Customer Data Protection
Firmex International Ltd (“Firmex”, “we”, “us”, or “our”) provides cloud based Virtual Data Rooms that allow our Customers to share files in a secure environment for business processes including due diligence, corporate governance, regulatory compliance, litigation, and procurement (“Virtual Data Rooms”).
This Customer Data Protection Statement represents an Agreement between Firmex and the Customer and governs the use of Customer Data. If there is any inconsistency between this general Agreement and any negotiated Agreement between Firmex and the Customer, the terms of the negotiated agreement will prevail.
Customer: a legal entity with whom Firmex has an Agreement to provide the Virtual Data Room
Customer Data: data stored in and generated through the use of the Virtual Data Room, including Materials, User information, metadata, and logs
Materials: documents, images, video and any other material that is stored in the Virtual Data Room
User: an individual authorized by the Customer to access the Virtual Data Room
The following terms are used as defined in the EU General Data Protection Regulation (GDPR):
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
Personal Data: any information relating to an identified or identifiable natural person (“Data Subject”)
Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Third Party: a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data
3. Data We Process
Firmex may process the following types of Customer Data in order to provide and support the Virtual Data Rooms:
User Information: The Virtual Data Room requires minimal information from Users for the purpose of authentication and communication. Personal Data is limited to the name, email address, and office location.
Metadata: User activity within the Virtual Data Room are automatically logged, e.g. login time, location, Materials accessed. These logs are available to the Customer via the administrator portal for the purpose of monitoring behaviour and investigations.
Materials: The Materials uploaded to the Virtual Data Rooms by Users may contain Personal Data. Firmex does not access information within the Materials except in limited circumstances upon the Customer’s explicit and specific request for support.
4. Purposes for Processing
Firmex processes Customer Data for the following purposes:
- To provide and enhance our product and service offerings
- To provide insights and statistics on an aggregated basis to help our Customers measure their performance, better understand their customers and improve their product and service offerings
- To respond to Customer requests for support or assistance
With regard to Personal Data, Firmex acts as a Processor on behalf of Customers. Customers have primary responsibility for interacting with Data Subjects, and the role of Firmex is generally limited to assisting Customers as needed. Firmex processes data only upon a Customer’s instruction and shall have a duty to respect the security and confidentiality of the data, pursuant to the measures outlined in agreements with Customers and as required by applicable law.
For clarity, a Customer may be a Controller or a Processor of Personal Data. Where a Customer is a Processor of Personal Data, Firmex shall process Personal Data as sub-processor on behalf of the Controller. Instructions from the Controller regarding the processing Personal Data shall be given through the Processor.
5. How We Protect Data
Data Protection Program
Firmex maintains a managed data protection program to identify risks and implement preventative measures. Our Privacy Officer, supported by a network of senior professionals throughout the business and engineering teams, is responsible for managing the data protection program. The program is reviewed on a regular basis to provide for continued effectiveness.
Firmex Employees with access to Customer Data are trained on data protection and their responsibilities, and they are bound by confidentiality agreements and subject to background checks. Firmex has implemented a Privacy by Design (PbD) approach, and our team receives specific training related to their job responsibilities.
Firmex takes security seriously. We take various steps to protect information you provide to us from loss, misuse, and unauthorized access or disclosure. These steps take into account the sensitivity of the information we collect, process and store, and the current state of technology.
The Virtual Data Room is reviewed annually by an independent third party. This SOC-2 report covers the Trust Services criteria for security and availability and is available to Customers upon request.
6. Transparency and Cooperation with Customers
Firmex undertakes to be transparent regarding its data processing activities and to provide Customers with reasonable cooperation to help facilitate their respective data protection obligations.
Data Breach Notification: In the event that Firmex becomes aware of any unauthorized access to or disclosure of Customer Data, Firmex will promptly notify affected Customers to the extent such notification is permitted by applicable law.
Obligations Upon Termination: Upon termination of the Services, Firmex shall, at the request of the Customer, delete, render un-identifiable, or return all Customer Data. Firmex will certify that it has done so, unless legislation prevents it from returning or destroying the data.
7. Sharing and Disclosure
There are limited times when information may be shared by Firmex. This section discusses how Firmex may share such information.
Sub-processing by Third Parties: Firmex may retain third party sub-processors. Such third-party sub-processors shall process data only in accordance with the Customer’s instructions and the commitments outlined in this and other Agreements.
Such third-party sub-processors have entered into written agreements with Firmex in accordance with the applicable requirements, and Firmex conducts annual due diligence to verify their security measures. Firmex can provide Customers with a list of sub-processors and notify them of changes.
Compliance with Laws: Firmex may share or disclose data to comply with legal or regulatory requirements and to respond to lawful requests, court orders and legal process.
Enforcing Our Rights, Preventing Fraud, and Safety Firmex may share or disclose data to protect and defend the rights, property, or safety of us or third parties, including enforcing contracts or policies, or in connection with investigation and preventing fraud.
Changes to our Business Structure: Firmex may share or disclose data if we engage in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of Firmex’s assets, financing, acquisition of all or a portion of our business, a similar transaction or proceeding, or steps in contemplation of such activities (e.g. due diligence).
8. Data Subject Rights
Firmex acts as a data Processor on behalf of Customers. Customers have primary responsibility for interacting with Data Subjects, and the role of Firmex is generally limited to assisting Customers as needed.
Access, Correction, Amendment or Deletion Requests: Firmex shall promptly notify a Customer if Firmex receives a request from a Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. Firmex shall not respond to any such Data Subject request without the Customer’s prior written consent except to confirm that the request relates to that Customer.
Firmex shall provide Customers with cooperation and assistance in a reasonable period of time and to the extent reasonably possible in relation to any request regarding Personal Data.
Handling of Complaints: Data Subjects may lodge a complaint about processing of their respective Personal Data by contacting the relevant Customer or the Firmex Privacy department at the email address firstname.lastname@example.org. Firmex shall promptly communicate the complaint to the Customer to whom the request relates.
Customers shall be responsible for responding to all Data Subject complaints forwarded by Firmex, except in cases where a Customer has disappeared factually or has ceased to exist in law or become insolvent. Where Firmex is aware of such a case, it undertakes to respond directly to Data Subjects’ complaints within thirty (30) days, including the consequences of the complaint and further actions Data Subjects may take if they are unsatisfied by the reply.
Regulatory Inquiries and Complaints: Firmex shall, to the extent legally permitted, promptly notify a Customer if it receives an inquiry or complaint from a data protection authority in which that Customer is specifically named. Upon a Customer’s request, Firmex shall provide the Customer with cooperation and assistance in relation to any regulatory inquiry or complaint involving Firmex’s processing of Personal Data.
9. Changes to this Statement
We may change this statement from time to time, and if we do we will post any changes on this page. If you continue to use the Virtual Data Room after those changes are in effect, you agree to the revised policy. This document was last updated in December 2022.
10. Contacting Firmex
Firmex International, Ltd.
110 Spadina Avenue, Suite 700
Toronto, ON M5V 2K4