Data Privacy Framework (DPF)
EU-US
UK extension to the EU-US
Effective starting: December 21, 2023.
1. What is the EU-US Data Privacy Framework?
The EU-US Data Privacy Framework (the “DPF”) is an adequacy decision adopted on 10 July by the European Commission.
An adequacy decision is one of the tools provided under the General Data Protection Regulation (GDPR) to transfer personal data from the EU to third countries which, in the assessment of the European Commission, offer a comparable level of protection of personal data to that of the European Union.
As a result of adequacy decisions, personal data can flow freely and safely from the European Economic Area (EEA), which includes the 27 EU Member States as well as Norway, Iceland and Liechtenstein, to a third country, without being subject to any further conditions or authorisations. In other words, transfers to the third country can be handled in the same way as intra-EU transmissions of data.
The Data Privacy Framework concludes that the United States ensures an adequate level of protection -compared to that of the EU- for personal data transferred from the EU to US companies participating in the EU-U.S. Data Privacy Framework.
The adequacy decision on the EU-U.S. Data Privacy Framework covers data transfers from any public or private entity in the EEA to US companies participating in the EU-U.S. Data Privacy Framework.
Likewise, the UK Extension to the EU-U.S. DPF provides participating organizations with a reliable mechanism for personal data transfers to the United States from the United Kingdom (and Gibraltar) while ensuring data protection that is consistent with UK law.
To find out more about the EU-US Data Privacy Framework (DPF), click at: Data Privacy Framework.
2. Who We Are?
“Epignosis LLC” is an entity located in the United States of a U.S.A. based company, having its registered office at 1209 Orange Street, City of Wilmington, Delaware, DE 19801, tel. (+1) 646 797 2799, and provides accessible and affordable eLearning services such as eFront (“the Services”) to any single company or organization worldwide.
3. What is this Privacy Policy?
This Privacy Policy is meant to inform you about the way we use Personal Data received from the EU. We value transparency and respect your privacy.
Epignosis LLC complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. Epignosis LLC has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit Data Privacy Framework.
4. What Personal Data Are Received in the US and How We Use Them?
A. Epignosis LLC as Controller of Personal Data
Visitors
Epignosis LLC collects Personal Data through the Site (https://www.efrontlearning.com/) and the Services (“eFront”). A visitor of our Site is the person simply visiting our Site, as well as the person interacting with our Site e.g. by filling in and sending the contact form, or ordering our Newsletter (referred to as “you”, “your” or “Visitor” in this Policy).
Cookies
A cookie is a small data file stored by your browser at your device’s hard disk for record-keeping purposes, namely it records information about the use and activity on the Site. This information may include, but is not limited to, your Internet Protocol address, browser type, but also your web browsing history before visiting the Site, our Site’s search history.
Some cookies are “first party cookies”, which means that they are set by the owner of a website, i.e. Epignosis LLC. Cookies set by parties other than the owner of a website are called “third party cookies”.
Cookies are used for different reasons.
There are the necessary cookies, which are required for technical reasons in order for a website to operate.
Some cookies are used to enhance the performance and functionality of a website, but are non-essential to their use. However, if you decide not to accept such cookies, certain functionality may become unavailable. Such cookies are called preferences cookies.
Some cookies collect information that is used in aggregate form to help a website owner understand how its website is being used. Such cookies are called analytics. For example Google, stores a Google Analytics cookie in order to be able to differentiate between users and be able to show to the website owner how many times people visit a website on average and information on what pages they’ve seen, how long the duration was, and so on. Third party cookies used on our Site upon your consent are Google Analytics.
Some cookies are used for marketing purposes. These are the marketing cookies and are third-party cookies. Third-party cookies are placed by providers (e.g., by Google, Facebook), who a website owner may have engaged to provide advertising services on its behalf. If, from the analysis of information, visitors of a webpage are interested in one of the services, then advertising material would be projected on third party websites. To see how data is collected and analyzed by third party cookies, you can also visit the websites of the third parties.
When you visit our Site, you are asked to consent to the use of cookies. You may choose to consent to none, one or more of the above cookies, except for the necessary ones. You may withdraw your consent to the use of cookies any time during your visit to our Site freely and easily by clicking on the Cookies Manager button and setting your preferences.
Additionally, you can instruct your browser, by changing its options, to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit.
Newsletter
If you wish to receive our Newsletter, for example announcements about new offers and actions of Epignosis LLC, you may enter your e-mail address on the Site to specifically request registering for the Newsletter. Your email address is solely used for the purpose of sending our Newsletter and you are removed from the Newsletter recipient list, once you choose to unsubscribe. You may be removed from this list, easily and without cost, by selecting the “unsubscribe” link within the e-mail content. You can also send an email at privacy@efrontlearning.com.
To send the Newsletter, we use Mailchimp, a US based company, as a provider of electronic communication platform. For the privacy policy of Mailchimp see Mailchimp Privacy Policy.
Contact Form
If you wish to communicate with us by using the Contact Form, you may enter your name, your e-mail address, your telephone number, the matter you would like to discuss about with us and write your message in the dedicated space. Such personal data is used solely for the purpose of responding to you, and we keep your data only as long as it is necessary to respond to your request.
Other Submissions
Other submissions: We collect other data that you submit to our “Site” or as you participate in any interactive features of the Services, participate in a survey, contest, activity or event, or otherwise communicate with us. Such personal data is used solely for the purpose they were collected, and we keep your data only as long as it is necessary to serve that purpose.
Customers
In addition to the data we collect about Visitors, we also collect data from our Customers that are required for your contract with us, such as identification data (email, address) and contract data (your subscription plan) as well as billing and invoicing data. For billing and payments we engage Stripe (Stripe Global Privacy Policy), Paypal (Paypal Privacy Statement), and Braintree (Braintree Privacy Policy), Xero as an accounting and invoicing platform, (https://www.xero.com/us/legal/privacy/), and Baremetrics (Baremetrics Privacy Policy) for financial metrics, as our agents.
Credit Cards: You should know that we do not store your credit card information in our systems. All credit card transactions are processed using secure encryption – the same level of encryption used by leading banks. Card information is transmitted, stored, and processed securely at gateways on a PCI-compliant network.
We have made sure, by means of a written contract or assignment, that our agents provide at least the same level of data protection as we do, for example that they follow reliable technical and organizational security measures. You should know that Epignosis LLC is liable for onward transfers.
B. Epignosis LLC as data processor
If you decide to purchase or sign in for free to the Services, then Epignosis LLC processes Personal Data inputted in the Services by you/the Customer and your Authorized Users (any person authorized by you to use the Services via your account), as a data processor, i.e. in the way described and instructed by you in the Data Processing Addendum.
Data Processing Addendum
Epignosis LLC is the data processor for all Personal Data processed in relation to the provision of the Services. This means that such Personal Data is collected on the Customer’s/Account Owner’s behalf for its own purposes, that Customer/Account Owner is solely responsible i) for the legality, reliability, accuracy and quality of such Personal Data ii) for the legality of the processing purposes and iii) for the necessity of the processing to serve these purposes, and that the Customer/Account Owner is the data controller of Personal Data processed, while using the Services. Therefore, the Customer/Account Owner is responsible to satisfy the requests of the data subjects/individuals, whose personal data is processed through the Services, while Epignosis LLC shall provide assistance, as requested by Customer. Additionally, the Customer/Account Owner is responsible to inform the data subjects/individuals (any person whose Personal Data is processed by usage of the Services) about the scope, the purpose, the duration and the means of the processing, and to acquire the consent of the data subjects/individuals, whose Personal Data is being processed through the Services, where required. Epignosis LLC executes a Data Processing Addendum with the Customer/Account Owner, which is available on the Site at eFront DPA.
We share personal data with our agents (sub-contractors and sub-processors), solely for the provision of the Services. We have made sure, by means of a written contract or assignment that our sub-processors comply with the DPA, and provide at least the same level of data protection as we do, for example that they follow reliable technical and organizational security measures. You should know that Epignosis LLC is liable for onward transfers.
Our full list of sub-processors, including their tasks, and contact details, as well as their privacy policy is available on this Site as part of the DPA (Attachment 3).
5. Data integrity and purpose limitation
Consistent with the Principles, Personal Data is limited to the information that is relevant for the purposes of processing. We shall not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual. To the extent necessary for those purposes, we shall take reasonable steps to ensure that Personal Data is reliable for its intended use, accurate, complete, and current. We shall adhere to the Principles for as long as we retain such information.
We shall retain Personal Data in a form identifying or making identifiable the individual only for as long as it serves a purpose of processing within the meaning of the Principles.
6. Access
You have the right to access Personal Data that we hold about you and we shall correct, amend, or delete that information where it is inaccurate, or has been processed in violation of the Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated.
7. Choice
You should know that you have the right to choose (i.e., opt out) when your Personal Data is to be disclosed to a third party that is not acting as an agent to perform tasks on behalf of and under the instructions of us or when it is used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized.
You can exercise your right to opt out by contacting us at dpo@epignosishq.com and/or privacy@efrontlearning.com.
8. Security
We take reasonable and appropriate measures to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data. For more information on our Security Policy see Attachment 2 of the DPA on this Site and at Security.
9. Certification
We also constantly monitor the guidance around GDPR compliance and have recently joined the EU Cloud Code of Conduct, an EU Data Protection Code of Conduct for cloud service providers containing rigorous assurances for the protection of data in cloud services. eFront is verified compliant with the EU Cloud CoC, Verification-ID: 2020LVL02SCOPE003. For further information, please visit the List of Adherent Services.
10. Recourse
A. Internal complaint mechanism
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF Epignosis LLC commits to resolve DPF Principles-related complaints about our collection and use of your Personal Data. EU and UK individuals with inquiries or complaints regarding our handling of Personal Data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF should first contact Epignosis LLC at: dpo@epignosishq.com and/or privacy@efrontlearning.com.
B. Alternative Dispute Resolution Provider
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Epignosis LLC commits to refer unresolved complaints concerning our handling of Personal Data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States (Jams DPF).
If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit jamsadr.com for more information or to file a complaint. The services of JAMS are provided at no cost to you.
B. Alternative Dispute Resolution Provider
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, Epignosis LLC commits to refer unresolved complaints concerning our handling of Personal Data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States (Jams DPF).
If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit jamsadr.com for more information or to file a complaint. The services of JAMS are provided at no cost to you.
C. Binding arbitration
You have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms. For additional information see Data Privacy Framework
D. Jurisdiction
You should also know that the Federal Trade Commission has jurisdiction over Epignosis LLC’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF.
11. Disclosure to public authorities
You should know that we may have to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.