An Unwavering Commitment to Protecting Your Privacy
Flexible Technology Solutions (“FlexTecs”)
Flexible Technology Solutions is committed to respecting and protecting the privacy of individuals with whom we come into contact. We believe in protecting the rights of the individual to the privacy of their Personal Information.
What do we do for our clients and what data do we receive?
Flexible Technology Solutions collects and processes transactional client business to business data to help us improve our clients’ financial performance by various means. We are primarily recovery auditors and recovery audit technology providers who process procurement-to-payment transactional information (i.e. accounts payable data, vendor file information, promotions, merchandise line item/product data, supply chain/logistics data, etc.) to identify client overpayments or missed vendor income.
As a “Processor” of data on behalf of our clients, Flexible Technology Solutions maintains appropriate information security controls to protect any Personal Information and will only access, analyse, or transfer this information as lawfully instructed by our client. In each case of data access, analysis, or transfer, we have been contractually committed by a client (“Controller” under GDPR) to process specific client business data files under agreed upon appropriate security measures, model clauses, and/or other appropriate written authorizations.
FlexTecs does not collect Personal or Sensitive Personal data in order to perform our services (our role as a “Processor”) or provide this data (including FlexTecs employee data) to any third parties for any purpose, such as site analytics. However, there may be occasions where we inadvertently receive personal information embedded in client-supplied data such as the vendor master file and client email communication. In these minority share of cases we effort to filter out and securely destroy Personal information and any data irrelevant to the business to business transaction functions that we serve.
In addition, FlexTecs will come into possession of limited amounts of Personal Information (e.g. name, email address, phone number) through routine correspondence such as email communications and portal correspondence. In all cases, we take all necessary and appropriate steps to secure all data in line with what is required for Personal and Sensitive Personal information, to ensure that we limit exposure for the individual and we that we are in compliance with all GDPR and SOC obligations for commercial data Processors.
We validate and continuously test that appropriate technical, administrative, and physical controls are in place to protect any Personal Information. We ensure that reasonable controls are in place to enforce confidentiality, limit use, and ensure proper disposal and retention of Personal Information.
For purposes of our Privacy Notice, we define Personal and Sensitive Personal Data as follows:
- Personal Information (“Personal Information”) is information that pertains to or is about any individual, and can be linked to or used to identify that individual, and with respect to information originating from the EU, “Personal Information” is any information relating to an identified or identifiable natural person, as defined under the General Data Protection Regulation (“GDPR”). Examples of Personal Information include Names, Personal Email Addresses and Home Addresses.
- Sensitive Personal Information (“Sensitive Personal Information”) means Personal Information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership or that concerns health.
Data Storage and International Data Transfers
FlexTecs, unless otherwise prohibited by law and/or client contractual requirements, will receive and process client data in one of, or both of, the following ways. In some cases, FlexTecs is contractually required to store data in both ways to meet client-mandated redundancy and business continuity requirements.
- US-based secured cloud storage – highly-secured, *EU-US Privacy Shield standard, SOC1 certified facility
- EU-based secured cloud storage – highly-secured, GDPR-compliant storage within European Economic Area (“EEA”)
In each case of receipt of data, FlexTecs adheres to contractually-obligated data storage, security, and confidentiality measures. In addition, FlexTecs maintains and continuously enhances controls in adherence of our own SOC certification requirements and new requirements under GDPR. We are committed to protecting the privacy, confidentiality, and security of the data that is provided to us, including Personal Information, through a combination of technical, physical and administrative measures, controls, including internal policies, practices and procedures. In cases of onward transfer to third parties of data of EU individuals received pursuant to the EU-US Privacy Shield, Flexible Technology Solutions remains liable. We ensure that our third parties maintain the same level of security as us.
*EU-U.S. Privacy Shield
Federal Trade Commission (“FTC”)
Flexible Technology Solutions operates under the jurisdiction of the FTC.
What are my Rights and Protections regarding my Personal Information and Sensitive Personal Information?
FlexTecs commits to cooperate with EU Data Protection Authorities (DPAs) and comply with the advice given by such authorities with regard to Human Resources data transferred from the EU in the context of the employment relationship.
Although FlexTecs does not intentionally collect and process Personal or Sensitive Personal Information as part of delivery of our services, we adhere to the highest global standards of data and privacy protection including the required principles of GDPR, effective 25th May 2018, and those of EU-US Privacy Shield certification. These standards include:
- Reasonable and Diligent Measures to Protect Your Privacy. FlexTecs values individual’s privacy and holds the security and proper care in handling individuals’ data as a top priority. FlexTecs maintains a relentless focus on Information Security, Business Continuity, and global privacy standards. We maintain and continuously upgrade our physical, organizational, and technical controls and protocols to provide reasonable assurances that all data is protected. Additional details regarding our highly secured data storage infrastructure, advanced access and authentication controls, business continuity measure, and global compliance protocols are available upon request.
- “Opt-in” Provisions. As a Processor of data on behalf of our clients, FlexTecs accepts data in accordance with explicit contractual obligations and assurances regards what data we are to accept, the approved usage(s), storage and confidentiality requirements, and regulatory compliance requirements. For internal data, FlexTecs (as a “Controller” of selected individual Personal Information for employees and former employees) provides individuals with clear instructions regarding their rights, data utilization, safeguard measures, and opt out options.
- Clear Disclosure and Transparency of Utilization of Data. As a Processor of data on behalf of our clients, FlexTecs adheres to strict guideline regarding data received, usage and Information Security. As a Controller of HR and non-HR data for our employees, FlexTecs accepts and protects only essential “opt-in” data required by law and company published and mutually approved handbook(s).
- Right to Access. All FlexTecs employees have the right to access their information and update it on request via firstname.lastname@example.org. FlexTecs do not intend to use employee data for any other purposes other than it was originally collected for. If this changes, employees will be provided with an opportunity to OptOut. In certain situations, Flexible Technology Solutions may be required to disclose your personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, upon receipt of a valid judicial instruction.
- Right to Erasure. FlexTecs retains data in line with personal consent, contractual and legal obligations. Our infrastructure and technology platform ensures that we are able to comply, in a timely manner with all client and individual requests for erasure of data. Furthermore, FlexTecs proactively and securely filters and disposes of any data that is unnecessary for our contractually obligated and legally authorized completion of our work.
- Retention of Data. FlexTecs retain its employee information for 84 months after their leave date. Client data is retained for 6 years or erased at request.
- Notifications and Timely Response to Any Queries. FlexTecs commits to prompt responsiveness to any queries or requests related to Personal or Sensitive Personal information. These requests and queries may include but are not limited to restrictions, objections, erasures/opt-outs, and explanations of usage. FlexTecs will continue to provide responses, notifications, and follow-through in line with the standards required for client-level SLAs, GDPR, SOC, and EU-US Privacy Shield.
FlexTecs commits to independent dispute resolution and investigative compliance in line with EU-US Privacy Shield Standards and GDPR requirements as of 25th May 2018. Complaints can be referred to our Chief Information Officer via email@example.com.
Independent Dispute Resolution and Subject to Investigative Authority of FTC and EU Information Commission.
If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed, you can submit your complaint to Privacy Trust, an independent third party. Visit https://www.privacytrust.com/drs/FlexTecs to file a complaint. If you feel complaints are not being addressed, you have the right to invoke binding arbitration through the Privacy Shield Panel, in some circumstances.