3Aware® EU-U.S. Data Privacy Framework (EU-U.S. DPF) Notice
3Aware® EU-U.S. Data Privacy Framework (EU-U.S. DPF) Notice, effective as of August 19, 2024
3Aware, Inc. ("3Aware", "us", "our" or "we") is committed to protecting the privacy of individuals who visit the 3Aware Web sites ("Visitors") and individuals associated with organizations who register to use the Services as defined below ("Customers"). This Privacy Policy (the "Statement") describes 3Aware's privacy practices in relation to the use of 3Aware's public Web site ( https://3aware.ai/.), other 3Aware Web sites made available from time to time, and applications and services offered by 3Aware (collectively, the "Services").
This notice outlines our general policy and practices for implementing the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF (collectively, DFF Principles). If there is any conflict between the terms in this notice and the EU-U.S. DPF, the DFF Principles will govern. For the purposes of this notice, "personal data" refers to any personally identifiable information that we receive in the U.S. from the European Economic Area (EEA) and/or the United Kingdom "Sensitive personal data" is a subcategory of "personal data" and is defined as personal data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or the sex life of the individual.
For more information on how 3Aware generally collects and maintains personal data, and to review our policies regarding data privacy and security, please access the 3Aware Privacy Policy at Privacy Policy.
Data Processing
3Aware is a data processor on behalf of its Customers. We provide services to our Customers to use to operate aspects of their businesses. 3Aware may process Data our Customers submit to our Services or instruct us to process the Data on their behalf. 3Aware' Customers are data controllers and decide what Data to submit.
Types of Personal Data Collected and Purposes for Using and Disclosing Personal Data
To provide Services to our Customers, 3Aware collects personal data that includes, but is not limited to, (1) first and last names; (2) email addresses; (3) telephone numbers; and (4) mailing addresses. 3Aware processes Data submitted by Customers for various purposes, including, but not limited to: (1) providing 3Aware' online Services to our Customers and (2) marketing our products and services to our Customers. To fulfill these purposes, 3Aware may access the Data to provide the Services, to correct and address technical or service problems, to follow the instructions of the Customer who submitted the Data, or to fulfill contractual requirements. Please be aware that in rare situations, it may be necessary disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF
3Aware complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. 3Aware has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Choice to Limit Use and Disclosure of Personal Data
We recognize that EEA and/or United Kingdom individuals have the right to limit the use and disclosure of their personal data, and 3Aware is committed to respecting those rights. We offer individuals the opportunity to opt-out of disclosures of personal data to a third party or the use of personal data for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individual. We will comply with the DFF Principles with respect to disclosures of personal data including, when applicable, obtaining the explicit consent (i.e., opt-in consent by way of our Customers) of the individual prior to disclosing personal data to a third party or using personal data for purposes other than those for which it was originally collected or subsequently authorized by the individual.
Accountability for Onward Transfers of Personal Data to Third Parties
We are potentially liable in cases of onward transfers of personal information to third parties, such as when third parties that act as agents on our behalf process personal information in a manner inconsistent with the DFF Principles. 3Aware uses a limited number of third-party service providers to assist us in providing our Services to Customers. These third parties may access, process, or store personal data in the course of providing their services. 3Aware maintains contracts with these third parties to ensure that they provide the same level of privacy protection as is required by the DFF Principles and to restrict their access, use and disclosure of personal data in compliance with our DFF Principles obligations. We also transfer personal data to our third party agents, such as: infrastructure as a service providers and vulnerability testing providers.
Right to Access Personal Data
3Aware recognizes that EEA and United Kingdom individuals have the right to access personal data about them, and to limit use and disclosure of their personal data and 3Aware is committed to respect this right. Individuals also have the right to obtain our confirmation of whether we maintain personal data relating to you. Further, 3Aware will also enable you to correct, amend or delete personal data related to you in our possession and control that is inaccurate or incomplete. Your right to access your personal data may be restricted in exceptional circumstances, including, but not limited to, when the burden or expense of providing this access would be disproportionate to the risks to your privacy in the case in question, or where the rights of persons other than you would be violated by the provision of such access. If 3Aware determines that your access should be restricted in a particular instance, we will provide you with an explanation of our determination and respond to any inquiries you may have.
Because 3Aware personnel have limited ability to access the data our Customers submit to our Services, individuals who wish to request access, to limit use, or to limit disclosure of his/her Data must provide the name of the 3Aware Customer who submitted his or her Data to the Service(s). 3Aware will contact the Customer with your request and will support the Customer as needed in responding to your request. To request to access, correct, amend, or delete personal data, please contact 3Aware at privacy@3aware.ai.
Recourse, Enforcement, and Liability
In compliance with the DFF Principles, 3Aware commits to resolve DPF Principles-related complaints about our collection and use of your personal information. 3Aware is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) and, under certain conditions, you may be required to invoke binding arbitration. You are required to disclose personal information in response to lawful requests.
EEA and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact 3Aware at:
3Aware, Inc.
6100 Technology Center Drive
Indianapolis, IN 46278
Phone: 317.799.0457
privacy@3aware.ai
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, 3Aware commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to ICDR/AAA, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of ICDR/AAA are provided at no cost to you.