D4 LLC is a limited liability corporation organized under the laws of the State of New York, USA. D4 LLC (“D4”) is engaged in the businesses of information and data management and eDiscovery and litigation support services. D4 has operated continuously in this industry since 1997.
The industries of eDiscovery and litigation support are generally recognized to include multiple services for the legal community in US litigations and arbitrations, government investigations, and internal corporate compliance investigations. Those services include technology and infrastructure services, paper and data acquisition, computer forensic services, data mining and data analytics, consulting, hosting, and production services. D4 collects data pursuant to instructions from its customers and clients that are associated with responses to discovery requests in civil litigations, arbitrations, and investigations.
In the course of its work, D4 collects or receives emails and files from client corporations, from individuals, and from individuals on behalf of the corporations which employ them. The emails and files themselves contain, according to the definition below, a variety of personal and business data and information, and sometimes sensitive personal data.
D4 itself has offices globally. D4 clients include law firms, corporations, and individuals who are employed, reside or do business globally. D4 recognizes that legal principles of privacy in the USA differs from legal principles of privacy in many other nations.
Therefore, D4 has formulated the following principles and procedures for maintaining the privacy of individuals for the data entrusted to it.
These principles and procedures are designed to secure for its clients and their employees the privacy protections of the US-EU Privacy Shield and the Swiss Safe Harbor protocol. These principles and procedures are also designed to inform any visitors to D4’s website the type of information that may be collected and how it may be used.
“Personal data” and “personal information” are data about an identified or identifiable individual that are within the scope of the EU Privacy Directive, received by an organization in the United States from the European Union, and recorded in any form.
“Sensitive personal data” is data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information concerning the sex life of an individual.
“Processing” of personal data means any operation or set of operations which is performed upon personal data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.
PRINCIPLES FOR EU-US PRIVACY SHIELD AND SWISS SAFE HARBOR
D4 is committed to comply with the EU-US Privacy Shield Principles and the US-Swiss Safe Harbor Framework. D4 commits to respect for the privacy concerns and regulations of any nation in which it or its clients may operate.
D4 informs individuals subject to the EU-US Privacy Shield that they have the right to access their personal data, and the right to be informed of the purposes for which their personal data is being collected or used.
D4 informs individuals subject to the EU-US privacy shield when data is transferred to third parties according to the purpose for which the personal data was originally being collected or used.
D4 informs individuals subject to the EU-US privacy shield that they may opt out of collection or use of personal data, or that they may opt in or out for personal data or sensitive personal data from being used in the manner it was originally intended or in a materially different manner.
D4 informs individuals subject to the EU-US privacy shield that they may opt out of onward transfer of personal information to third parties, or with respect to onward transfers, that they may opt in or out for personal data or sensitive personal data from being used in the manner it was originally intended or in a materially different manner.
Individuals afforded the protections of these policies may have access to their personal information. If that information is incorrect, D4 will seek to provide ways to correct or update it accordingly, subject to the reasons for which the personal data was acquired or processed. D4 will take reasonable precautions to verify security, identity, and purpose before providing such access.
D4 commits to secure and manage personal data in a manner that maintains its integrity to the original data preserved and collected.
LIMITS TO SCOPE
D4 commits to work with its individual and corporate clients and their employees to limit the preservation, discovery or other processing of personal data to the smallest possible scope that is necessary to support or resolve a claim or defense of a legal dispute that may be the basis of D4’s engagement.
LIMITS TO DURATION
D4 commits to work with its individual and corporate clients and their employees to limit the duration for which personal data may be retained to the smallest duration necessary to support or resolve a claim or defense of a legal dispute that may be the basis of D4’s engagement.
REQUIREMENTS FOR ONWARD TRANSFERS
In any onward transfer of personal information pursuant to these policies, D4 attempts to ensure that the onward transferee has copies of D4’s policies and procedures of its own privacy requirements for that particular matter, is compliant with the EU-US privacy shield, subjects itself by contract or protective order to the same requirements of notice, choice, transparency, security, data integrity, onward transfer, complaint and enforcement, and/or undertakes an appropriate contract or Protective Order with legal enforceability in the US. Included in any contract or protective order, D4 will seek to ensure that it contains requirements for the transferee to notice D4 and the data subject should it be unable to meet its requirements under these policies. In situations in which an onward transferee cannot meet its continuing requirements, D4 will seek to regain control or other methods to retain compliance with these policies.
D4 INFORMATION SECURITY
Among other security methods, D4 facilities are physically secured alarm security and restricted employee card key access. The D4 data center is secured with biometric, physical, and procedural security and is continuously staffed. D4 is attested SSAE 16 SOC2, SOC3 and undergoes independent third-party security audits and testing. D4 staff undergo background checks and routine training on security measures, including training against active persistent threats.
D4 commits to transparency with clients, data subjects, other data controllers, onward transferees, DPAs, its independent dispute agency at the BBB, and US regulatory authorities with information about its policies, procedures and activities with respect to notice, consent, preservation, collection, use, storage, security, transfer, disposition, continuing compliance, and/or disputes or inquiries about personal data.
COMPLAINTS, INQUIRIES AND ENFORCEMENT
If you make an inquiry or complaint to D4 with respect to the Privacy Shied, D4 agrees to respond to you within 45 days. There is no cost to request information or resolve an issue. If you are not satisfied with the inquiry or response, you have a means for independent recourse for further investigation and resolution. You may contact this individual for inquiries or complaints:
Chief Operating Officer, D4 LLC, 222 Andrews Street, Rochester NY 14604 (585) 385-4040 or write to [specified mailbox email@example.com]
D4 commits to refer unresolved privacy complaints under the EU-US Privacy Shield Principles to BBB EU PRIVACY SHIELD, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus.
If you submit a complaint to a data protection authority (DPA) in the EU, the US Department of Commerce has committed to receive, review and undertake best efforts to facilitate resolution of the your complaint and to respond to your DPA within 90 days. D4 commits to cooperating with your DPA and the US Department of Commerce for such review and resolution. D4 commits to binding arbitration in the event other recourse mechanisms are unsatisfactory to you.
D4’s commitment to resolution of disputes and binding arbitration are enforceable under US law. Inquiries or complaints may be made directly to the US Department of Commerce or to the US Federal Trade Commission.
INFORMATION PROVIDED TO D4 THROUGH OUR WEBSITE
D4 operates a website at www.d4discovery.com. You may browse non-password-protected sections of the D4 website without providing us with personal information. D4 does not collect personal information such as email address when you browse. However, your browser may provide us with certain information about your computer’s browser type, operating system and IP address, your access date and time, and your referring and exiting URLs.
To access certain content on the D4 website, or to register for D4 events or to sign up for D4 publications, or to apply for employment online, D4 asks that you register on the website. Registration includes name, address, telephone number, email address, organization, and some information about your role and your organization. You may choose not to provide this information and therefore not access certain content, register for events or publications, or apply online for employment. The website provides further information for you to do these things by calling or mailing us.
D4 web servers place a small data file or "cookie" on the hard drive of your computer when you first connect to the D4 site. The cookie allows D4 to recognize your computer, on return visits, to study website traffic patterns, to improve our website, and to improve and develop the services that we provide.
D4 uses “web beacons” (also known as Internet tags, pixel tags and clear GIFs) that allow D4 to collect web log information. A web beacon is a graphic on a web page or in an e-mail message designed to track pages viewed or messages opened. The Using these, the website recognizes some non-personal information, such as the date and time you visited our site, the pages you visited, the type of browser you are using, and the type of operating system you are using, D4 may also include web beacons in promotional e-mail messages in order to determine whether messages have been opened.
D4 does not track its users over time or across third party websites and therefore does not respond to Do Not Track (DNT) signals.
The information that is provided to D4 when you browse our website is used by D4 solely for internal purposes including evaluation of site use, assessment of site performance, improvement of site content, improvement and development of D4 products and services. D4 does not use this information to target individuals for marketing unless you register on our website.
When you register on the D4 website for a particular purpose, D4 uses your information for the purposes for which it was provided, which may include contacting you and providing you with the information that you have requested. You may opt out of further communication by using website or email links or by contacting firstname.lastname@example.org
D4 may transfer information we have about you in the event we sell or transfer all or a portion of our business or assets. Should such a sale or transfer occur, we will use reasonable efforts to try to require that the transferee use information you have provided through this website in a manner that is consistent with a website privacy notice.
D4 self-certifies its compliance with the EU-US Privacy Shield and the US-Swiss Safe Harbor Framework.
D4’s Policy Committee for International and EU Privacy Concerns is D4 General Counsel, D4 Chief Operating Officer, D4 Chief Client Officer and CISSP, D4 Director of Information Technology Services, and D4 Senior Vice President of Discovery Engineering. Contact to that team is through D4 Chief Operating Officer, D4 LLC, 222 Andrews Street. Rochester, NY 14604.
D4 operates a formal Change Control Board consisting of individuals from every aspect of D4’s management and operations. These principles and procedures are submitted to D4’s Change Control Board as of the date below.
D4 CONTACTS REGARDING THIS POLICY AND ITS VERSIONS:
1. Corporate Officer: John Rubens, Chief Operating Officer, (585) 385-4040 email@example.com D4 LLC, 222 Andrews Street, Rochester NY 14604
2. Corporate Representative: Charles Kellner, Senior Vice President Discovery Engineering, (401) 694-1005 firstname.lastname@example.org D4 LLC, 222 Andrews Street, Rochester NY 14604
3. Privacy@d4discovery.com is an email distribution list that includes the individuals above plus D4’s General Counsel, Manager of Information Technology, and Chief Client Officer and CISSP.
Version 1.1 September 26, 2016