company, subsidiaries, affiliates, or other entities in the EEA, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such Personal Information relates.

When you use the Services, Esker operates under the assumption that it is your obligation as data controller to notify your customers about the purposes for which Esker collects and uses Personal Information about them, how your customers can contact Esker with any inquiries or complaints, the types of agents to which Esker discloses your customer’s Personal Information, and the choices and means offered for limiting Esker’s use and disclosure. As the data processor, Esker makes available to you this Policy so that you can better understand Esker’s data practices and whether they are consistent with privacy notices you make available to your customers.

When Personal Information is collected. The following are examples of when Esker collects Personal Information (these are only examples and are not an all-encompassing list of when Personal Information is collected): (a) create a user account to become a member of the Esker Websites or create an account to use the Services; (b) make online purchases; (c) register products online; (d) request technical support, or professional services for an Esker product; (e) register for webcasts; (f) request information or materials (e.g., whitepapers); (g) participate in surveys and evaluations; (h) participate in promotions, contests, giveaways, or online chats; (i) submit questions or comments to Esker; (j) attend conventions, trade shows, and expositions; and (k) when you are a new hire during Esker’s new hire applicant process, Personal Information may be used solely to evaluate you as a candidate for employment. In such instances, you may be requested to provide information such as educational background, employment experience, and job interest. Esker may also collect demographic information, such as your age, gender, interests, and preferences. Forms that may be necessary for you to complete will indicate whether information requested is mandatory or voluntary.

Types of Personal Information Collected. The types of Personal Information which may be collected include but are not limited to the following: (a) your first and last name; (b) your title and your company's name; (c) your home, billing, or other physical address (including street name, name of a city or town, state/province); (d) your e-mail address; (e) your telephone number; (f) your fax number; (g) any other identifier that permits Esker to make physical or online contact with you; and (h) any information that Esker collects online from you and maintains in association with your account, such as your Esker username and password.

Using Your Personal Information. Esker uses the Personal Information you provide to: (a) create and maintain your accounts; (b) process, fulfill, and follow-up on your orders; (c) register your products; (d) answer your questions; (e) register you in programs (per your request); and (f) send you surveys and information. Esker also uses your Personal Information to provide you with information related to your account and the products or services you purchased from Esker, to better understand your needs and interests, to improve Esker’s service, and to personalize communications. Any other information transferred by you in connection with its visit to the Esker Websites-that is information that cannot be used to identify you-may be included in databases owned and maintained by Esker or its agents. Esker retains all rights to these databases and the information contained in them.

Esker’s Agents. Esker may provide Personal Information to agents who provide services such as information processing, extending credit, fulfilling orders, delivering products to you, managing and enhancing your data, providing customer service, assessing your interest in Esker products and services, and conducting research or satisfaction surveys. These companies are obligated to protect your Personal Information and may be located wherever Esker operates.

Internet Protocol (“IP”) Addresses. An IP Address is a number assigned to your computer by your internet service provider so that you can access the internet. Generally, an IP Address changes each time you connect to the internet. However, if you have a broadband connection, depending on the circumstances, it is possible that the IP Address that Esker collects, or even perhaps a cookie Esker uses, may contain Personal Information that could be deemed identifiable. This is because with some broadband connections your IP Address doesn’t change and could be associated with your personal computer. Esker uses your IP Address to report aggregate information on use and to help improve the Esker Websites.

Esker Blogs/Community Forums. Esker Websites offer publicly accessible blogs or community forums such as blog.esker.com and ww2.termsync.com/blog. You should be aware that any Personal Information you provide in these areas may be read, collected, and used by others who access them. Esker shall not be responsible or liable for the Personal Information you choose to submit in these forums. To request removal of your Personal Information from our blog or community forum, contact Esker at usprivacy@esker.com. In some cases, Esker may not be able to remove your Personal Information, in which case Esker will let you know if it is unable to do so and why.

Esker Newsletters and Marketing E-mails. Esker may use your Personal Information to send you newsletters and/or marketing e-mails. You may choose to stop receiving Esker’s newsletter or marketing emails by following the unsubscribe instructions included in the emails or by contacting Esker at usprivacy@esker.com.

Postings on the Esker Websites. Esker posts your testimonials/comments/reviews on the Esker Websites which may contain Personal Information. Esker obtains your consent via email prior to posting the testimonial to post your name along with your testimonial.

Esker Operations. To facilitate Esker’s global operations, Esker may transfer and access data about you from around the world, including the United States and Europe. This Policy shall apply even if Esker transfers data about you to other countries. Esker may provide your Personal Information to a third party in connection with the sale, assignment, or other transfer of the business of the Esker Websites to which the Personal Information relates, in which case Esker will require any such buyer to agree to treat your Personal Information in accordance with this Policy.

Esker E-Invoicing. Depending which of the Services you use, Esker will send to you your invoice as an e-invoice through the Esker Accounts Receivable on Demand Web Portal. When necessary, the e-invoice sent by Esker will be signed electronically by the third party, Trustweaver, and archived electronically as required by applicable laws. You may opt-out of receiving your e-invoice via the Esker Accounts Receivable on Demand Web Portal at any time by contacting Esker at www.esker.com/myinvoices.

Third Party E-Commerce Solutions Provider. Esker’s shopping cart is hosted by its e-commerce solutions provider, who hosts Esker’s ordering system and collects Personal Information and/or Sensitive Personal Information that pertains to billing-such as your credit card number-directly from you for the purpose of processing your order. When you place your order and hit the “payment” box, you are navigated away from the Esker Websites and taken directly to the website of Esker’s e-commerce solutions provider to provide your Personal Information and/or Sensitive Personal Information and complete your order. Esker does not access, use, or store the Personal Information or Sensitive Personal Information that pertains to your billing information. This Policy does not apply to Esker’s e-commerce solutions provider. You should read the privacy statement of Esker’s e-commerce solutions provider with regards to how it accesses, handles, and storage your Personal Information and/or sensitive Personal Information.

Bundled and Rebranded Relationship with Third Parties. Esker may enter into relationships with third parties who bundle the Services with their products or rebrand the Services with their own logo. When Esker enters into these types of relationships Esker will not share your Personal Information with these third parties. This Policy does not apply to the Personal Information collected by these third parties when the Services are bundled with their products or when they rebrand the Services with their own logo. Esker recommends you contact these third parties directly for information on their privacy, security, data collection, and distribution policies.

Third Party Websites. As a convenience to you, the Services and Esker Websites may contain links to a number of other third-party websites that Esker believes may offer useful information. This Policy does not apply to those third party websites. All Personal Information collected on the third-party websites is controlled by that company’s privacy policy. Esker recommends you contact those websites directly for information on their privacy, security, data collection, and distribution policies.

Principle 2: Choice. In the event Personal Information is to be used for a new purpose incompatible with the purposes for which the data was originally collected or subsequently authorized or transferred to the control of a third party that is not acting as an agent of Esker’s, data subjects are given notice of such use and, where feasible and appropriate, an opportunity to decline to have their data so used or transferred. In the event that Sensitive Personal Information is to be used for a new purpose or transferred to the control of a third party not acting as an agent of Esker’s, the data subject’s explicit consent will be obtained prior to the new use or transfer of the data, unless such new use or transfer is: (1) in the vital interests of the data subject or another person; (2) necessary for the establishment of Esker’s legal claims of defenses; (3) required to provide medical care or diagnosis; (4) necessary to carry out Esker’s obligations in the field of employment law; or (5) related to data that are manifestly made public by the data subject. In these cases, data subjects are given notice of such use.

When you use the Services, the U.S.-EU Safe Harbor requires that members offer its customers a choice to opt-out of uses and disclosures of their data that are incompatible with the purposes for which that data was originally collected or subsequently authorized. Esker operates under the assumption that it is generally your obligation as data controller to obtain from your customers the appropriate consent to transfer and process their data to Esker. As your data processor, Esker will not share, sell, rent, or trade with third parties for their marketing purposes any of your data or your customer’s data collected by us, unless you direct us to do so and have the appropriate authorization to do so.

Principle 3: Onward Transfer. Except as described in this Policy, Esker will not share your Personal Information with third parties without your consent. In those instances in which Esker shares Personal Information, Esker will obtain assurances from its agents that they will safeguard Personal Information consistently with this Policy. Examples of appropriate assurances that may be provided by agents include but are not limited to: (a) a contract obligating the agent to provide at least the same level of protection as is required by the relevant Safe Harbor Principles; (b) being subject to EU Directive 95/46/EC (the EU Data Protection Directive); (c) being subject to Swiss Federal Act on Data Protection; (d) Safe Harbor certification by the agent; or (e) being subject to another European Commission or Swiss FDPIC adequacy finding (e.g., companies located in Canada). Where Esker has knowledge that an agent is using or disclosing Personal Information in a manner contrary to this Policy, Esker will take reasonable and appropriate measures to prevent or stop the use or disclosure.

Principle 4: Security. Esker takes reasonable and appropriate physical, technical, and organizational precautions to protect your Personal Information in its possession from loss, misuse, unauthorized access, disclosure, alteration, and destruction. Esker has adopted security and operational policies to protect Personal Information. These policies include technical and organizational security measures, including without limitation, password protections for online information systems, restricted access to Personal Information, and industry standard technical security measures. Specifically, with regards to the Esker Websites, Esker hosts the Esker Websites in a secure server environment that uses firewalls, intrusion detection systems, and other advanced technology to prevent interference or access from outside intruders. Furthermore, Esker uses Secure Socket Layer technology on the Esker Websites to encrypt Personal Information when Personal Information is sent on the Esker Websites. Additionally, Esker annually trains its employees on this Policy, its other internal policies, and makes this Policy available to Esker’s business partners. Esker and its business partners enter into confidentiality agreements which require that care and precautions be taken to prevent loss, misuse, unauthorized access, disclosure, alteration, and destruction of your Personal Information.

Esker will retain the Personal Information for no longer than is necessary for the purposes for which the Personal Information was collected or for which it is to be further processed. In any case a storage period is notified in advance and not expired yet, and you agree on a specific storage period, Personal Information will be stored for the agreed period. Upon the termination of services, Esker discards any record with Personal Information as well as those provided to third parties. (Note: unless otherwise agreed upon between the parties in writing, an actual discard occurs two (2) months after the termination of any service agreement in order to prevent from re-registration during the grace period). If you wish to cancel your account or request that Esker no longer uses your Personal Information to provide you services contact Esker at usprivacy@esker.com. Esker will retain and use your Personal Information as necessary to comply with its legal obligations, resolve disputes, and enforce agreements.

Principle 5: Data Integrity. Esker will use Personal Information only in ways that are compatible with and relevant for the purposes for which it was collected or subsequently authorized by you. Esker takes reasonable and appropriate physical, technical, and organizational measures to ensure that Personal Information is relevant to its intended use, accurate, complete, reliable, and current.

Principle 6: Access. If you utilize either of the Services, you can ensure your contact information and preferences are accurate, complete, and up-to-date by logging in to your account, clicking on the “set-up” link, and accessing the menu items found on the left-hand side. For all Personal Information linked to your billing information, you must contact Esker. Upon request, Esker will grant you reasonable access to Personal Information that Esker holds about you. Esker will also take reasonable measures to permit you to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete, except where the burden or expense of providing access would be disproportionate to the risks to your privacy in the case in question or where the rights or privacy of persons other than you would be violated. Furthermore, the U.S.-EU Safe Harbor requires that data subjects must have access to Personal Information about them that an organization holds, and that they be able to correct, amend, or delete that information where it is inaccurate. Esker operates under the assumption that it is generally your obligation as data controller to provide your clients a means of accessing their data. If you would like your Personal Information deleted, please contact Esker at usprivacy@esker.com. Esker will respond to requests within thirty (30) days of receipt.

Principle 7: Enforcement. Esker has in place internal mechanisms for conducting objective, annual self-assessment compliance audits of its relevant privacy practices to verify adherence to the privacy principles in this Policy. Any employee that Esker determines is in violation of the privacy principles in this Policy will be subject to appropriate corrective actions.

Dispute Resolution

To file a complaint regarding this Policy, you should contact Esker at usprivacy@esker.com. Esker’s General Counsel/Chief Compliance Officer will explain the process to be followed when filing a complaint and will investigate and attempt to resolve complaints and disputes regarding the collection, use, and disclosure of Personal Information by referencing the privacy principles stated in this Policy. For complaints that cannot be resolved, Esker has agreed to participate in the following dispute resolution procedures in the investigation and resolution of complaints to resolve disputes pursuant to the Safe Harbor Principles: (1) For disputes involving all Personal Information received by Esker from Switzerland, Esker has agreed to cooperate with the Swiss FDPIC; and (2) For disputes involving employment-related Personal Information received by Esker from the EEA, Esker has agreed to cooperate with the independent dispute resolution service provided by the Data Protection Authorities in the EEA Page 6 of 6 and to participate in the dispute resolution procedures of the panel established by the European Data Protection Authorities.

Use of Cookies

The Esker Websites use "cookies". A cookie is a small file that an Esker Website may send to your browser. This file is then stored on your hard drive. Cookies cannot be used to run programs or deliver viruses to a computer. The cookie saves information regarding your session and account on the Esker Website, which the browser passes back to the Esker Website's server. Cookies enable Esker to build better websites by recording how and when you use the Esker Websites and to better serve you when you return to the Esker Websites. Cookies are also used to ensure you do not fill out forms on the Esker Websites multiple times. You can set your browser to refuse cookies, however, if you disable the cookies, you will have to use the Esker Websites.

Web Beacons

The Esker Websites contain electronic images known as web beacons (sometimes called single-pixel gifs) which may be used in some of Esker’s emails to let Esker know which emails and links have been opened by recipients. Some of Esker’s business partners also employ web beacons that help it better manage content on the Esker Websites. However, Esker has no access to or control over such web beacons.

Third Party Cookies

The use of cookies by Esker’s business partners, affiliates, or service providers is not covered by this Policy. Esker does not have access or control over those cookies. Esker’s business partners, affiliates, and service providers use session ID cookies to make it easier for you to navigate the Esker Website, in order for a visitor to use the shopping cart, etc.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if the Services are temporarily suspended for maintenance we might send you an email. Generally, users may not opt-out of these communications. These communications are not promotional in nature.

Collection of Children’s Online Personal Information

Esker does not knowingly collect Personal Information from children under the age of thirteen (13) through the Esker Websites. If Esker learns that it has Personal Information on a child under the age of thirteen (13), then that Personal Information will be deleted from Esker’s systems. Children are also restricted from customer registration and buying products/services on the Esker Websites. For tips on protecting children’s privacy online, please view the FTC’s website at http://www.ftc.gov/privacy/privacyinitiatives/childrens.html

Contact Information

Esker will work with you to resolve any concerns you may have about this Policy. To ask questions regarding this Policy or any of Esker’s privacy practices, request the deletion of Personal Information, or issue a complaint, you can contact Esker via email or mail at the following address:

Esker, Inc.
Attn: General Counsel/Chief Compliance Officer
1212 Deming Way, Suite 350
Madison, WI 53717
usprivacy@esker.com

Changes to this Policy

Esker may amend this Policy from time-to-time, consistent with the requirements of the Safe Harbor Principles. When Esker does update this Policy, it will also revise the “Last Updated” date at the bottom of this Policy. Any material changes to this Policy will also be posted at http://www.esker.com/safe-harbor-privacy-policy.asp whenever this Policy is changed in a material way.

Last Updated

June 29, 2016