An Unwavering Commitment to Protecting Your Privacy

Updated Privacy Policy- May 2018

Flexible Technology Solutions (“FlexTecs”)

 

Flexible Technology Solutions is committed to respecting and protecting the privacy of individuals with whom we come into contact. We believe in protecting the rights of the individual to the privacy of their Personal Information.

As part of our continuous updating and strengthening of our privacy protection measures and compliance with evolving regulatory standards around the world, we have updated our privacy policy.  This policy outlines our function as a Processor of our clients’ data, the extremely limited level of exposure we encounter to Personal or Sensitive Personal data, and the significant measures we take to ensure protection of any personal data provided by our clients to FlexTecs.

What do we do for our clients and what data do we receive?

Flexible Technology Solutions collects and processes transactional client business to business data to help us improve our clients’ financial performance by various means.  We are primarily recovery auditors and recovery audit technology providers who process procurement-to-payment transactional information (i.e. accounts payable data, vendor file information, promotions, merchandise line item/product data, supply chain/logistics data, etc.) to identify client overpayments or missed vendor income.

As a “Processor” of data on behalf of our clients, Flexible Technology Solutions maintains appropriate information security controls to protect any Personal Information and will only access, analyse, or transfer this information as lawfully instructed by our client. In each case of data access, analysis, or transfer, we have been contractually committed by a client (“Controller” under GDPR) to process specific client business data files under agreed upon appropriate security measures, model clauses, and/or other appropriate written authorizations.

FlexTecs does not collect Personal or Sensitive Personal data in order to perform our services (our role as a “Processor”).  However, there may be occasions where we inadvertently receive personal information embedded in client-supplied data such as the supplier master file and client email communication.  In these minority share of cases we effort to filter out and securely destroy Personal information and any data irrelevant to the business to business transaction functions that we serve.

In addition, FlexTecs will come into possession of limited amounts of Personal Information through routine correspondence such as email communications and portal correspondence. In all cases, we take all necessary and appropriate steps to secure all data in line with what is required for Personal and Sensitive Personal information, to ensure that we limit exposure for the individual and we that we are in compliance with all GDPR and SOC obligations for commercial data Processors.

We validate and continuously test that appropriate technical, administrative, and physical controls are in place to protect any Personal Information. We ensure that reasonable controls are in place to enforce confidentiality, limit use, and ensure proper disposal and retention of Personal Information.

For purposes of our Privacy Notice, we define Personal and Sensitive Personal Data as follows:

  • Personal Information(“Personal Information”) is information that pertains to or is about any individual, and can be linked to or used to identify that individual, and with respect to information originating from the EU, “Personal Information” is any information relating to an identified or identifiable natural person, as defined under the General Data Protection Regulation (“GDPR”).
  • Sensitive Personal Information(“Sensitive Personal Information”) means Personal Information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership or that concerns health.

Data Storage and International Data Transfers

FlexTecs, unless otherwise prohibited by law and/or client contractual requirements, will receive and process client data in one of, or both of, the following ways.  In some cases, FlexTecs is contractually required to store data in both ways to meet client-mandated redundancy and business continuity requirements.

  • US-based secured cloud storage – highly-secured, US-EU Privacy Shield standard, SOC1 certified facility
  • EU-based secured cloud storage – highly-secured, GDPR-compliant storage within European Economic Area (“EEA”)

In each case of receipt of data, FlexTecs adheres to contractually-obligated data storage, security, and confidentiality measures.  In addition, FlexTecs maintains and continuously enhances controls in adherence our own SOC certification requirements and new requirements under GDPR. We are committed to protecting the privacy, confidentiality, and security of the data that is provided to us, including Personal Information, through a combination of technical, physical and administrative measures, controls, including internal policies, practices and procedures.

What are my Rights and Protections regarding my Personal Information and Sensitive Personal Information?

Although FlexTecs does not intentionally collect and process Personal or Sensitive Personal Information as part of delivery of our services, we adhere to the highest global standards of data and privacy protection including the required principles of GDPR effective May 2018 and those of EU-US Privacy Shield certification.  These standards include:

  • Reasonable and Diligent Measures to Protect Your Privacy. FlexTecs values individual’s privacy and holds the security and proper care in handling individuals’ data as a top priority. FlexTecs maintains a relentless focus on InfoSec, Business Continuity, and global privacy standards.  We maintain and continuously upgrade our physical, organizational, and technical controls and protocols to provide reasonable assurances that all data is protected.  Additional details regarding our highly secured data storage infrastructure, advanced access and authentication controls, business continuity measure, and global compliance protocols are available upon request.
  • “Opt-in” Provisions. As a Processor of data on behalf of our clients, FlexTecs accepts data in accordance with explicit contractual obligations and assurances regards what data we are to accept, the approved usage(s), storage and confidentiality requirements, and regulatory compliance requirements.  For internal data, FlexTecs (as a “Controller” of selected individual Personal Information for employees and former employees) provides individuals with clear instructions regarding their rights, data utilization, safeguard measures, and opt out options.
  • Clear Disclosure and Transparency of Utilization of Data. As a Processor of data on behalf of our clients, FlexTecs adheres to strict guideline regarding data received, usage and InfoSec.  As a Controller of HR data for our employees, FlexTecs accepts and protects only essential “opt-in” data required by law and company published and mutually approved handbook(s).
  • Right to Erasure. FlexTecs retains data in line with personal consent, contractual and legal obligations.  Our infrastructure and technology platform ensures that we are able to comply, in a timely manner with all client and individual requests for erasure of data.  Furthermore, FlexTecs proactively and securely filters and disposes of any data that is unnecessary for our contractually obligated and legally authorized completion of our work.
  • Notifications and Timely Response to Any Queries. FlexTecs commits to prompt responsiveness to any queries or requests related to Personal or Sensitive Personal information.  These requests and queries may include but are not limited to restrictions, objections, erasures/opt-outs, and explanations of usage. FlexTecs will continue to provide responses, notifications, and follow-through in line with the standards required for client-level SLAs, GDPR, SOC, and EU-US Privacy Shield.
  • Independent Dispute Resolution and Subject to Investigative Authority of FTC and EU Information Commission. FlexTecs commits to independent dispute resolution and investigative compliance in line with EU-US Privacy Shield Standards and GDPR requirements as of 25 May 2018.