Jexia Privacy & Security Policy

This Privacy & Security Policy (‘Policy’) is part of the Jexia Terms and Conditions as accepted by creating an account (‘Terms’) and describes the process on the privacy matters and the appropriate security measures regarding the Jexia Cloud Services (‘Services’) and, if and to the extent Personal Data is involved, the applicable proceedings, personal data collecting and processing, the personal data principles for Jexia Cloud Services and the privacy and security measures Jexia has taken into account whilst processing Personal Data to create digital transparency.

This Policy is between the Customer of the Services (even if the user (developer) is using Jexia’s Services on behalf of a company or on its own behalf) (‘Customer’) and Jexia Company B.V. (‘Jexia’), and governs Customer’s privacy and its personal data when using the Services, all if and to the extent made available by the Customer from time to time, and related matters.

1.- PRIVACY

This Policy contains information regarding the objectives that Jexia pursues when registering personal data collected by the Services via app.jexia.com where Customer or Customer’s developer logs in to work on or create a project and how Customer can exercise Customer’s rights with regard to Customer’s Personal Data. Jexia will only use Customer’s Personal Data for the purposes described in this Policy and will store and protect any Personal Data collected in accordance with the applicable laws, including the General Data Protection Regulation (EU 2016/679) (‘GDPR’).

Collection of Personal Data

When a Customer uses the Services or logs into its account of the Services, Jexia may register Customer’s Personal Data directly or indirectly in a variety of situations. For example, Customer may want to give its name and contact information while using the Services to communicate with Jexia, to create a free account to make use of the Services, to provide Customer with certain information or service, or to do business with Jexia as either customer, supplier or other business partner. Further, when a Customer creates an account or a paid project and/or uses add-ons or other Services, Customer has to provide Personal Data such as name, email-address, country, payment information, billing address, username and other personal data provided by Customer (hereinafter: ‘Personal Data’). Within its account Customer is responsible and chooses what kind of Personal Data Customer wants to share on its account. Please do not share any Personal Data on your account that Customer would not want to share or make available for any other use. However, please note that in such cases Customer is not able to use (certain parts of) the Services via app.jexia.com.

Jexia collects and stores Personal Data from Customer when Customer contacts Jexia by e-mail, web forms, via the support widget, help center, events or other offline means in order to process Customer’s inquiries, respond to requests and improve the Services. Jexia also collects and processes certain Personal Data when Customer opens a ticket either via the support widget on the Platform or by sending a request to support@jexia.com. Jexia will collect Customer’s Personal Data in order to get back to Customer to answer the question and to provide assistance as needed. Unless Customer opts out, Jexia collects public information about Customer when using (open) community forums as part of the Services or third party services. Jexia collects Personal Data about Customer when using the services of third parties and/or suppliers.

Jexia collects Personal Data about Customer when Customer sends, receives, or engages with messages in connection with the Services. Jexia also collects and processes Personal Data of Customers for the benefit of the normal business operations of Jexia, in order to inform Customer about, and to make available information, services and other products that may be relevant to Customer, to develop and to make those available via the Services, and to update statistics of the Services, in order to improve Customer’s experience of the Services.

Use of Personal Data

Jexia logs usage data when Customer uses the Services, such as date and time, time spent, logging of activities, logfiles such as the visited pages when Customer clicks on content, performs a search or builds the application. In order to do so, Jexia uses cookies and other similar technologies as described in clause 2 below.

Jexia collects, processes and stores Personal Data concerning Customers of the Services:

  1. for the benefit of the business operations of Jexia;
  2. in order to provide Customer with certain services and to inform Customer about, respectively make available the platform, applications and features that may be relevant to Customer, and to develop and to make those available;
  3. to send Customer a newsletter and other content, products or services that may be of interest to Customer, unless Customer informs Jexia through privacy@Jexia.com that Customer does not wish to receive any offers from Jexia;
  4. to develop Services statistics;
  5. Jexia collects and uses Customer’s credit card details, account information, or billing address to verify and complete a financial (digital) transaction of the Services in order to provide respectively make available any subscription Services.

Personal Data of Customer will not be used for other purposes than the purposes for which Customer has provided the information or Personal Data to Jexia, unless Jexia obtains Customer’s unambiguous consent, or unless otherwise required or permitted by law, or when Jexia has a good faith belief that the disclosure is necessary to prevent or respond to fraud, defend the Services against attacks, or protect the property and safety of Jexia, its customers and users, or the public.

Customer and/or other users of the Services could share contributions, invite other users and collaborate within a Project which may be seen by those other users and/or third parties, therefore these other users or third parties may have access to Customer’s activity logs and see Customer’s name, e-mail address or username. Jexia will not share or disclose any other Personal Data with third parties, without Customer’s permission.

Jexia will not use the Services to collect special Personal Data such as information regarding political views, race, religious beliefs, health, criminal-law data, or other matters. Jexia will not use, sell, share or otherwise disclose any Personal Data of Customer to any third parties for any other commercial purposes without explicit consent.

Choices

Customers have several choices regarding the use of the Services. In general, Customer is not required to submit any Personal Data when Customer visits the website of the Services, but Jexia may require Customer to provide certain Personal Data in order to provide Customer with the Services or to receive additional information about the documentation or Services. Certain features may also ask for Customer’s permission for certain use of Customer’s Personal Data, and Customer has the choice to agree or decline.

Where Jexia has made settings available, Jexia will honor Customer’s choices about who can see Customer’s information, content, storage, upload, distribute, update, retain or delete Personal Data within Customer’s account. However, if the Services are purchased by another party (including Customer’s collaborator) for Customer, the party who purchased access to the Services has the right to control and access Customer’s account of the Services.

If Customer wishes to prevent cookies from tracking Customer when navigating through the Services, Customer can make use of the permission settings tool on the website. This tool is automatically loaded upon first visit of the website and after that it is accessible via an activation link from the bottom of all webpages. Customer can also reset Customer’s browser to refuse all cookies or to indicate when a cookie is being sent. Note, however, that in that case some portions of the Services may not work (properly) if Customer elects to refuse all cookies.

Access & Data Right Management

If Customer has submitted Personal Data to Jexia, Customer has the right to have reasonable access to the Personal Data that Customer provided to Jexia. Customer is also entitled to request rectification or erasure thereof in case of any inaccuracy or in case such Personal Data is outdated, to withdraw permission regarding the processing of Personal Data that Customer provided to Jexia via the Services, request restriction of such processing or object against such processing in case Customer has provided its consent for processing such Personal Data. Also, Customer is entitled to data portability in relation to the Personal Data that Customer provided to Jexia and to transfer Customer’s Personal Data directly from Jexia to another party.

Requests may be submitted through Customer’s account settings and/or by sending Jexia an e-mail through privacy@jexia.com. Customer can also make a request to update or remove information about Customer through the Services or by the support channels. Jexia will make all reasonable and practical efforts to comply with Customer’s request within 30 days, to the extent it is consistent with applicable law.

Security Measures

Jexia intends to protect Customer’s Personal Data and to maintain its accuracy. Jexia implements reasonable physical, administrative and technical safeguards to protect Customer’s Personal Data against loss, theft, and misuse, as well as against unauthorized access, use and disclosure. For example, all (personal) data transmitted to and from the WebApp, such as usernames and passwords, are encrypted. Jexia also requires that Customer and third parties protect such information from unauthorized access, use and disclosure. In case Jexia discovers a security breach that may adversely affect the protection of Customer’s Personal Data processed by Jexia, Jexia will notify Customer, to the extent permitted by law, as soon as reasonably possible.

2.- COOKIES

When using the Services of Jexia, Jexia will use cookies to collect certain essential data (such as but not limited to: language settings, login details and IP-address) in order to help Jexia to remember Customer’s login details, authentication data, language settings and other essential information which helps Customer to navigate through the Services and to provide a good user experience on the Jexia Platform.

Jexia uses cookies to help Jexia remember non-essential information such as Customer’s preferences or to recognize Customer’s device the next time Customer uses the Services. Certain cookies contain Personal Data – for example, if Customer clicks ‘remember me’ when logging in, a cookie will store Customer’s login credentials.

Jexia uses third party services which serve Cookies to help Jexia to analyze how the Services are used, to optimize the Services and to deliver the best possible experience. Currently, Jexia uses (i) Google Analytics by Google Inc., Hotjar by Hotjar Inc., Mixpanel by  to help Jexia to monitor our Services, and (ii) monitoring cookies such as [*] Hotjar, Crazy Egg and HubSpot.

The Services may include buttons, widgets or content that link to third party services, for example the Twitter, Facebook and LinkedIn links on the website, by which these third parties may serve Cookies to Customer. Jexia does not control the dissemination of these third party Cookies and cannot block Cookies from those sites. For that, please check the relevant third party website for more information.

Obviously, Jexia respects Customer’s choices of Cookies settings. If Customer wants to receive Cookies on the Services, other than analytic Cookies set above, Customer can opt-in. If Customer does not want Jexia to collect Personal Data with Cookies from Jexia, Customer can either decide not to opt-in or to opt-out when Customer does not want that Jexia serves Cookies. Jexia may need to set essential/required Cookies so that Jexia can remember Customer’s choices when Customer next visits the Services from the same browser.

Please also be aware that we make every effort to respect Customer’s choices, however, there is the possibility that not all Cookies will be captured. If this is a concern then we would recommend that Customer change Customer’s cookie settings via Customer’s browser; Customer’s browser help function will tell Customer how.

3.- SECURITY POLICY

Jexia will maintain organizational, administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services of the Customer, as described in this Security Policy, applicable to the specific Services purchased and used by the Customer, as updated from time to time.

Jexia will take commercially reasonable efforts to implement and maintain to the extent necessary any appropriate technical and organizational security measures, as specified in article 32 of the GDPR in general and in this Policy in particular. These measures will ensure a level of security appropriate to the risks presented by the processing and the nature of the Personal Data to be protected, and with consideration of the costs to implement and maintain these security measures.

Customer is responsible for the data, content and information it supplies to Jexia, its use of the Services, any and all users of the Services, logins, and all user accounts, maintaining due care and confidentiality in respect of access thereto and use thereof, and for any related use of third party products, software and data. Customer is responsible for the protection of (personal) data being sent and/or processed by the Services on behalf of (end)customer. Customer will comply with any applicable laws and regulations pertaining to the safeguarding of such Personal Data and will take care of the principles as described in clause 4.

Security Infrastructure

The infrastructure of the Services runs at a data center in the Netherlands, where Jexia has the benefits of the security measures. Jexia aims at achieving availability of the Services of twenty-four (24) hours a day, seven (7) days a week, conform the hosting service provider. Jexia does not warrant and specifically disclaims that the operation of the Services and/or its use shall be uninterrupted or error-free, or other defects in the Services.

The Personal Data in Customer’s application will also be hosted by Jexia. In such cases authentication mechanisms are available for Customer, so that only persons authorized by Customer will have access to Customer’s and its users’ Personal Data via API calls. Customer is responsible to set up different levels of access, and to take care of the security and access control of the applications made available through the Services.

Backup, encryption, and retention time

Jexia will make back-ups of the databases each day. These back-ups will be stored for forty-five (45) days, thereafter older backups will be completely deleted. The back-ups are stored in encrypted form to protect the Personal Data, and third parties are not able to “sniff” the Personal Data.

Identity and Access

Besides that, only a minimum number of Jexia’s authorized employees will have access to the Personal Data stored through the Services. These authorized employees take care of the hardware setup in the datacenter and any maintenance tasks related to hardware. Any other person needs to have authorization.

These authorized employees will have access credentials to the servers where the passwords are stored to establish access to databases. Access is only required in case of extreme outage or operations required for urgent maintenance on the databases.

Security Incident Management and reporting

In case Jexia discovers a security breach that may adversely affect the protection of Personal Data processed by Jexia on behalf of Customer, Jexia will notify Customer, to the extent permitted by law, as soon as reasonably possible. Jexia will cooperate with Customer on the investigation of the data breach. Customer shall be responsible to notify the relevant authority in case of a data breach.

4.- PRIVACY AND SECURITY PRINCIPLES

Jexia recommends Customer, due to the GDPR, to take care to process Personal Data in a certain way by using the Jexia Services. Customer acknowledges that it needs to comply with the GDPR, and therefore Customer needs to take into account the main principles whilst processing personal data on behalf of its (end)customer.

Principle of lawful, fair and transparent processing

Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject and based on a legal ground, such as the execution of a contractual relation or unambiguous consent of a data subject. Such consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of Personal Data relating to him or her.

Purpose limitation principle

Personal Data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data minimization principle

Personal Data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy principle

Personal Data shall be accurate and, where necessary, kept up to date.

Limitation principle

Personal Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the Personal Data are processed.

Integrity and confidentiality principle

Personal Data shall be processed in a manner that ensures appropriate security of the Personal Data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

Privacy by design & by default

Customer shall implement the appropriate technical and organizational measures in order to ensure that the above-mentioned principles are executed adequately.

Accountability principle

Customer needs to be able to show (through e.g. documentation) that it complies with the GDPR (principles).

5.- MISCELLANEOUS

From time to time, Jexia will revise this Policy, without further notice. Jexia recommends that Customer regularly check whether this Policy has been revised. However, Jexia will notify Customer via prominent notifications in the Services or by e-mail about any major changes that would negatively impact Customer’s interests, although Jexia is not envisioning any such changes in the near future. This Policy does not apply to third-party services that may be accessed through links on the Services.

This Policy is exclusively governed by the laws of the Netherlands. Any and all disputes that may arise with respect to the Policy will be referred exclusively to the competent court in the Netherlands, without prejudice to the right of either party to apply for disposition by summary proceedings and unless Jexia as plaintiff or petitioning party elects for the competent court of the domicile or place of business of Customer.

Questions regarding this Policy, regarding access, insight into, rectification, deletion of Personal Data with regard to any inaccuracies, or to transfer Personal Data that Customer provided to Jexia via the Services, or any other questions regarding this policy, may be submitted to Jexia via the following email address: privacy@jexia.com.