Imprivata Data Privacy Framework Policy

This Data Privacy Framework Policy (“Policy”) applies to Imprivata, Inc., Ground Control, Inc., FairWarning, LLC, and SecureLink, Inc., which have all been integrated into Imprivata, Inc. This Policy was last updated on November 22, 2024 and supplements our Imprivata Privacy Policy (“Imprivata Policy”).

What does this Policy cover?

Imprivata complies with the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework as outlined by U.S. Department of Commerce regarding the collection, use, and retention of Personal Data (as defined below) that is transferred from European Union member countries and Switzerland to the United States. If there is any conflict between the policies outlined in this Policy and the Data Privacy Framework Principles, the Data Privacy Framework Principles will govern. To learn more about the Data Privacy Framework, and to view our certification page, please visit https://www.dataprivacyframework.gov/s/participant-search.

As the Data Privacy Framework only applies to Personal Data transferred from European Union member countries and Switzerland, this Policy only applies to Personal Data transferred from European Union member countries and Switzerland to our operations in the United States.

All employees of Imprivata that have access to Personal Data covered by this Policy are responsible for conducting themselves in accordance with this Policy. Personal Data covered by this Policy shall not be collected, used, or disclosed in a manner contrary to this Policy without proper written permission from Imprivata’s legal department.

What terms do I need to know to understand this policy?

“Data subject” means an identifiable natural person who can be identified, directly or indirectly, by Personal Data supplied to Imprivata.

“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”).

“Sensitive Personal Data” mean Personal Data regarding a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, biometric or genetic data used to uniquely identify a data subject, physical or mental health, criminal record, or sexual orientation or life.

How does Imprivata comply with Data Privacy Framework?

Imprivata commits to subject all Personal Data covered by this Policy to the Data Privacy Framework Principles in accordance with the respective Data Privacy Framework. Information about each of the Data Privacy Framework Principles, and how Imprivata complies with each, can be found below.

Notice

Imprivata notifies Data Subjects covered by this Policy about our data practices regarding Personal Data received in the U.S. from European Union member countries and Switzerland in reliance on the respective Data Privacy Framework. The information we provide to Data Subjects (as set forth in the Imprivata Policy) includes the types of Personal Data we collect about them, the purposes for which we collect and use such Personal Data, the types of third parties to which we disclose such Personal Data and the purposes for which we do so, the rights of Data Subjects to access their Personal Data, the choices and means that we offer for limiting our use and disclosure of such Personal Data, how our obligations under the Data Privacy Framework are enforced, and how Data Subjects can contact us with any inquiries or complaints.

Choice

If Personal Data is (a) disclosed to a third party not identified at the time of data collection or (b) used for a purpose other than that which it was originally collected for, Imprivata will provide Data Subjects with an opportunity to choose whether to have their Personal Data so disclosed or used. Imprivata’s employees are responsible for providing proper notification to Data Subjects when they have the right to opt out of such disclosures or uses.

Accountability for Onward Transfer

In the event that Imprivata transfers Personal Data covered by this Policy to a third party acting as a controller, we will do so only if the third party has provided us with contractual assurances that it will (a) process the Personal Data for limited and specified purposes consistent with the consent provided by the Data Subject; (b) provide the same level of protection as is required by the Data Privacy Framework Principles; and (c) notify us if they can no longer meet this obligation.

As more fully set forth in the Imprivata Policy, in the conduct of Imprivata’s business operations, we may share Personal Data with attorneys, consultants, human resources providers, payroll providers, and other service providers contracted to provide services for the activities, delivery, and management of Imprivata products and services.

Imprivata may disclose Personal Data to approved third party data processors retained or contracted by Imprivata such as business partners and subcontractors, including, without limitation, affiliates, vendors, service providers and suppliers. We may share certain Personal Data with third parties who conduct marketing studies and data analytics, including those that provide tools or code which facilitates our review and management of our web site and services, such as Google Analytics or similar software products from other providers.

Except to the extent agreed by you, Imprivata may be required to share Personal Data as required or permitted by law, regulation, legal process, court order, bankruptcy or other legal requirement, or when we believe in our sole discretion that disclosure is necessary or appropriate, to respond to an emergency or to protect our rights, protect your safety or the safety of others, investigate fraud, comply with a judicial proceeding or subpoenas, court order, law-enforcement or government request, including without limitation to meet national security or law enforcement requirements, or other legal process and to enforce our agreements, policies and terms of use. Other than the aforementioned exceptions, the use and disclosure of all transferred Personal Data will be subject to this Policy.

In the event that Imprivata transfers Personal Data covered by this Policy to a third party acting as an agent, we will do so only if the third party has provided us with contractual assurances that it will (a) transfer the Personal Data for limited and specified purposes; (b) provide the same level of protection that is required by the Data Privacy Framework Principles; (c) take reasonable and appropriate steps to ensure that the agent effectively processes the Personal Data transferred in a manner consistent with our obligations under the Data Privacy Framework Principles; (d) and require the agent to notify us if it makes a determination that it can no longer meet its obligations to provide the same level of protection as required by the Data Privacy Framework Principles. If we receive such a notice, we will (a) take reasonable and appropriate steps to stop and remediate any authorized processing and (b) provide a summary or copy of the relevant privacy provisions of our contract with that agent to the U.S. Department of Commerce, if requested.

Imprivata remains liable under the Data Privacy Framework Principles if an agent processes Personal Data covered by this Policy in a manner inconsistent with the Principles, except where we are not responsible for the event giving rise to the damage. Additionally, we may be required to disclose Personal Data in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

Security

Imprivata takes reasonable and appropriate measures to protect Personal Data covered by this Policy from loss, misuse, unauthorized access, disclosure, alteration and destruction. While Imprivata cannot guarantee the security of Personal Data, we are committed to safeguarding all Personal Data received from the EU and Switzerland.

Data Integrity and Purpose Limitations

Imprivata only collects Personal Data covered by this Policy that is relevant for the purposes of processing, as set forth in the Imprivata Policy. We do not process Personal Data that is incompatible with the purposes for which it was collected or authorized by the Data Subject. Additionally, Imprivata takes reasonable steps to ensure that any Personal Data that is collected is relevant to its intended use, accurate, complete and current.

Imprivata retains Personal Data in a form identifying or making identifiable a Data Subject only for as long as it serves a purpose of processing, which includes the performance of Services, obligations to comply with professional standards and legitimate business purposes. We will only request the minimum amount of Personal Data required to carry out these purposes and will adhere to the Data Privacy Framework Principles for as long as we retain Personal Data.

Access

All Data Subjects have the right to access the Personal Data covered by this policy that Imprivata holds about them. Additionally, if Personal Data is inaccurate or has been processed in violation with the Data Privacy Framework, Data Subjects have the right to access their Personal Data to correct it, amend it or delete it.

To request access to, or correction, amendment or deletion of, Personal Data, a Data Subject should contact us at: privacycommittee@imprivata.com. Imprivata will cooperate with all reasonable requests to assist Data Subjects to exercise their rights under the Data Privacy Framework, except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, or where the rights of persons other than the Data Subject would be violated.

Recourse, Enforcement and Liability

Imprivata’s participation in the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework is subject to investigation and enforcement by the Federal Trade Commission. In compliance with the Date Privacy Framework Principles, Imprivata commits to resolve complaints about your privacy and our collection or use of your Personal Data.

EU and Swiss individuals with inquiries or complaints regarding this Policy should first contact: privacycommittee@imprivata.com.

Imprivata has further committed to cooperate with the panel established by the European Union data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Data Privacy Framework complaints concerning data transferred from the EU and Switzerland to the United States. If you do not receive timely acknowledgment of a complaint, or if we do not satisfactorily address your compliant, please visit the Data Privacy Framework website (https://www.dataprivacyframework.gov/s/article/How-to-Submit-a-Complaint-Relating-to-a- Participating-Organization-s-Compliance-with-the-DPF-Principles-dpf) for more information about how to contact your local DPA or the Swiss Commissioner.

In addition to the above dispute resolution mechanisms, Data Subjects may be able to invoke binding arbitration before the Data Privacy Framework Panel to be created by the U.S. Department of Commerce and the European Commission, under certain conditions.

Imprivata agrees to periodically review and verify our compliance with the Data Privacy Framework Principles, and to remedy any issues that arise out of failure to comply with the Data Privacy Framework Principles. We acknowledge that failure to provide an annual self-certification to the U.S. Department of Commerce will remove Imprivata from the Department’s list of Data Privacy Framework participants.

What happens if Imprivata changes this Policy?

Imprivata may modify this Policy from time to time, consistent with changes to the requirements of the Data Privacy Framework Principles, or changes within our organization. If Imprivata changes this Policy, we will provide Data Subjects appropriate notice regarding such modifications by highlighting the change on our Site, or by emailing Data Subjects’ email addresses of record.

How can I contact Imprivata about this Policy?

Should you have any questions or concerns about this Policy or need to update certain Personal Data, please contact Imprivata at privacycommittee@imprivata.com.