Commitment to Privacy
SAS® Solutions OnDemand (“we”, “us” and “our”) is a SAS business unit offering software as a service (SaaS), enterprise hosting, remote managed services and other analytics solutions, and the subject-matter experts to manage them. We provide these solutions to organizations (“you” and “your”) and your employees, consumers, patients and students (“data subjects”) around the world.
The privacy of your data subjects is important to us. We are providing this policy to describe and explain our information practices and the measures we take to protect their privacy and comply with applicable law and our obligations. This policy also describes your choices regarding use, access and correction of your data subjects’ personal data so that you can better understand our practices and ensure that they are consistent with any privacy notices you have made available to them.
Scope of Policy
EU-US Privacy Shield Framework
SAS participates in, and has certified its compliance with, the EU-US Privacy Shield Framework, with respect to personal data received from European Union (EU) member countries by its SAS Solutions OnDemand business unit in the United States, in connection with SAS Solutions OnDemand’s enterprise hosting, SaaS, remote managed services and other analytics solution offerings (such personal data, “EU Personal Data”). SAS Solutions OnDemand is committed to subjecting all EU Personal Data received in reliance on the Privacy Shield Framework to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the US Department of Commerce’s Privacy Shield List. Please note that our Privacy Shield Framework certification does not apply to information collected by SAS from visitors to SAS.com, information collected by SAS in connection with individuals’ creation of a SAS Profile, or information collected by SAS through other offerings.
SAS Solutions OnDemand is responsible for the processing of EU Personal Data it receives under the Privacy Shield Framework and subsequently transfers to a third party acting as an agent on its behalf. SAS Solutions OnDemand complies with the Privacy Shield Principles for all onward transfers of EU Personal Data, including the onward transfer liability provisions.
With respect to EU Personal Data received by or transferred to SAS Solutions OnDemand, pursuant to the Privacy Shield Framework, SAS Solutions OnDemand is subject to the regulatory enforcement powers of the US Federal Trade Commission. In certain situations, SAS Solutions OnDemand may be required to disclose EU Personal Data in response to lawful requests by public authorities, including meeting national security or law enforcement requirements.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our US-based third-party dispute resolution provider (free of charge), at https://feedback-form.truste.com/watchdog/request.
Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
US-Swiss Safe Harbor Framework
SAS also participates in, and has certified its compliance with, the US-Swiss Safe Harbor Framework, as set forth by the US Department of Commerce, with respect to personal data received from Switzerland by its SAS Solutions OnDemand business unit in the United States in connection with SAS Solutions OnDemand’s enterprise hosting, SaaS, remote managed services and other analytics offerings (“Swiss Personal Data”). SAS has certified that its SAS Solutions OnDemand business unit adheres to the Safe Harbor Principles of notice, choice, onward transfer, security, data integrity, access and enforcement, with respect to Swiss Personal Data. Please note that SAS’ US-Swiss Safe Harbor certification does not cover personal data that may be collected through SAS.com, information collected by SAS in connection with individuals’ creation of a SAS Profile, or information collected by SAS through other offerings. For more information about the US-Swiss Safe Harbor Principles and program, or to access our certification statement, please visit the US Department of Commerce's US-Swiss Safe Harbor website.
Data Processed and Purposes of Processing
SAS Solutions OnDemand collects and processes two kinds of personal data: Customer Information and Client Information.
Customer Information is information that we receive from you, or from a third party at your direction, about your data subjects. We collect only the Customer Information that you provide to us or direct us to collect in order to provide services to you. Customer Information may include personal data about different types of individuals, including: consumers, employees, patients, students, donors, volunteers, business clients, suppliers and other business partners. Such personal data may include basic contact information, such as name, postal address, email address and phone number, as well as more sensitive personal information, such as financial information, personal health information, clinical trial data, demographic information, purchase information, market-research information, and employee and student performance information. Indeed, SAS Solutions OnDemand may obtain any type of data about any type of individual that you upload to our products, send to us through online or offline mechanisms, or direct us to collect from third-party aggregators, such as Dun & Bradstreet.
We operate under the assumption that it is your obligation as a data controller to notify individuals whose personal data may be included in your Customer Information about the personal data you collect and the purposes for which you collect it, to obtain their consent to our processing of their personal data, where required, and to ensure that such personal data is reliable for its intended use, accurate, complete and current. We have no direct relationship with the individuals whose personal data is included in Customer Information we process.
We collect and process Customer Information only for the purpose of providing services to you and in accordance with our agreements with you. In certain situations, we may supplement Customer Information provided by you with information from other sources. This is done only when you specifically request, and we agree to, such supplementation. This supplementation of Customer Information is for the sole purpose of providing services to you. We will retain Customer Information for the duration stipulated in our agreement with you, or longer, as necessary to comply with our legal obligations, resolve disputes or enforce our agreements.
Client Information is personal data about people in your organization, such as account managers and users, who interact with SAS Solutions OnDemand and its systems. Client Information usually is limited to name, work email address, work phone number and job title. We collect Client Information through online forms, email, phone and other written means that you use to provide it to us. We use Client Information to support your account, maintain our business relationship with you, respond to your inquiries and perform accounting functions.
Client Information may also include User Information. User Information is information generated by computers that interact with our systems. User Information may be collected through the following:
- Web server logs. In the process of administering this site, we maintain and track usage through web server logs. These logs provide information, such as what types of browsers are accessing our sites, what pages receive high traffic and the times of day our servers experience significant load. We use this information to improve the content and navigation features of our sites. Anonymized or aggregated forms of this data may be used to identify future features and functions to develop for the site and to provide better customer service.
We may also use User Information to help us prevent and detect security threats, fraud or other malicious activity, and to ensure the proper functioning of our products and services.
SAS Solutions OnDemand may additionally use Customer Information and Client Information for the following purposes:
- To maintain and upgrade a system. Our technical staff may require periodic access to services data that may include Customer Information or Client Information, to monitor system performance, test systems, and develop and implement upgrades to systems. Any temporary copies of such services data created as a necessary part of this process are maintained only for time periods relevant to those purposes.
- To address performance and fix issues. On occasion, we may develop new versions, patches, updates and other fixes to our programs and services, such as security patches addressing newly discovered vulnerabilities. In accordance with the terms of your order for services, we may remotely access a user’s computer, while that user observes, in order to troubleshoot a performance issue.
- To meet legal requirements. SAS Solutions OnDemand may be required to provide personal data to comply with legally mandated reporting, disclosure or other legal process requirements when we believe, in our sole discretion, that disclosure is necessary to protect our rights, or to respond to a government request.
If requested by you, and agreed to by SAS Solutions OnDemand, SAS Solutions OnDemand’s systems may be configured to enable you and your users to access other third-party websites whose privacy practices may differ from those of SAS and SAS Solutions OnDemand. If you or your data subjects submit personal data to any of those websites, such information is governed by their privacy statements. We encourage you and your data subjects to carefully read the privacy statement of any website you or your data subjects access through our systems.
Data Access and Correction; Choices for Limiting Use and Disclosure
The EU-US Privacy Shield Framework requires that EU data subjects have rights to access personal data about themselves that an organization holds, and more specifically, a right to: (1) obtain confirmation whether personal data about them is being processed; (2) have the data communicated to them so they may verify its accuracy and the lawfulness of the processing; and (3) have the data corrected, amended or deleted.
With respect to Customer Information, we operate under the assumption that it is your obligation as data controller to provide your data subjects a means of accessing their data and requesting that such data be corrected, amended or deleted. Under our current business model, we have no direct interaction with your data subjects and so have no direct way for them to submit these requests to us. If you are a SAS Solutions OnDemand customer, and you receive such a request from a data subject about whom we host personal data, and you would like our assistance in responding to that request, please contact our privacy office at firstname.lastname@example.org or Legal Division/Privacy Officer, SAS Campus Drive, Cary, NC 27513. We will respond to requests within 30 days of receipt.
With respect to Client Information, certain SAS Solutions OnDemand systems enable users to access and amend or correct their own personal data. Otherwise, if you or your users would like to request access to or correction of Client Information, please contact our privacy office at email@example.com or Legal Division/Privacy Officer, SAS Campus Drive, Cary, NC 27513. We will respond to requests within 30 days of receipt.
The EU-US Privacy Shield Framework requires that participants offer data subjects a choice to opt out of uses and disclosures of their data that are materially different from the purposes for which that data was originally collected or subsequently authorized. For data that is considered “sensitive data” under EU data protection rules (for example, EU Personal Data relating to medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or sex life), Privacy Shield participants must obtain an affirmative opt-in from data subjects for disclosures of such data or for the use of such data for purposes other than those for which it was originally collected or subsequently authorized.
With respect to Customer Information, we operate under the assumption that it is your obligation as data controller to obtain from your data subjects the appropriate consent to transfer their data to us and for us to process their data, to provide agreed-upon services to you and to disclose their data to third parties, consistent with this Policy and our agreements with you. We will not share, sell, rent or trade with third parties for their marketing purposes any Customer Information collected by us, unless you direct us to do so and have the appropriate authorization to do so. If your data subject would no longer like to be contacted by you or by SAS at your direction, please inform the data subject to contact you, as SAS Solutions OnDemand’s customer, directly.
We will not use or disclose Client Information for purposes that are materially different from those described in this Policy, or subsequently authorized, without offering data subjects a choice to opt out of such uses or disclosures.
We take reasonable measures that are designed to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction. Some of our security measures include the following:
- Security policies. We design and support our products and services according to documented security policies. Each year, we assess our policy compliance and make necessary improvements to our policies and practices.
- Employee training and responsibilities. We take certain steps to reduce the risks of human error, theft, fraud and misuse of our facilities. We train our personnel on our privacy and security policies, and we require our employees to sign confidentiality agreements. We also have assigned to an individual the responsibility to manage our information security program.
- Access control. We limit access to Customer Information to only those individuals who have an authorized purpose for accessing that information. We terminate those access privileges following job change or termination.
- Data encryption. All electronic transfers of non-public Customer Information between you and SAS Solutions OnDemand (including sensitive personal information and logon credentials) are required by SAS to be done through encrypted connections.
If we confirm that your Customer Information has been accessed or used by unauthorized individuals, we will contact your designated representative to coordinate our response to the incident. If you have any questions about the security of your personal information, you can contact us at firstname.lastname@example.org or Legal Division/Privacy Officer, SAS Campus Drive, Cary, NC 27513.
Onward Transfers to Third Parties
SAS Solutions OnDemand may disclose personal data to business partners and subcontractors, as necessary, for the purpose of providing our offerings and performing other requested services, or as otherwise appropriate in connection with a legitimate business need. These companies are authorized to use your personal information only as necessary to provide these services to us. We may also disclose personal data you provide to other SAS entities and/or business parties for purposes compatible with those described in this Policy and in accordance with our agreements with you. We will not disclose personal data to third parties for purposes other than those described in this Policy, except at your direction and with your authorization. Disclosures of EU Personal Data will be carried out in accordance with Privacy Shield requirements relating to onward transfers. We will not sell, rent or lease your personal data to others.
We may also disclose personal data to a third party, as necessary, in connection with the sale or transfer of all or part of our business. In these situations, we will require the recipient of the data to protect the data in accordance with this Policy or otherwise take steps to ensure that the personal data is appropriately protected. If SAS Solutions OnDemand is involved in a sale or transfer of all or part of our business, you will be notified via email and/or a prominent notice on our website of any changes to SAS Solutions OnDemand’s ownership or uses of your personal data, and of choices you may have regarding your personal data.
SAS Solutions OnDemand may also disclose personal data as required or permitted by law, such as in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, or when we believe in our sole discretion that disclosure is necessary or appropriate to protect our rights or to comply with a judicial proceeding, court order, law-enforcement request or other legal process.
SAS is a global corporation with subsidiaries and business partners in more than 80 countries and with technical systems that cross borders. Personal data collected on SAS Solutions OnDemand systems may be transferred across state and country borders and stored or processed in the United States or any other country in which SAS, its subsidiaries, affiliates or business units maintain facilities for the purposes of data consolidation, storage and information management. By using our systems, your organization consents to any such transfer of information outside of your country of residence. SAS, its subsidiaries, affiliates and business units will handle your information collected by our systems in a consistent manner, as described here, even if the laws in some countries may provide less protection for your information. Our privacy practices are designed to protect your personal data all over the world.
Inquiries and Complaints
If you have questions or concerns regarding this Policy or our handling of your personal data, you should first contact us by sending an email to email@example.com or by regular mail to the attention of:
Legal Division/Privacy Officer
SAS Campus Drive
Cary, NC 27513
We will respond within a reasonable time frame.
If you do not receive acknowledgement of your inquiry, or your inquiry has not been satisfactorily addressed, please contact TRUSTe at:
Web Address: https://feedback-form.truste.com/watchdog/request
Mailing Address: TRUSTe Safe Harbor Compliance Department, 835 Market Street, Suite 800, Box 137, San Francisco, CA 94103
For information about TRUSTe, or the operation of TRUSTe's dispute-resolution process, see https://feedback-form.truste.com/watchdog/request. The TRUSTe dispute-resolution process will be conducted in English. TRUSTe will then serve as a liaison with SAS to resolve your concerns.
Changes to This Policy
We reserve the right to modify this Policy at any time. When we make only minor modifications, we may do so without notifying you. When we make material modifications, we will notify the person you have designated to us to receive such notifications 30 days in advance of the changes. It is your responsibility to keep current the contact information we have on file for that designated representative.
Effective Date: September 26, 2016