All data collected by our Clients through our servers including, but not limited to, submitter names, email addresses, all personally identifiable information, submitter abstracts, proposals, PowerPoints, PDFs, zip files, videos, images, registration details, CE/CME data, membership profiles, all form information or any other files or information (‘Data’) is confidential in nature. All such Data is the sole property of our clients, who each own all rights, title, and interest in the Data. Neither X-CD nor any host will sell, rent, or provide any client Data to any third-party services. X-CD agrees that it will (a) keep all Data in strict confidence; (b) not disclose Data to any third parties or to any of its employees not having a legitimate need to possess such Data, and any such employee will be bound by a confidentiality agreement or non-disclosure agreement with the Client; and (c) not use any Data for a purpose other than its intended purpose.
X-CD Obligations with Respect to Protection of Data
X-CD will implement and maintain appropriate technical and organizational measures to protect all Data against any breach of security leading to accidental or unlawful destruction, loss, alteration or unauthorized disclosure (a “Data Breach”). Such measures shall be consistent with industry standards. If X-CD becomes aware of a Data Breach, X-CD will notify the Client within 48 hours.
In addition, X-CD will create backups of the database 6 times per day and daily backups of the entire server. All backups will be held off-site. Additionally, X-CD will provide regular server maintenance and software upgrades in order to minimize service interruptions and downtime.
Furthermore, X-CD will at all times maintain a cyber insurance and business interruption insurance policy to cover a maximum of US$1,000,000.00 of all potential claims, in aggregate, for alleged or actual Data Breach occurring within its server or caused as a result of an action of an X-CD employee, for loss of server use, or any business interruption incurred by Client or any users of the Client’s, including without limitation, email delays or non-delivery, loss of business profits, loss of business information, or other pecuniary loss arising out of the use of or inability to use the Licensed Software, Custom Software, or Products or Services arising out of this Agreement.
In order to satisfy the EU General Data Protection Regulation (GDPR), X-CD has implemented a number of software changes. The fundamental change requires all client contacts, prior to submitting any personal information, to first agree to the system use terms and conditions, which are specifically designed by X-CD and our clients’ legal teams to satisfy the GDPR (sample below).
Without agreeing to the terms and conditions the contact cannot continue. At a minimum, each contact will acknowledge that they are:
- Submitting personal information, including abstracts, papers, PPTs, videos, handouts and other data, in order to participate in a Client conference;
- Submitting personal information in order to register to attend a Client conference;
- Submitting personal information to become or remain a member of the Client organization or society.
The contact must agree that they are submitting their personally identifiable information and are uploading their abstract and other data of their own free will, and they agree that they will not enter into any legal action against X-CD (the Data Processor as defined in the GDPR) or the Client (the Data Controller as defined in the GDPR) for any accidental or unlawful destruction, loss, alteration or unauthorized disclosure of their personal information, abstract, papers, PowerPoints or any other data. This acknowledgement is time-stamped and is kept in the system in the unlikely event that there is a GDPR complaint against any party.
In addition to the express consent provided by contacts, our clients must also agree that they will not collect from their submitters sensitive data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, national identification numbers, passport numbers, credit card numbers, biometric data for the purpose of uniquely identifying a person, data concerning health, data concerning a natural person’s sex life or sexual orientation, or data leading to discrimination, identity theft or fraud, financial loss, or damage to reputation, and that they will not collect any data from minors. This is not the full list of restrictions; clients are advised that they are responsible for the data they choose to collect and should consult their legal counsel if they have questions.
GDPR Requirements with Regard to Requests to Remove Data
Additionally, under the GDPR our clients are required to erase personal data without undue delay (i) if the data is no longer needed; (ii) if a contact objects to processing; or (iii) if the processing was unlawful. Where there has been a request to erase data, X-CD clients can immediately use the system backend tools to do so without our intervention.
GDPR Requirements Relating to Email
Email legislation under the GDPR is ambiguous at best. As such, we have taken it upon ourselves to develop an email management module that exceeds the standards set by the GDPR.
The system allows our clients to manage a user’s email preferences and obtain express consent for communications.
The system allows our client administrators to create as many consent categories as required. By default, the platform has a primary “Do Not Contact” category which excludes those who select it from receiving emails, except transactional emails, e.g. confirmation emails related to registration or submission of abstracts.
The system also allows our clients to target or exclude people from e-mailings according to the user’s consent categories.
All emails contain footer text (customized by the Administrator) which links to a screen with the consent categories and the status for that user. The user may view and update their consent status. A user may also update their consent status by logging into the system and updating their status.
X-CD strives to meet our customers’ security and compliance needs. If this attestation and summary does not suffice for your needs, please communicate directly with us and we will address any specific questions you may have.