Privacy model
Last updated
Last updated
This purpose of this document is to explain the data privacy guidelines that Paradime is subject to under various regulations, what that means from a customer perspective and what processes we need to follow.
To enforce that companies follow data privacy best practices, various countries and states in the world have developed various regulations. The main purpose of these regulations is to protect the right and interest of the individuals, whose data (that identifies the person uniquely i.e. PII or personally identifiable data) is being processed by a software vendor and in the performance of its activities further processed downstream by other vendors or sub-processors.
The primary regulations at play currently are:
GDPR (General Data Protection Regulation) - intended to protect the rights of EU and UK citizens
CCPA (California Consumer Privacy Act of 2018) - intened to protect the rights of the residents of California
SCC (Standard Contractual Clauses) - intended to protect the rights of EU and UK citizens when their data is exported / transferred from EU/UK to countries, which the EU does not deem to have the same level of safeguards for example USA. The Standard Contractual Clauses came into being as teh EU/US Privacy Shield was scrapped. The judgment in the Schrems II case issued by the European Court of Justice on Thursday 16 July 2020 found that Privacy Shield framework no longer provides adequate safeguards for the transfer of personal data to the United States from the EEA.
Each of the above regulations has their own definitions but most of the time they mean the same thing just worded differently. The following is our naive attempt to simply the jargon a bit.
In all the above regulations, there are always 3 parties / entities involved as follows:
a customer who is sharing their data by connecting to our systems
we, as software vendor, we are processing that data
we, also sometimes, are passing that data for onward processing to other sub-processors like other B2B SaaS vendors that we use to provide the Paradime platform experience
Thus, the following definitions would apply between us and our customer as follows under the different regulations:
Regulation | Customer | Paradime |
---|---|---|
GDPR | data controller | data processor |
CCPA | business | service provider |
SCC | data exporter | data importer |
According to regulations, process means read / access / store / edit / delete / transfer. When a customer uses the Paradime platform, different categories of PII gets processed in different ways as follows:
Type of PII | Kind of processing | Reason |
---|---|---|
Customer's Employee / Contingent Worker PII | read, access, store, delete, transfer | These are Paradime users. We access this PII data from the Customer's identity provider like Okta, Google SAML, etc. when the user / Customer's employee or contingent worker signs up or logs in to Paradime. The user or us can't edit this information on the Paradime platform. |
Customers own customer, prospect, job candidate, pre-prospect website visitor PII | read, access | Paradime is connected to the customers data warehouse and Paradime provides a SQL Workbench feature through which a Paradime user can query their own data warehouse. Depending on how their data warehouse is setup and what permissions the user has, the Customer's own customer data can get read and accessed within the SQL Workbench results tab. But we only hold this data temporarily in the user's web browser memory and not on our servers so upon page refresh the data is erased. This information is never transferred. |
Customers own customer data | read, access | Paradime is connected to the customers data warehouse and Paradime provides a SQL Workbench feature through which a Paradime user can query their own data warehouse. Depending on how their data warehouse is setup and what permissions the user has, the Customer's own customer data can get read and accessed within the SQL Workbench results tab. But we only hold this data temporarily in the user's web browser memory and not on our servers so upon page refresh the data is erased. This information is never transferred. |
A more complete list of all the information we process, the legitimate reason for us to do so can be found in our publicly available Privacy Policy.
Our Data Privacy Addendum is part of our Master Service Agreement (MSA) and both can found together below:
The most up to date list of sub-processors can be found in our publicly available Privacy Policy.