Privacy Policy

CERTPOINT Systems Inc. ("CERTPOINT") respects individual privacy and values the confidence of its customers, vendors, business partners and others. CERTPOINT strives to collect, use and disclose personal information in a manner consistent with the laws of the countries in which it does business and has a tradition of upholding the highest ethical standards in its business practices. CERTPOINT abides by the Safe Harbor Principles developed by the U.S. Department of Commerce and the European Commission as well as the Frequently Asked Questions ("FAQs") issued by the Department of Commerce on July 21, 2000. This Safe Harbor Privacy Policy (the "Policy") sets forth the privacy principles that CERTPOINT follows with respect to transfers of personal information from the European Economic Area ("EEA") (which includes the fifteen member states of the European Union ("EU") as well as Iceland, Liechtenstein and Norway) to the United States.

CERTPOINT as Processor on Behalf
CERTPOINT provides customized computer services designed to help companies manage employee training more effectively. In this capacity, CERTPOINT does not own or control any of the information it processes on behalf of CERTPOINT’s client company. All such information is owned and controlled by the client company. In this capacity, CERTPOINT receives information transferred from the EU to the US merely as a processor on behalf.

CERTPOINT has appointed a Privacy Officer who is responsible for the internal supervision of CERTPOINT’s privacy policies and data security. CERTPOINT is committed to educating its employees, clients, and users of the Vuepoint Learning System ("VLS Users") in the US and in the EU about CERTPOINT’s compliance with EU Safe Harbor.

CERTPOINT’s Privacy Officer and its legal team are available to address questions concerning CERTPOINT’s EU Safe Harbor privacy policies or data security practices.

Processing Contracts
Before starting any processing on behalf of CERTPOINT’s client company, CERTPOINT will enter into a processing contract with the EU data controller responsible for the personal information pursuant to the applicable EU Member State Data Protection law. The processing contract ensures that the EU data controller will be in compliance with the Member State data protection laws. Any data processed by CERTPOINT will not be further disclosed to third parties except as expressly set forth in this Policy and where permitted or required by the processing contract, EU Safe Harbor or the applicable Member State Data Protection law. Any information which CERTPOINT’s client company (acting as the EU controller) identifies as sensitive will be treated accordingly.

The processing contract will also specify that the processing will be carried out with appropriate data security measures. CERTPOINT offers password protection, SSL encryption, and a secure hosting environment to protect personal information from loss, misuse, unauthorized access, disclosure, alteration, and destruction.

CERTPOINT’s database contains information which is used for the purposes of VLS User authentication, distribution of courses/system rights to VLS Users, and reporting to the client company on employee learning activity. CERTPOINT does not provide any VLS User information from its database to any third parties.

Notice - Prior to the transfer of any non-public personal information from the EU to the US, CERTPOINT requires contractual confirmation from the EU controller from which CERTPOINT acquired the information that the applicable data subjects were provided with proper notice pursuant to the applicable EU member state data protection law.

Choice - Prior to the transfer of any non-public personal information from the EU to the US, CERTPOINT requires contractual confirmation from the EU controller from which CERTPOINT acquired the information that the applicable data subjects were provided with the choice to determine how their information may be used pursuant to the applicable EU member state data protection law.

CERTPOINT will, upon request, remove an individual's name and related information from its database. In order to request that CERTPOINT not use an individual's non-public personal information, such individual should contact its company's VLS System Administrator, which will be provided with administrative rights to accommodate such requests.

Data Integrity - CERTPOINT takes reasonable steps to assure the information which is transferred from the EU to the US is reliable, accurate and complete. The steps CERTPOINT takes to assure data integrity are made in light of the purposes for which the personal information is used.
 
Onward Transfer - Except as provided below, CERTPOINT does not disclose or transfer personally identifiable VLS User information to any third parties.

CERTPOINT may from time to time use agents to perform processing tasks on behalf and under the instruction of CERTPOINT and may offer third party services to VLS Users. CERTPOINT requires that its agents and any third party service providers either:

Security - CERTPOINT will take reasonable precautions to protect personal information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. CERTPOINT limits access to personal information and data to those persons in CERTPOINT’s organization, or agents of CERTPOINT Systems, that have a specific business purpose for maintaining and processing such information and data. Individuals who have been granted access to personal information are aware of their responsibilities to protect the security, confidentiality, and integrity of that information.

Any security compromises or potential security compromises and any inquiries concerning security should be reported to the CERTPOINT Privacy Officer at privacy@certpointsystems.com.

Written communication should be addressed to:

CERTPOINT
4 Expressway Plaza, Suite 200
Roslyn Heights, NY 11577
Attn: Privacy Officer

Access - An individual may, through their company VLS System Administrator, request access to their own personal information as maintained in CERTPOINT’s database. VLS System Administrators can correct, amend, or delete personal information if it is inaccurate.

Enforcement - A VLS User who wishes to file a complaint or who takes issue with the Policy should direct such communication to CERTPOINT’s Privacy Officer at the addresses specified above. The Privacy Officer will provide details regarding the process to be followed when filing a complaint.

CERTPOINT will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information in accordance with the principles contained in this Policy. Any other controversy or claim arising out of or relating to this Policy, or the breach thereof, shall be settled by arbitration administered by the American Arbitration Association ("AAA") in accordance with its applicable commercial rules as well as the Safe Harbor Enforcement Principle; provided, further, that any arbitrator shall be either an attorney or retired judge having significant and recognized experience with and knowledge of privacy issues and information technology. In addition, the exclusive location for such arbitration shall be New York, NY. All decisions of the arbitration panel shall be final and binding on the parties, which waive any right to further appeal the arbitration award, to the extent an appeal may be lawfully waived.

CERTPOINT is also subject to the jurisdiction of the US Federal Trade Commission. The Federal Trade Commission may be contacted at the following address:

Federal Trade Commission
Attn: Consumer Response Center
600 Pennsylvania Avenue NW
Washington, DC 20580
consumerline@ftc.gov 
www.ftc.gov 

Changes to This Policy
The practices described in this Policy are current personal data protection policies as of January 9, 2004. CERTPOINT reserves the right to modify or amend this Policy at any time consistent with the requirements of the Safe Harbor Principles. Appropriate public notice will be given concerning such amendments.