Updated November 2020
Introduction: In order to provide its product and services, Torus Sphere has to collect certain information about individuals and organizations. This can include customers, suppliers, contacts and employees, as well as other individuals with whom Torus Sphere has a relationship. This document outlines how data must be collected, handled and stored to meet data protection standards.
Torus Sphere complies with the EU-U.S. Privacy Shield Frameworks and the Swiss-U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States. Torus Sphere has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view Torus Sphere's certification, please visit https://www.privacyshield.gov/.
The data protection policy ensures:
Applies to all data Torus Sphere holds relating to identifiable individuals. This can include:
This policy is designed to protect Torus Sphere and its customers from security risks.
Reputational damage Torus Sphere could suffer if unauthorized access is gained to sensitive data
Breaches of confidentiality. For example, information being distributed inappropriately
Failure to offer choice. Individuals should have a choice in how Torus Sphere uses data relating to them.
The General Data Protection Regulation describes how organizations like Torus Sphere must collect, handle and store personal information. It contains these 9 principles:
Lawfulness, fairness and transparency – Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose limitation – Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data minimization – Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy – Personal data shall be accurate and, where necessary, kept up-to-date.
Storage limitation – Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and confidentiality – Personal data shall be processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Accountability – The controller shall be responsible for, and be able to demonstrate compliance with, the GDPR.
Torus Sphere, Inc. complies with the Privacy Shield’s Principle regarding accountability for onward transfers. Torus Sphere, Inc. remains liable under the Principles if its onward transfer recipients process Personal Data in a manner inconsistent with the Principles, unless Torus Sphere, Inc. proves that it was not responsible for the event giving rise to the damage.
Within the scope of this privacy notice, if a privacy complaint or dispute cannot be resolved through Torus Sphere, Inc.’s internal processes, Torus Sphere, Inc. has agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure.
Subject to the terms of the VeraSafe Privacy Shield Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe under the Privacy Shield Dispute Resolution Procedure, please submit the required information to VeraSafe here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/
The Federal Trade Commission is the statutory body having jurisdiction to investigate claims against our organization regarding possible unfair or deceptive practices and violations of laws or regulations relating to privacy.
To the extent allowed by law, Customers located or residing outside the United States of America, or otherwise not subject to the laws or jurisdiction of this Country, irrevocably agree all disputes arising out of or in connection with this Agreement shall be finally settled by binding arbitration under the Rules of Arbitration of the International Chamber of Commerce by one arbitrator appointed in accordance with the said Rules. The language of the arbitral proceedings shall be English (or as determined between the Parties). Judgment upon any award(s) rendered by the arbitrator may be entered in any court having jurisdiction thereof. The arbitrator is authorized to include in the award an allocation to any Party of such costs and expenses, including reasonable attorneys’ fees, as the arbitrator shall deem reasonable.
All Torus Sphere employees have a responsibility to adhere to the policy.
The Executive Leadership Team (ELT) is ultimately responsible for ensuring Torus Sphere meets its legal obligations.
The Executive is responsible for:
The CTO is responsible for:
The Marketing Manager is responsible for:
For paper storage, sensitive documents should be stored in a locked drawer or filing cabinet when not in use.
Data stored on-line or on local servers and devices (electronically) must be protected from unauthorized access, accidental deletion, and malicious attempts to access.
Data stored in the Amazon Redshift warehouse will have additional security measures:
It is important Torus Sphere ensure the accuracy of relevant data.
All individuals who are the subject of personal data held by Torus Sphere are provided these rights:
Subject Access Requests should be made by e-mail.
It is the aim of Torus Sphere to process requests relating to these rights within 14 days.
The identity of the requester will be verified before information is distributed.
In certain circumstances, the regulations allow data to be disclosed to law enforcement agencies without the consent of the data subject. Torus Sphere will disclose data in these circumstances after ensuring the request is legitimate and after notifying the Board and the company’s legal advisers where necessary.
TORUS SPHERE appropriately secures its information from unauthorized access, loss, or damage while supporting the open, information-sharing needs of its business purposes.
To ensure the security of client data, TORUS SPHERE employees shall only access client data when necessary and with prior authorization either from the client or from TORUS SPHERE’s management.
Access to TORUS SPHERE’s client data shall be limited to those employees whose duties require such access, and only when they have a legitimate need for a job-related purpose.
All TORUS SPHERE’s Information is classified into one of four levels based on its sensitivity and the risks associated with disclosure. The classification level determines the security protections that must be used for the information. TORUS SPHERE also adheres to industry guidelines that identify Personally Identifiable Information (PII), also known as Sensitive Personal Information (SPI).
PII, as used in information security and privacy laws, is defined as any information that can be used to distinguish or trace an individual’s identity, such as social security number, date and place of birth, mother’s maiden name, national identification number, passport number, vehicle registration plate number, driver’s license number, face, fingerprints, handwriting, credit card numbers, identity, bank account numbers, genetic information, telephone number, login name, screen name, nickname, or handle.
When combining information, the classification level of the resulting information must be re-evaluated independently of the source information’s classification to manage risks.
The classification levels are:
TORUS SPHERE’s Information classified as Personally Identifiable Information is Restricted. PII includes, but is not limited to:
TORUS SPHERE’s Information is classified as Confidential if it falls outside the Restricted classification and is not intended to be shared freely within or outside TORUS SPHERE due to its sensitive nature and/or contractual or legal obligations.
Sharing of Confidential information may be permissible if necessary to meet the legitimate business needs of TORUS SPHERE. Unless disclosure is required by law (or for purposes of sharing between law enforcement entities), when disclosing Confidential information to parties outside TORUS SPHERE, the proposed recipient must agree (i) to take appropriate measures to safeguard the confidentiality of the information and (ii) not to disclose the information to any other party.
TORUS SPHERE’s Information is classified as Unrestricted if it falls outside the Restricted and Confidential classifications, and is not intended to be freely shared outside of TORUS SPHERE.
The presumption is that Unrestricted information will remain within TORUS SPHERE. However, this information may be shared outside of TORUS SPHERE if necessary to meet the legitimate business needs of TORUS SPHERE and the proposed recipient agrees not to re-disclose the information without consent from TORUS SPHERE.
TORUS SPHERE Information is classified as Publicly Available if it is intended to be made available to anyone inside and outside of TORUS SPHERE.
TORUS SPHERE staff and third-party associates are expected to:
An employee found to have violated this policy may be subject to disciplinary action up to and including termination of employment. A violation of this policy by a temporary worker, contractor, or vendor may result in the termination of their contract or assignment with TORUS SPHERE.
Term – Definition
Authorization – The function of establishing an individual's privilege levels to access and/or handle information.
Confidentiality – Ensuring that information is kept in strict privacy.
Integrity – Ensuring the accuracy, completeness, and consistency of information.
TORUS SPHERE's Information – Information that TORUS SPHERE collects, possesses, or has access to, regardless of its source. This includes information contained in hard copy documents or other media, communicated over voice or data networks, or exchanged in conversation.