OD Consultancy Ltd trading as PROJECTFUSION (“we”, “us”, or “our”) provide cloud and customer hosted Data Rooms that allow our clients to share files in a secure environment for business processes, including due diligence, corporate governance, regulatory compliance, litigation, procurement and HR (“Data Rooms”).
Here are the details that the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, known as the General Data Protection Regulation (GDPR) says we have to give you as a ‘data controller’:
Our site address is: all domains ending in projectfusion.com or safedrop.com.
Our company name is: OD Consultancy Ltd, trading as Projectfusion
Our registered address is: Innovation Reception Innovation Way, Discovery Park, Sandwich, Kent, England, CT13 9FF
Our nominated representative is: Angus Bradley and they can be contacted at +44 207 739 4252.
We’ve done our best to keep this simple. If you’d like to discuss any aspect of this, please email email@example.com and we’ll talk you through things.
This document was substantially updated in May 2018.
Customer: a legal entity with whom Projectfusion has an Agreement to provide the Data Rooms Service
Customer Data: data stored in and generated through the use of the Data Room, including Materials, User information, metadata, and logs.
Materials: documents, images, video and any other material that is stored in the Data Room
User: an individual authorized by the Customer to access the Data Room
User Support Information: name, email address and sometimes IP address of a User who has contacted Projectfusion for support
The following terms are used as defined in the EU General Data Protection Regulation (GDPR):
Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
Personal Data: any information relating to an identified or identifiable natural person (“Data Subject”)
Processor: a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller
Third Party: a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorized to process Personal Data
Data We Process
We may collect and process the following types of Customer Data in order to provide and support the Data Rooms:
User Information: The Virtual Data Room requires minimal information from Users for the purpose of authentication and communication. Personal Data is limited to the name, email address, and IP address. Under certain circumstances we use “cookies” to enable you to sign in to our services and to help personalize your online experience. A cookie is a small text file that is placed on your hard disk by a Web page server. Cookies contain information that can later be read by a web server in the domain that issued the cookie to you. Most computers and some mobile web browsers automatically accept cookies but, if you prefer, you can change your web browser to prevent that or to notify you each time a cookie is set.
Metadata: User activity within the Virtual Data Room is automatically logged, e.g. login time, location, Materials accessed. These logs are available to the Customer via the administrator portal for the purpose of monitoring behaviour and investigations.
Materials: The Materials uploaded to the Virtual Data Rooms by Users may contain Personal Data. We do not access information within the Materials except in limited circumstances upon the Customer’s explicit and specific request for support, and with Customer permission.
Purposes for Processing
We process Customer Data for the following purposes:
- To provide & enhance our service
- To provide insights and statistics on an aggregated basis to help our Customers measure their performance, better understand their customers and improve their product and service offerings
- To provide a security audit trail of access for our Customers, showing which Users have looked at which Materials. This includes username, user email address, IP address and what action the user took.
- To respond to Customer requests for support or assistance
With regard to Customer Data, PROJECTFUSION acts as a Processor on behalf of Customers.
Metadata after Data Room closure
Once a Data Room has closed we become a Data Controller in common with respect to the Metadata. We keep Metadata for up to 7 years in encrypted storage in case it is required for security breach analysis. We will delete Metadata on Customer request.
Control and processing of User Support Information
We are a Controller of User Support Information. We process this information to provide support for Data Rooms. Information is stored on support tools zendesk.com and intercom.com.
Under GDPR PROJECTFUSION will ensure that your Personal Data is processed lawfully, fairly and transparently, without adversely affecting your rights. We will only process your Personal Data where it is necessary for the performance of a contract to which you are a party or for the purposes of the legitimate interests pursued by us or a third party, or where another of the lawful bases set out under GDPR applies and only in the following circumstances:
a) you use or attempt to use a data room
b) you view a safedrop
c) you contact us for support
d) your Personal Data is contained within Customer Data.
If you do not want PROJECTFUSION to use the Personal Data for any of the reasons set out above, please let us know by contacting firstname.lastname@example.org, and we will delete your Personal Data from our systems. You will no longer be able to use the Data Room service after this.
How we protect data
PROJECTFUSION has been in continual development since 1999. As a result, it is a proven system that has helped facilitate thousands of secure file shares. We are regularly audited by a UK government approved auditor, and have been accredited to the ISO27001 security standard. This means we have lots of security protocols, including staff screening, standardised rollout/testing, regular threat assessments and reviews, and a well-maintained Risk Register.
The highest levels of security are applied to all PROJECTFUSION servers, including regular 3rd party audits, IDS (Intrusion detection), regular Nessus scans, strict server access restrictions, and 128-bit SSL encryption for all data transfers.
All Customer Data is encrypted at rest and in transit at all times, and for European users is stored in Europe at all times. All access to Personal Data is protected by a minimum of username/password, two factor authentication (“2FA”) and IP restrictions, backed by tamperproof audit trails that record all administrator activity.
User Support Information is encrypted in transit, and stored with Intercom (https://docs.intercom.com/pricing-privacy-and-terms/data-protection/how-were-preparing-for-gdpr) who are a US based entity certified under the EU-US Privacy Shield for data transfers. All access to information stored on Intercom is protected by a minimum of username/password and 2FA.
We restrict access to personal information to PROJECTFUSION employees who need to know that information in order to operate, develop or improve our services. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations.
We will only keep User Support Information for as long as we need to, in order to use it as described above, and/or for as long as we have your permission to keep it. In any event, PROJECTFUSION will conduct an annual review to ascertain whether we need to keep User Support Information. User Support Information will be deleted if we no longer need it.
We are allowed to disclose your data in the following circumstances:
- If we want to sell our business, or our company, we can disclose it to a potential buyer;
- We can disclose it to other businesses in our group;
- We can disclose it if we have a legal obligation to do so, or in order to protect other people’s property, safety or rights;
- We can exchange information with others to protect against fraud or credit risks.
We may contract with third parties to provide services to you on our behalf. These may include payment processing, search engine facilities, advertising and marketing. In some cases the third parties may require access to some or all of your data. These are the third parties that have access to your data: Intercom (intercom.com), Zendesk (zendesk.com), Stripe (if you pay online).
Where any of your data is required for such purpose, we will take all reasonable steps to ensure that your data will be handled safely, securely and in accordance with your rights, our obligations and the obligation of the third party under GDPR and the law.
Data Subject Rights
PROJECTFUSION acts as a data Processor on behalf of Customers. Customers have primary responsibility for interacting with you with regard to Personal Data, and the role of PROJECTFUSION is generally limited to assisting Customers as needed.
Access, Correction, Amendment or Deletion Requests: PROJECTFUSION shall promptly notify a Customer if PROJECTFUSION receives a request from a Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. PROJECTFUSION shall not respond to any such Data Subject request without the Customer’s prior written consent except to confirm that the request relates to that Customer. In the case of a Data Subject requesting access to, correction, amendment or deletion of that person’s Personal Data stored in User Support Information we respond promptly and facilitate the request.
Handling of Complaints: Data Subjects may lodge a complaint about processing of their respective Personal Data by contacting the relevant Customer or the PROJECTFUSION Privacy department at the email address email@example.com. PROJECTFUSION shall promptly communicate the complaint to the Customer to whom the request relates.
Customers shall be responsible for responding to all Data Subject complaints forwarded by Projectfusion, except in cases where a Customer has disappeared factually or has ceased to exist in law or become insolvent. Where PROJECTFUSION is aware of such a case, it undertakes to respond directly to Data Subjects’ complaints within thirty (30) days, including the consequences of the complaint and further actions Data Subjects may take if they are unsatisfied by the reply.
Regulatory Inquiries and Complaints: PROJECTFUSION shall, to the extent legally permitted, promptly notify a Customer if it receives an inquiry or complaint from a data protection authority in which that Customer is specifically named. Upon a Customer’s request, PROJECTFUSION shall provide the Customer with cooperation and assistance in relation to any regulatory inquiry or complaint involving PROJECTFUSION’s processing of Personal Data.
Changes to this Statement
We may change this statement from time to time, and if we do we will post any changes on this page. If you continue to use the Data Room after those changes are in effect, you agree to the revised policy. This document was last updated in May 2018.
Please feel free to contact us if you have any questions about PROJECTFUSION’s data protection commitments or practices. You may contact us at firstname.lastname@example.org or at our mailing address below: