XOVOX Inc. sees data privacy as a critical piece of our corporate mission. We take seriously our duty to maintain the security and privacy of the personal data of our customers, employees, and vendors to which we have access, and our legal obligations under the data privacy laws of the different countries where we do business. Security and data protection are woven into our organization.
Everyone working on behalf of XOVOX, including our employees, contractors, and vendors, is expected to apply our principles of data privacy and protection to all of their activities and to comply with our privacy policies. Our privacy principles are presented in Section 2, but in general these principles and policies ensure that we only request personal data for which there is a justifiable business need, take steps to properly secure it, allow access or use only when authorized for legitimate business needs, do not retain it past the point when the legitimate business need has ended, and use a secure method to dispose of it.
XOVOX employees and others who have questions or concerns about particular practices and compliance with data privacy laws may contact any of the following: XOVOX’s Chief Privacy Officer (firstname.lastname@example.org) or our Legal Department (email@example.com).
XOVOX recognizes that privacy is a human right. We are committed to the following general principles of data privacy and protection. These principles are expressed in our policies and standards and guide our practices:
XOVOX does not sell personal information.
Personal data collected by XOVOX may be used only for the purposes for which it was collected, specified no later than at the time of collection. Except with the consent of the affected individuals, for purposes compatible with their reasonable expectations, or otherwise in line with applicable law, the subsequent processing of the personal information will be limited to these stated purposes.
Personal data may be made available only to people with a “need to know” and who have the appropriate clearances.
XOVOX holds third parties with whom personal data is shared to these same privacy principles and standards. Such third parties are required to conduct themselves in a manner consistent with our Code of Ethics and Code of Conduct policies, which include requirements for the proper handling of personal data, and to execute data processing agreements where applicable.
Personal data kept by XOVOX must be accurate, relevant, and not excessive in relation to the purposes for which it was collected.
Personal information is to be deleted as soon as it is no longer needed or required to be maintained under applicable laws.
Data subjects are to be informed about how their personal data is used and with whom it may be shared. XOVOX will issue required privacy notices and respond promptly to inquiries about its data processing operations.
XOVOX will maintain best-practice technical and organizational security measures to protect against such risks as accidental or unlawful destruction, loss, or alteration of personal data, and unauthorized disclosure or access.
In the countries where we do business, XOVOX complies with the requirements of applicable laws, such as the European General Data Protection Regulation (GDPR), that give data subjects the opportunity to be notified about what personal information the Company holds, to verify its accuracy, and in some circumstances to object to the processing of their personal data and demand that it be deleted.
XOVOX takes additional security measures to protect highly sensitive data (such as medical and health information) in accordance with applicable laws, including the GDPR in Europe and the Health Insurance Portability and Accountability Act (HIPAA) in the United States. This specifically includes any information we may collect about vaccination status for COVID-19 or other diseases.
We consider privacy when building or designing applications, systems and processes that may involve the collection of personal data, and assess them to ensure that privacy-related risks to data subjects are considered and mitigated to the extent reasonably possible.
XOVOX regularly reviews its privacy program and practices to ensure continued internal compliance, effectiveness and alignment with emerging law and best practices.
XOVOX will notify affected data subjects promptly after becoming aware of an incident involving a personal data breach by XOVOX or its vendors, as required by law.
Incident notifications will generally describe the nature of the personal data breach, the likely consequences, the contact point where more information can be obtained, and the measures taken or proposed to be taken by XOVOX to address the breach and mitigate its possible adverse effects.
Where personal data is used to send sales and marketing communications about XOVOX products, we will follow protocols to ensure that we obtain all required consents, and that we offer opt-out and unsubscribe opportunities as required by applicable laws.
XOVOX maintains internal policies, protocols, controls and practices that ensure we act consistently with these privacy principles.
Data subjects who desire more information, or who wish to invoke their rights under applicable privacy laws, are invited to contact firstname.lastname@example.org.
XOVOX was ready for the effective date of the European General Data Protection Regulation (GDPR) in 2018 and the California Consumer Privacy Act (CCPA) in 2020. Under the GDPR, we have an obligation to maintain the security of data concerning European data subjects, respect their rights to access that data and inform them about how data is used, and make sure that in developing applications and systems, we make “privacy by design” and “privacy by default” a part of our culture. Under the CCPA we are required to give California consumers similar access to their personal information and establish security measures to prevent data breaches. In addition, XOVOX continues to monitor the development of new data privacy laws in other places where we do business.
Maintaining data security means implementing strong data protection standards at XOVOX and passing through rigorous data security requirements to our suppliers. XOVOX’s Information Security team is committed to state-of-the-art data protection and cybersecurity. XOVOX has formally adopted the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) to plan, structure, test, and measure our enterprise cybersecurity. Our employees are regularly trained and policies and procedures are assessed regularly by our internal auditors and outside consultants.
We conduct detailed security evaluations of our vendors who handle personal data and other confidential information, and we require our vendors to comply with the XOVOX Information Security Requirements for Vendors.
XOVOX has a detailed company-wide incident response plan designed to allow us to quickly take the steps needed to minimize harm and secure customer data. As required by law, XOVOX will notify affected data subjects promptly after becoming aware of an incident involving a data breach by XOVOX or its suppliers.
Under the GDPR, a “data controller” collects and maintains personal data and decides how it is to be processed. A “data processor” follows the instructions of the data controller for processing personal data. In connection with the products and services it provides, XOVOX does not typically process personal data on its customers’ behalf. When we use customer employee contact information to complete orders, conduct business, or enable logins (where user names and passwords are hashed), it’s more accurate to say that XOVOX acts as a data controller.
In those rare cases where XOVOX does act as a data processor on behalf of a customer, XOVOX will enter into an appropriate form of data processing agreement in which XOVOX will agree to:
process personal data only on the written instructions of the controller;
take all measures required pursuant to article 32 of the GDPR in respect of the personal data;
ensure that its staff who are authorized to process the personal data have committed themselves to confidentiality;
ensure that its subcontractors who process such personal data are in turn subject to obligations substantially identical to those applicable to XOVOX;
at the customer’s cost, assist the customer through appropriate technical and organizational measures (insofar as possible) to respond to a request by a data subject to exercise his or her rights in respect of the personal data;
not transfer such personal data onward to recipients outside of GDPR jurisdictions without adequate safeguards;
at the customer’s cost, make available to the customer all information necessary to demonstrate XOVOX’s compliance with these obligations; and
promptly notify the customer of requests received directly from data subjects with respect to personal data submitted through the XOVOX products or services.
Under the CCPA, a company that utilizes a service provider to process personal information of California consumers on its behalf must enter into a written agreement prohibiting the service provider from selling the personal information or using the information for any purpose other than performing the services specified in the contract.
Again, XOVOX does not generally process personal information on behalf of our customers, and XOVOX does not sell personal information. In an appropriate situation XOVOX will enter into agreements acknowledging that as a third party, XOVOX is prohibited from (a) selling any personal information of its customers or their employees, (b) retaining, using or disclosing the personal information for any purpose other than performing the services described in the applicable contract, and (c) retaining, using or disclosing the personal information outside of the direct business relationship between the customer and XOVOX.
XOVOX has employees and contractors all over the world. We need to be able to transfer information across national borders in order to operate our business, including recruiting the best talent, providing them with pay and benefits, evaluating and counseling them regarding their performance, and sharing information about their opportunities for community involvement. In so doing, we are mindful of the laws in each country where we work, particularly those that pertain to data privacy and protection.
We take security measures to protect all personal data (and particularly sensitive data, such as health information) in accordance with applicable laws. This specifically includes any information we may collect about our workforce’s vaccination status for COVID-19 or other diseases.
XOVOX maintains effective controls as to who may access the personal data of our workforce as well as policies regarding how data is to be retained, and for how long.
For members of our workforce who live in Europe, the GDPR (mentioned in Section 3.1 above) imposes special requirements. XOVOX’s GDPR-compliant practices include, but are not limited to:
Robust policies and notices to reflect current laws and advise data subjects of their rights under the GDPR
GDPR-compliant data processing agreements with the outside companies that process employee data on XOVOX’s behalf
Document retention policies under which we do not maintain personal data any longer than required in order to fulfill our legal obligations
Data privacy training as part of our regular Ethics and Compliance Training, which must be completed annually by every XOVOX employee, as well as specialized training for groups who access and use personal data within XOVOX.
Employees who desire more information, or who wish to invoke their data subject rights, are invited to contact our Chief Privacy Officer at email@example.com.
Our commitment to data security extends to protecting personal data as well as XOVOX’s intellectual property from theft. This includes the use of badged access, video monitoring, and the like to maintain physical security, as well as firewalls, encryption, and data loss prevention measures to prevent the misuse of XOVOX’s systems and devices. We obey applicable privacy laws whenever we monitor the use of XOVOX-owned systems and devices.
Personal data is to be made available only to people with a “need to know” and who have the appropriate clearances. If you have access to personal data in connection with your job, be vigilant about the need to prevent inappropriate or unlawful disclosures. Keep current with XOVOX’s privacy and data security training, take advantage of the marketing protocols and other resources available from the Legal Department, and direct any questions to our Chief Privacy Officer at firstname.lastname@example.org.
XOVOX values the many vendors and suppliers who provide us with tools to help us manage information about our workforce, our customers, and others.
XOVOX looks to its vendors to conduct business consistent with our Code of Ethics and Code of Conduct policies, which include data privacy and protection requirements as well as other obligations to ensure that we do business the right way. Put simply, we do business the right way when we act ethically and consistently with our core value of integrity. We look forward to partnering with other organizations in pursuit of this goal.
Under the GDPR (mentioned in Section 3.1), XOVOX is required to have appropriate agreements in place with each vendor who handles the personal data of European data subjects. Any business involved in the processing of personal data of a European data subject must comply with the GDPR, regardless of where the processor’s business is located.
Accordingly, we require vendors and suppliers to sign data processing agreements (DPAs). This is necessary to ensure proper handling and protection of employee and customer data and to provide a valid legal basis for transfers of personal data from Europe to the US. We have found that most of our vendors are already aware of these requirements, which are as important for their own compliance with the GDPR as for ours.