Onit complies with the EU-U.S. Privacy Shield Framework (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Information (as defined below) within the scope of the Onit’s Privacy Shield certification and transferred from the European Union and the United Kingdom , as applicable to the United States in reliance on Privacy Shield. Onit has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such Personal Information. If there is any conflict between the terms in this Privacy Shield Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/list.
For purposes of this Privacy Shield Policy:
- “Personal Information” means any information that (i) is transferred from the European Union or the United Kingdom to Onit in the United States; (ii) is about an identified or identifiable individual; and (iii) is recorded in any form.
- “Data Controller” means an entity that alone or jointly with others determines the purposes and the means of the processing of Personal Information.
- “Data Processor” means an entity that processes Personal Information on behalf of a Data Controller in accordance with the Data Controller’s instructions.
As part of Onit’s Web-based applications, Onit’s customers (and their designees, including other service providers to such customers) are permitted to submit electronic data and information, including personal data, to Onit’s servers. In this context, Onit acts as a data processor and does not determine how its customers’ data is utilized in Onit’s servers and its customers are the Data Controllers. Onit does not choose or determine the types of data that are submitted to Onit’s servers, and any access to or use of such data by Onit is in connection with completing the contractual obligations of Onit, as data processor, to its customers. As part of Onit’s professional services operations, Onit processes data and information, including personal data, on behalf of its customers. In this context, Onit acts as a data processor on behalf of its customers and its customers are the Data Controllers.
Where Onit acts as a data processor, Onit does not have a direct relationship with individuals whose Personal Information Onit processes in the US. In these circumstances, Onit’s customers are responsible for providing the required notice and choice to individuals.
Personal Information Collected by Onit
Content and information submitted by a user is controlled by Onit’s customers, as described above. Here are some examples of content and information collected by Onit (but please note, these are only examples and there may be others): first and last name, email address, phone number, other contact information, company you work for, business unit you belong to, and other types of information.
Onit also collects Non-Personally Identifiable Information from Users of the services, including without limitation: Internet protocol addresses, profile information, aggregate User-data, demographic information, geographical information, browser types, operating system types, and usage statistics. This Non-Personally Identifiable Information is used to manage the services, track services usage, and improve the services. This Non-Personally Identifiable Information may be shared with third-parties to provide more relevant services and third party content to users. User IP addresses may also be recorded for security and monitoring purposes.
How does Onit Use your Personal Information?
Personal Information is used by Onit for the following purposes:
- to send you requested information on our products and services;
- to provide you with information about new features, products and services;
- to provide support to you in connection with your use of the Onit products, including notices of system downtime;
- to provide the services, products and support to our customers;
- to collect feedback on your use of our products and services;
- to help us improve our products and services or develop new products or services; or
- to comply with applicable laws or regulations.
Transfer of Personal Information to Other Parties
Onit does not sell any Personal Information to third parties. Onit does share Personal Information in the following circumstances:
Business Partners of our Customers
Onit discloses Personal Information to business partners of our customers as directed by our customers, or where we believe it is necessary to provide a service which a customer has requested, or as otherwise authorized or directed by you. Examples include:
- integrations to third parties which host systems for Onit customers, such as AdobeSign and Salesforce.
- if our customer is a legal department, their vendors receive information related to e-billing
- if our customer is a law firm or vendor, its billing information (including the names and rates of its employee) is shared with its customer
Authorized Service Providers
Onit may disclose your Personal Information to its affiliates and service providers it has retained to perform services on its behalf. We require service providers to whom we disclose Personal Information and who are not subject to laws based on the European Union Data Protection Directive to either (i) subscribe to the Privacy Shield principles or (ii) contractually agree to provide at least the same level of protection for Personal Information as is required by the relevant Privacy Shield principles.
Legal Requirements and Business Transfers
Onit may disclose Personal Information (i) if we are required to do so by law or legal process, (ii) in response to law enforcement authority or other government official requests, (iii) in connection with an investigation of suspected or actual illegal activity or (iv) in the event that Onit is subject to a merger or acquisition to the new owner of the business. Disclosure may also be required for company audits or to investigate a complaint or security threat. When Onit discloses Personal Information to its third-parties as described above, we may be liable if these third parties process your personal information in a manner inconsistent with the Privacy Shield Principles and we are responsible for the event giving rise to the damage.
Onit implements commercially reasonable security measures designed to protect your Personal Information.
How to Access your Personal Information And Enforcement
Onit reviews its compliance with this Privacy Shield Policy to verify that the assertions made in it are true and that the practices the Privacy Shield Policy contains are implemented correctly. Onit will investigate any breach of this Privacy Shield Policy that has been reported to Onit.
In circumstances where Onit acts as a Data Processor, individuals should submit any requests to access their Personal Information or complaints concerning the processing of their Personal Information to the Onit customer that originally collected their information in accordance with the customer’s relevant dispute resolution mechanism (if available). Onit will participate in the customer’s dispute resolution process at the request of the individual.
If the issue cannot be resolved through the customer’s internal dispute resolution mechanism, the individual may submit the request or complaint to Onit by emailing us at [email protected].
If our response does not address your concern, you can contact JAMs here (https://www.jamsadr.com/eu-us-privacy-shield), which provides an independent third-party dispute resolution body based in the United States. If neither Onit nor JAMs resolves your complaint, you may have the possibility to engage in binding arbitration through the Privacy Shield Panel. Also, Onit’s commitments under the Privacy Shield are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
How to Contact Us
Please address any questions or concerns regarding this Privacy Shield Policy or Onit’s practices concerning Personal Information by:
Emailing our privacy contact at [email protected].
Attention: Office of Privacy & Security
1360 Post Oak Blvd.
Houston, Texas 77056
This Privacy Shield Policy was last revised Feburary 18, 2019.