Sycamore Informatics Inc., Privacy Policy

Introduction

Purpose and Scope

This policy identifies Sycamore Informatics’ policies for identifying and maintaining the privacy of personal information maintained by Sycamore Informatics or in its products or for its vendors/customers.  This Privacy Statement applies to all Sycamore Informatics staff, Affiliates, Websites, and Services. It describes our privacy practices for collecting, sharing, and processing information relating to individuals (“Personal Data”) and how you can learn about your rights and choices regarding processing your Personal Data.

To learn more information about the following aspects of our privacy practices, please click on the links below:

Privacy and Your Information

Customer Data

GDPR

Privacy Shield

Security

Cookies

Privacy Related Communication

Sycamore strives to maintain communication with our current and prospective customers.  Our Chief Privacy Officer is happy to help with questions or inquiries.

Michael Owings
Chief Privacy Officer
privacy@sycamoreinformatics.com
Sycamore Informatics, Inc.
271 Waverley Oaks Rd, #103
Waltham, MA 02452
United States

Changes to Privacy Policy

Sycamore Informatics reserves the right to modify this Privacy Policy at any time.

Privacy and Your Information

This Privacy Policy describes the practices of Sycamore Informatics and how it uses personal information in connection with its software products and services.

Information Collected

When you contact us or request information from the Sycamore website, we may collect information such as your email. When you access secured areas for our services, such as the collaboration site, Sycamore Software as Services for our product, and online user guides, we may collect information such as full name, company name, email address, phone number, login id, and password.

As you navigate our Websites, Sycamore may collect information through commonly used information-gathering tools such as web beacons and cookies. Information collected includes standard information from your web browser, such as your Internet Protocol (IP) address, browser type, operating system, referring/exit pages, links clicked, and actions taken while browsing.

Sycamore Informatics does not store any Protected Health Information (PHI) in its products for user authentication, audit trail, or user notifications. Sycamore’s customers may store this information as part of their data and are subject to their privacy policies.

Sycamore Informatics has a policy on cookies collected by its website; please see our Cookie Policy.

This policy is available for review during an audit of Sycamore Informatics and is available through links on the Sycamore Informatics website.

Personal Information Used by Sycamore Informatics

Sycamore Informatics uses personal information collected from our Website to perform the services requested.  This may include the following examples:

  • Gather support issues and requests from customers

  • Obtain contact information from prospective customers who visit our website

  • User authentication and identification within our products

  • Administer your account

  • Send requested product or service information

  • Send product updates

  • Send marketing communications

  • Respond to questions and concerns

  • Improve our Web site and marketing efforts

Personal Information stored in Sycamore’s products includes information to authenticate users, record an audit trail and provide users with informational messages about the status of the products. Sycamore uses personal information to authenticate user access to its products and to record user actions.

Third-Party Access

We may share your Personal Data with third parties in the ways described in this Privacy Statement.

We may provide your Personal Data to companies or their Websites (such as our Customer Service Portal Provider) that provide Services to help us with business activities, such as customer support for our Services. These companies are authorized to use your Personal Data only as necessary to provide these Services to us.  Furthermore, these companies have privacy policies that have been reviewed by Sycamore.

We may also disclose your Personal Data:

  • As required by law, such as to comply with a subpoena or similar legal process,

  • When we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request,

  • If we are involved in a merger, acquisition, or sale of all or a portion of our assets, you will be notified via email and/or a prominent notice on our Website of any change in ownership or uses of your Personal Data, as well as any choices you may have regarding your Personal Data,

  • To any other third party with your prior consent to do so.

Sycamore does not have any subsidiaries or entities with which it shares information. Sycamore does not publish any personal data.


Customer Data

Customers may provide or upload data for hosting and processing purposes (“Customer Data”). Sycamore will not review, share, distribute, or reference any such Customer Data except as provided in the SYCAMORE INFORMATICS, INC. MASTER PROFESSIONAL SERVICES & SUBSCRIPTION AGREEMENT or as may be required by law. Per the agreement, we may access Customer Data only to provide the SaaS or Professional Services, prevent or address Service or technical problems at a Customer’s request in connection with Customer support matters, or as may be required by law.

Service Providers, Sub-Processors, and Third Parties

To help us provide SaaS and Professional Services to our customers, Sycamore may transfer Personal Data to third-party partners. The provisions of our Customer and partner agreements cover such transfers to third parties.

Data Retention:

Sycamore will retain your information (including Customer Data we collect on behalf of our Customers) for as long as the Customer’s account is active or as needed to provide you with SaaS and Professional Services and as necessary to comply with our legal obligations, resolve disputes, enforce our agreements, or as otherwise reasonably necessary for our business purposes. This is also covered in the Sycamore Informatics, Inc. Master Professional Services & Subscription Agreement.

Third-Party Sub-processors

Sycamore uses several third-party sub-processors, and a list of the processors can be requested by sending your request to privacy@sycamoreinformatics.com.


GDPR

For Customers: Sycamore’s data processing commitments to all Customers comply with the GDPR and other applicable data protection laws. Sycamore Customers may e-sign and receive a countersigned copy of Sycamore’s Privacy and Security Processor Addendum (“Privacy & Security Addendum”)  here.

The GDPR Addendum sets out the scope, subject matter, duration, and purpose of Sycamore’s data processing, the types of personal data processed, and the rights of data subjects. It also details Sycamore’s confidentiality obligations as a data processor, cooperation regarding inquiries from data subjects and authorities, international data transfers, Sycamore’s sub-processors, and the location and deletion of data. Finally, our security measures and personal data breach indemnity commitments are explained.

For Individuals: This section provides specific information about how Sycamore complies with the EU General Data Protection Regulation (“GDPR”). It supplements the information contained in the rest of our Privacy Statement and applies to all data subjects residing in the European Union.

Our Data Protection and Information Security Officers have assessed our obligations as data controllers for Sycamore products. Operating in a way that fosters trust and transparency, we appreciate the GDPR benefits of improving our business, becoming more efficient, and creating better relationships with our customers and those whose data they collect.

Sycamore will process personal data only if and to the extent that at least one of the following applies:

  1. You have given consent to the processing of your personal data for one or more specific purposes;

  2. processing is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into a contract;

  3. processing is necessary for compliance with a legal obligation to which Sycamore is subject; or

  4. processing is necessary for the purposes of the legitimate interests pursued by Sycamore or by a third party, except where such interests are overridden by your interests or your fundamental rights and freedoms.

When we collect personal data from you, we will make sure that you are aware of:

  • the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;

  • if applicable, the legitimate interests pursued by Sycamore or by a third party;

  • the recipients or categories of recipients of the personal data, if any; and

  • where applicable, the appropriate or suitable safeguards to protect your personal data.

We will also inform you of:

  • the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;

  • your right to request access to and rectification or erasure of personal data or restriction of processing or to object to processing, as well as the right to data portability;

  • if processing is based on consent, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;

  • your right to lodge a complaint with a supervisory authority;

  • whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract with us, as well as whether you are obliged to provide the personal data and of the possible consequences of failure to provide such data; and

  • the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

If Sycamore intends to further process the personal data for a purpose other than that for which the personal data were collected, we will provide you, before that further processing, with information on that other purpose and any relevant further information.

You may exercise your data subject rights under Articles 15 to 22 of the GDPR by contacting privacy@sycamoreinformatics.com. Sycamore will provide information on action taken on a request under Articles 15 to 22 to you without undue delay and, in any event, within one month of receipt.

If we need to extend this period by two further months, taking into account the complexity and number of the requests that require more time, Sycamore will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay. If you make the request by electronic means, we will provide the information to you by electronic means where possible, unless otherwise requested by you.

If Sycamore does not take action on your request, we will inform you without delay and, at the latest, within one month of receipt of the request of the reasons for not taking action and your possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

For our Software Solutions, Sycamore is a Data Processor of EU Personal Data under the direction of our Customers, who are Data Controllers. Here, Sycamore has no direct relationship with the individuals whose Personal Data it processes. If you are a customer of one of our Customers and would no longer like to be contacted by one of our Customers that use our Services, please get in touch with the Customer that you interact with directly. An individual who seeks access or who seeks to correct, amend, or delete inaccurate data should direct queries to the appropriate Sycamore Customer (the Data Controller). If a Sycamore Customer requests our assistance in removing data, Sycamore will respond to such requests within 45 business days.

For more information on GDPR, please visit: What is GDPR, the EU’s new data protection law?


Privacy Shield

Sycamore Informatics, Inc. complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the European Union (“EU”), the United Kingdom (“UK”) and Switzerland to the United States, respectively. 

Sycamore Informatics, Inc. has certified to the U.S. Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program and to view our certification, please visit https://www.privacyshield.gov/. A list of Privacy Shield member organizations can be found at: https://www.privacyshield.gov/list.

Types of personal data collected.

We collect business contact details from customers, suppliers, and other business partners in the EU, UK, and Switzerland (“EU, UK, and Swiss Business Contacts”), including name, job title, company affiliation, and contact details. From website visitors who request additional information about our products or who wish to access secure areas of our website, we collect name, company name, email address, mailing address, phone number, portal login ID, and password.

We also store and process personal data on behalf of our customers. Our customers use our cloud-based software products to process personal data at their discretion, including data about their customers, employees, and patients.

We are subject to the Principles for all personal data that we receive from companies or individuals in the EU, UK, and Switzerland (“EU, UK, and Swiss Data”) in reliance on the Privacy Shield Frameworks. We also receive some data in reliance on other compliance mechanisms, including data processing agreements based on the Standard Contractual Clauses.

Purposes of collection and use

We collect and use personal data of EU, UK, and Swiss website visitors for purposes of providing products and services to our customers, communicating with business partners about business matters, processing data on behalf of corporate customers, providing information on our services, and conducting related tasks for legitimate business purposes. 

How to contact us

If you have any questions regarding this notice or if you need to update, change or remove personal data that we control, you can do so by contacting privacy@sycamoreinformatics.com or by regular mail addressed to

Sycamore Informatics, Inc.
271 Waverley Oaks Rd, #103
Waltham, MA 02452
United States

To contact Sycamore’s Chief Information Security Officer:

Pankaj Tyagi
Chief Information Security Officer
271 Waverley Oaks Rd, #103
Waltham, MA 02452
United States

ptyagi@sycamoreinformatics.com

Types of third parties to which we disclose personal data and purposes

Sycamore is responsible for the processing of personal data it receives under the Privacy Shield Frameworks and subsequently transfers to any third party acting as an agent on its behalf. Sycamore complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, UK, and Switzerland, including the onward transfer liability provisions.

We share EU, UK, and Swiss Data with our subsidiaries, affiliates, and contractors who process personal data on behalf of Sycamore. We may also need to provide personal data to our partners to fulfill product and information requests and to provide customers and prospective customers with information about Sycamore and its products and services. We share EU, UK, and Swiss Data with other third parties for the purposes for which we receive the EU, UK, and Swiss Data (e.g., performance of contractual obligations and rights), and we may also disclose EU, UK and Swiss Data where we are legally required to disclose (e.g., under statutes, contracts or otherwise) or where the disclosure is permitted by law or the Privacy Shield Principles and we have a legitimate business interest in such disclosure.

EU, UK, and Swiss website visitors may opt out of disclosures to entities other than agents unless the disclosure is required by law or necessary under contracts by sending an email to privacy@sycamoreinformatics.com, but such an opt-out request may make it difficult or impossible for us to provide requested services. We minimize disclosures of personal data as reasonably practicable.

Right to access

EU, UK, and Swiss website visitors have the right to access the personal data we process about them. To access your personal data, please send a request to privacy@sycamoreinformatics.com.

Because Sycamore may have limited access to personal data our customers store in our services, if you wish to request access or to limit use or disclosure, please provide the name of the Sycamore customer who provided your personal data to our services. We will refer your request to that customer and support them as needed in responding to your request.

Choices and means

EU, UK, and Swiss Business Contacts may choose to change personal data, unsubscribe from email lists, or cancel an account by contacting privacy@sycamoreinformatics.com. EU, UK, and Swiss website visitors may choose to unsubscribe from our marketing communications using the unsubscribe mechanism in our emails.

Independent dispute resolution body and Arbitration

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please get in touch with Sycamore’s independent dispute resolution services in the US:

American Arbitration Association at https://adr.org/.

When covering employee data received from the EU, UK, and Switzerland for use in the context of the employment relationship, Sycamore commits to cooperate with and comply with the advice of the EU & UK Data Protection Authorities and the Swiss Federal Data Protection and Information Commissioner.

Investigatory and enforcement powers of the FTC

Sycamore’s commitments under the Privacy Shield Frameworks are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

The requirement to disclose

Sycamore may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.


Security and Infrastructure

Data security is paramount for Sycamore and our customers. Sycamore protects customer data with world-class physical, network, application, and data-level security. In addition, Sycamore invests in the most advanced and modern infrastructure to provide an innovative, scalable, global, predictable, and secure environment.

Security

Sycamore maintains a comprehensive security program based on ISO 27001 to ensure customer data confidentiality, integrity, and availability. Sycamore is committed to ensuring our services are available for operation and use at times set forth in service-level agreements, protected against unauthorized physical and logical access – including biometric entry authentication and 24/7/365 onsite monitoring – and that our system processing is complete, accurate, timely, and authorized.

(SOC 2) Type II report under the Security and Availability Trust Service Principles (TSPs). Sycamore uses AWS data centers and service providers that publish SSAE16 SOC1 Type II, and SOC3 (SysTrust) reports. These reports confirm that Sycamore delivers fully secure, reliable, high-quality operating standards using AWS data center operations, including provisioning, managing, and monitoring the hardware, network, and firewall. These reports are for limited distribution and are shared under a confidentiality agreement (CDA) with AWS.

ISO (INTERNATIONAL ORGANIZATION FOR STANDARDIZATION) 27001
Sycamore has achieved ISO (International Organization for Standardization) 27001 certification for its Information Security Management Systems (ISMS) covering various products and supporting infrastructure as described in the ISO certificate. ISO 27001 is a globally recognized security standard that provides guidelines for the policies and controls an organization has to secure its data. The standard sets out internationally agreed-upon requirements and best practices for the systematic approach to the development, deployment, and management of a risk/threat-based information security management system.

ISO (INTERNATIONAL ORGANIZATION FOR STANDARDIZATION) 9001
Sycamore has achieved ISO (International Organization for Standardization) 9001 certification for its Quality Management Systems (QMS) covering various processes supporting infrastructure as described in the ISO certificate. ISO 9001 is a globally recognized standard that provides guidelines for an organization's policies and controls to provide repeatable processes and outcomes. The standard sets out internationally agreed-upon requirements and best practices for the systematic approach to developing, deploying, and managing quality management systems.

Infrastructure

Sycamore leverages the most advanced cloud infrastructure to provide an innovative, scalable, global, predictable, and secure environment using AWS.

AWS is Privacy Shield certified and has entered into the EU Model Clauses and a Business Associate Agreement (HIPAA) with Sycamore. See further AWS Certifications. To ensure conformance with local regulations, application data resides and is backed up in key geographic regions — U.S. (West and East Coast), Europe (Germany and Ireland), and Japan.


Dated: 29 November 2022 Version 4.0