DevFactory FZ LLC (“DevGraph”) complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from European Economic Area member countries (“EEA”), the United Kingdom (“UK”), and Switzerland (“Personal Data”).
The Privacy Shield Principles require that those who collect and determine the purposes and the means of the processing of Personal Data adhere to certain requirements to comply with the Privacy Rules. The specific functions of a Data Controller depend on the laws of each member state of the EEA, of the UK and of Switzerland. However, because DevGraph does not collect or determine the use of any Personal Data stored on its servers in connection with the Customer Applications, and because it does not determine the purposes for which such Personal Data is collected, the means of collecting such Personal Data, or the uses of such data, DevGraph is not acting in the capacity of a Data Controller and (a) does not have the associated responsibilities under the EU Directive or the US-EU Privacy Shield Framework, and (b) has those associated responsibilities only to the limited extent they have been imposed on data processors under the Swiss Act or the U.S. – Swiss Privacy Shield Framework.
Customer Agreement and Security
DevGraph and each Customer located in the EEA, UK or Switzerland will enter into an agreement that specifies each party’s role in complying with the EU Directive, the Swiss Act, and the Privacy Shield Principles, as applicable. The contract with such a Customer will also specify that the Customer is responsible for security measures with respect to the Customer Application and Personal Data accessible via the Customer Application. Although DevGraph has implemented commercially reasonable security measures to protect data stored on its servers, Customer and its end users are ultimately in control of whether the Personal Data associated with a Customer Application is made available to third parties through such Customer Application. DevGraph will comply with Customer’s instructions with respect to the return or destruction of Personal Data stored on DevGraph’s servers.
In its role as a processor of Personal Data on behalf of its Customers, DevGraph is not able to or required to apply all of the Privacy Shield Principles to Personal Data subject to the EU Directive or the Swiss Act that is received for processing from Customers or end users, except to the limited extent the Privacy Shield Frameworks have been imposed on data processors. Subject to that qualification, DevGraph’s role as a data processor is to assist the Customer, at the Customer’s request, in complying with its obligations under the EU Directive and the Swiss Act.
DevGraph requires that its Customers located in EEA, the UK or Switzerland comply with their obligations under the Privacy Rules prior to the transfer of any such Personal Data from the EEA, UK or Switzerland to the United States in connection with a Customer Application, including compliance with the obligations to provide the notices and obtain the consents required under the EU Directive and the Swiss Act with respect to Personal Data. DevGraph may be required to disclose Personal Data in response to lawful request by public authorities, including to meet national security or law enforcement requirements.
DevGraph requires that its Customers located in the EEA, UK or Switzerland comply with their obligations under the Privacy Rules prior to the transfer of any such Personal Data from the EEA, UK or Switzerland to the United States in connection with a Customer Application, including compliance with the obligations to provide individuals the opportunity to choose (opt out) whether their Personal Data is (1) to be disclosed to a third party or (2) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual as required under the EU Directive and the Swiss Act with respect to Personal Data.
Agents, technology vendors and/or contractors of DevGraph or DevGraph affiliates may have access to an individual’s Personal Data on a need to know basis for the purpose of performing services on behalf of DevGraph or providing or enabling elements of the services. All such agents, technology vendors and contractors who have access to such information are required to keep the information confidential and not use it for any other purpose than to carry out the services they are performing for DevGraph or as otherwise required by law.
Accountability for Onward Transfer
Prior to disclosing Personal Data to a non-agent third party, we shall notify the individual of such disclosure and allow the individual the choice (to opt out) of such disclosure. DevGraph shall ensure that any third party to which Personal Data may be disclosed subscribes to the Privacy Shield Principles or is subject to laws providing the same level of privacy protection as is required by the Privacy Shield Principles and agrees in writing to provide an adequate level of privacy protection. DevGraph may be held responsible in cases of onward transfers to third parties.
Data Integrity and Purpose Limitation
DevGraph is not authorized to access or manipulate Personal Data located on its servers other than as necessary to provide services to a Customer or as otherwise permitted or directed by such Customer. DevGraph takes reasonable steps to assure that Personal Data transferred from the EEA, UK or Switzerland to the United States and stored on DevGraph’s servers in connection with a Customer Application is maintained in a reliable, accurate and complete state, subject to any deficiencies in the state in which such Personal Data was received.
The control, access, and security of the Personal Data stored on the DevGraph servers in connection with a Customer Application is in the direct and primary control of, and subject to the security measures undertaken by, the Customer with respect to such Customer Application. Subject to the foregoing, DevGraph has in place information security procedures and commercially reasonable security measures designed to protect Personal Data stored on its servers from loss, misuse, unauthorized access, disclosure, alteration and destruction. Customers will be notified of any breach with respect to Personal Data of security measures implemented by DevGraph of which DevGraph becomes aware. Any compromise of security or potential compromise of security of which a Customer becomes aware and any inquiries concerning security should be reported promptly by such Customer to DevGraph. Contact information is provided below.
Access and Recourse
DevGraph requires that its Customers located in the EEA, UK or Switzerland comply with their obligations under the Privacy Rules prior to the transfer of any such Personal Data from the EEA, UK or Switzerland to the United States in connection with a Customer Application, including compliance with the obligations to provide the individual’s right to access their Personal Data required under the EU Directive and the Swiss Act.
DevGraph Customers shall allow an individual access to their Personal Data and allow the individual to correct, amend or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated.
Enforcement and Dispute Resolution
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, DevGraph is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.
In compliance with the Privacy Shield Principles, DevGraph commits to resolve complaints about your privacy and our collection or use of your Personal Data transferred to the United States pursuant to Privacy Shield. EEA, UK and Swiss individuals with Privacy Shield inquiries or complaints should first contact us at:
DevFactory FZ LLC
Data Protection Officer
401 Congress Avenue, Suite 2650
Austin Texas 78701 USA
- Human Resources Data. If your complaint involves human resources data transferred to the United States from the EEA, UK or Switzerland in the context of the employment relationship, and DevGraph does not address it satisfactorily, DevGraph commits to cooperate with the panel established by the data protection authorities (DPA Panel) and the Swiss Federal Data Protection and Information Commissioner, as applicable and to comply with the advice given by the DPA panel and Commissioner, as applicable with regard to such human resources data. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Complaints related to human resources data should not be addressed to the BBB EU PRIVACY SHIELD.
- Non-Human Resources Data. DevGraph has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD. If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbb.org/EU-privacy-shield/for-eu-consumers for more information and to file a complaint. This service is provided free of charge to you.
If your Privacy Shield complaint was not resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction
DevGraph has further committed to cooperate with EU data protection authorities and the Swiss Federal Data Protection and Information Commissioner and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship. If your complaint is not satisfactorily addressed, and your inquiry or complaint involves human resource data, you may have your complaint considered by an independent recourse mechanism: for EU/EEA Data Subjects, a panel established by the EU data protection authorities (“DPA Panel”), and for Swiss Data Subjects, the Swiss Federal Data Protection and Information Commissioner (“FDPIC”). To do so, you should contact the state or national data protection or labor authority in the jurisdiction where you work. DevGraph agrees to cooperate with the relevant national DPAs and to comply with the decisions of the DPA Panel and the FDPIC. The services of EU DPAs are provided at no cost to you.
Last Updated: May 1, 2020