1.1 We are Centrix Networking Limited, trading as “Centrix Software”. We are a company registered in England and Wales with registered number 3674795, and our registered office is at Centrix House, 5 Oxford Road, Newbury, Berkshire RG14 1PD, United Kingdom.
(a) our “Customer”, we mean the business (whether a natural person or a legal entity) we contract with to provide our services;
(b) a “Customer Administrator”, we mean those of our Customer’s officers, employees and agents who have user accounts enabling them to log in to, configure and administer our services;
(c) a “Customer User”, we mean those of our Customer’s officers, employees and agents whose personal data we collect on behalf of our Customer in the course of providing our services; and
(d) “Data Subjects”, we mean Customer Administrators, Customer Users and, if our Customer is a natural person, our Customer.
2 Responsibility for personal data
2.1 When we collect personal data and process it purely in the course of providing our services to our Customer, our Customer remains the data controller in respect of those personal data. We simply process those data on our Customer’s behalf in order to provide them with our services. Our online subscription agreement http://www.centrixsoftware.com/saas-ts-and-cs sets out our obligations to our Customer in respect of those personal data. We are not responsible for our Customers’ data privacy or security practices.
3 The personal data we collect, why we collect it and what we do with it
Data collected during registration
3.1 When our Customer creates an account with us, we require it to provide the contact details of at least one person who will be a Customer Administrator, in order to ensure that we have a named administrative and billing contact. Our Customer may also choose to create additional Customer Administrators through online administration facilities we provide as part of the Services. We collect appropriate contact information for each Customer Administrator, including his or her business email address, telephone number and postal address.
3.2 We use the information we collect during registration:
3.2.1 to perform administrative and billing tasks relating to the services we provide to our Customer, such as creating user accounts and raising invoices; and
3.2.2 to communicate with our Customer via the Customer Administrators about its account with us, and about our other products and services which our Customer may find of interest.
3.3 We do not make any other use of the information we collect during registration.
Data collected by our collection agent
3.4 Many of the services we provide involve us providing to our Customers insight into how their IT infrastructure is being used. In order to allow us to do that, our Customers install a piece of software we provide, called a “collection agent”, on their Customer Users’ PCs and other devices. As well as information about the Customer’s software and hardware, our collection agent gathers and sends to us certain information about Customer Users, including:
3.4.1 email addresses;
3.4.2 Active Directory usernames;
3.4.3 the software and hardware they use; and
3.4.4 the data and files they access.
3.5 We use the information collected by our collection agent to enable us to provide our services to our Customer. Additionally, to help us understand our Customers’ needs, and to help us identify trends in the market, we do create and analyse aggregated sets of anonymised statistical data based on the data collected by our collection agent, and we process Customer Users’ personal data to the extent necessary to create those anonymised data. We cannot identify any individual Customer User (or even Customer) from those anonymised data, either alone or by cross-reference to the raw data.
3.6 We do not use the information collected by our collection agent for any other purpose.
3.7 We delete the information we collect for a Customer using our collection agent 30 days after we cease providing our services to that Customer.
3.9 Cookies are small text files stored in a browser’s cache by our servers and which our servers can read when that browser accesses our site. The Information Commissioner’s website has more detail about how cookies work generally here http://ico.org.uk/for_the_public/topic_specific_guides/online/cookies.
3.10 In addition to the cookies set by our own site, we use a third party service called “LeadLander”. LeadLander attempts to identify the business (but not the individual) visiting our site by checking the site user’s IP address against its database. LeadLander also sets cookies to help it provide this service, and is able to use those cookies to track visitors across sites who use its services by IP address. However, the LeadLander services which we use do not collect any personal data.
4 Circumstances in which we share personal data with third parties
4.1 We share personal data relating to a particular Customer’s Customer Users with that Customer. We also share personal data with certain of our suppliers to the extent necessary to allow us to provide and market our own services, as described below. Except as described below, we do not share Data Subjects’ personal data with anyone else. In particular, we do not sell their personal data to list brokers or direct marketers. However, please note that our Customers may themselves choose to share with third parties their Customer Users’ personal data derived from reports produced using our services. In those circumstances, our Customer is the data controller and Data Subjects should refer to them.
Hosting of our systems
4.2 Many of our systems are hosted on Microsoft’s Azure platform in the Republic of Ireland and the Netherlands, and so we process personal data using their infrastructure. Microsoft has committed to keep those personal data within the European Economic Area, and will not transfer it elsewhere. Microsoft is a participant in the “Safe Harbor” data protection programme operated by the U.S. Department of Commerce, the European Union and Switzerland, and has received joint approval of its customer-facing data processing agreements from the EU Article 29 Working Party. Microsoft’s online services privacy statement can be found here: http://www.microsoft.com/privacystatement/en-us/OnlineServices/Default.aspx
Compliance and legal requirements
4.3 We may also from time to time share Data Subjects’ personal data:
(a) in confidence with our professional advisers (including our auditors and solicitors), only to the extent necessary to enable them to perform their services to us; or
(b) if we are required to do so by law or by order of a court with jurisdiction over us.
5 Export of personal data outside the EEA
5.1 In certain limited circumstances, we do export the personal data of Data Subjects outside of the EEA for processing. We only do that:
5.1.1 if our Customer is based outside of the EEA, to the extent necessary to provide our services to our Customer (for example, by providing access to reports generated by our systems); or
5.1.2 otherwise, only if there is a good reason to do so and where adequate safeguards (such as the U.S. “Safe Harbor” programme, or data processing agreements in EU-approved form) are in place.
6 Security of personal data
6.1 We protect our own systems with appropriate technical and organisational measures, including firewalls, access control systems, strong passwords, anti-virus software, and robust information security policies. We actively monitor our systems for signs of attack or intrusion.
6.2 However, there are certain aspects of the security of Data Subjects’ personal data processed by us which are beyond our control. In particular, we cannot control:
6.2.1 what our Customer does with information we provide to them in the course of providing our services;
6.2.2 security failures arising during transit across the public Internet; or
6.2.3 failures of security at an upstream technology provider affecting that upstream provider’s customers generally.
7 Data Subjects’ rights in respect of their personal data
7.1 Except for information which is specifically requested from us, our marketing communications and newsletters will always provide a reasonably obvious means of opting out of such communications in future. In any event, if any Data Subject wishes to stop receiving some or all marketing communications from us, he or she can let us know by email to firstname.lastname@example.org or by writing to our head office at the address above, for the attention of the compliance team.
7.2 If a Data Subject wishes to exercise his or her right to access his or her personal data held by us, the easiest and most efficient way to do so is to email email@example.com or write to our head office at the address above, for the attention of the compliance team. Please note that we may make a charge of up to £10 to cover our costs in responding to such requests. Where our Customer is the data controller in respect of the relevant personal data, we will refer any such request to our Customer.