Commitment to privacy
SAS is the leader in business analytics software and services and the largest independent vendor in the business-intelligence market. SAS Solutions OnDemand (“SSO”, “we”, “us”, and “our”) is a SAS business unit offering software-as-a-service (SaaS) and enterprise-hosting solutions and the subject-matter experts to manage them. We provide hosted software to organizations (“you” and “your”) and your employees, consumers, patients, and students (“data subjects”) around the world.
The privacy of your data subjects is important to us. We are providing this policy to describe and explain our information practices and the measures we take to protect their privacy and comply with applicable law and our obligations.
Scope of policy
SSO recognizes that the European Union and Switzerland have established strict protections regarding the handling of EU and Swiss Personal Data. Our privacy practices comply with the U.S.-EU Safe Harbor framework and the U.S.-Swiss Safe Harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries and Switzerland. From an EU perspective, we operate as a data processor, while you function as a data controller. SAS has certified that its SSO business unit adheres to the Safe Harbor Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. Please note that SAS’ certification does not cover personal information that may be collected through sas.com. For more information about the Safe Harbor Principles and program or to access our certification statement, please visit the U.S. Department of Commerce's website at http://export.gov/safeharbor/.
Data integrity principle
We only collect the Customer Information that you provide to us or direct us to collect. Customer Information is information that we receive from you, or from a third party at your direction, about your data subjects. In general, SSO may obtain EU and Swiss Personal Data in the United States about several different types of individuals, including: consumers, employees, patients, students, donors, volunteers, business clients, suppliers, and other business partners. Such data may include basic contact information such as name, postal address, e-mail address, and phone number, as well as sensitive personal information such as payment-card information, personal health information, clinical-trial data, demographic information, purchase information, market-research information, and employee and student performance information. Indeed, SSO may obtain any type of data about any type of individual that you upload to our products, send to us through online or offline mechanisms, or direct us to collect from third-party aggregators such as Dun & Bradstreet. In this regard, we do not control what Customer Information we may receive and host, nor what steps you as data controller have taken to ensure that the data is reliable for its intended use, accurate, complete, and current. We will retain Customer Information for the duration stipulated in our agreement with you, or longer as necessary to comply with our legal obligations, resolve disputes, or enforce our agreements.
We also collect Client Information. Client Information is personal information about people in your organization, such as account managers and users, who interact with SSO. Client Information usually is limited to name, work e-mail address, work phone number, and job title, and we collect it through the e-mail, phone, and written means through which you provide it to us. We use this information to support your account, maintain our business relationship with you, respond to your inquiries, and perform accounting functions.
Some Client Information includes User Information. User Information is information about computers that interact with our systems. This includes:
Web server logs. In the process of administering this site, we maintain and track usage through Web server logs. These logs provide information such as what types of browsers are accessing our sites, what pages receive high traffic, and the times of day our servers experience significant load. We use this information to improve the content and navigation features of our sites. Anonymized or aggregated forms of this data may be used to identify future features and functions to develop for the site and to provide better customer service.
We may also use User Information to help us prevent and detect security threats, fraud or other malicious activity, and to ensure the proper functioning of our products and services.
SSO may additionally use Customer and Client information for the following purposes:
To maintain and upgrade a system. Our technical staff may require periodic access to services data to monitor system performance, test systems, and develop and implement upgrades to systems. Any temporary copies of services data created as a necessary part of this process are only maintained for time periods relevant to those purposes.
To address performance and fix issues. On occasion, we may develop new versions, patches, updates, and other fixes to our programs and services, such as security patches addressing newly discovered vulnerabilities. In accordance with the terms of your order for services, we may remotely access a user’s computer while that user observes in order to troubleshoot a performance issue.
To meet legal requirements. SSO may be required to provide personal data to comply with legally mandated reporting, disclosure or other legal process requirements.
If you provide any personal data about your clients to SSO, you are responsible for providing any notices and obtaining any consents necessary for SSO to access and use that data.
Data access principle
The U.S.-EU Safe Harbor requires that data subjects must have access to personal information about them that an organization holds, and that they be able to correct, amend, or delete that information where it is inaccurate. We operate under the assumption that it is generally your obligation as data controller to provide your data subjects a means of accessing their data. Under our current business model, we have no direct interaction with your data subjects and so have no direct way for them to submit data-access requests to us. If you receive a data-access request from a data subject about whom we host data and you would like our assistance in responding to that request, please contact email@example.com or Legal Division / Privacy Officer, SAS Campus Drive, Cary, NC 27513. We will respond to requests within 30 days of receipt.
We take reasonable measures to protect personal information from loss, misuse, and unauthorized access, disclosure, alteration and destruction. Some of our security measures include:
Security policies. We design and support our products and services according to documented security policies. Each year, we assess our policy compliance and make necessary improvements to our policies and practices.
Employee training and responsibilities. We take certain steps to reduce the risks of human error, theft, fraud, and misuse of our facilities. We train our personnel on our privacy and security policies. We also require our employees to sign confidentiality agreements. We also have assigned to an individual the responsibility to manage our information security program.
Access control. We limit access to Customer Information to only those individuals who have an authorized purpose for accessing that information. We terminate those access privileges following job change or termination.
Data encryption. All electronic transfers of Customer Information between you and SSO are done through encrypted connections.
If we confirm that your Customer Information has been accessed or used by unauthorized individuals, we will contact your designated representative to coordinate our response to the incident. We limit retention of personal information to no longer than commercially necessary to carry out its business purpose, or for legitimate law enforcement purposes.
Onward transfer principle
SSO may disclose EU and Swiss Personal Data to business partners and subcontractors as necessary in connection with the performance of requested services or solutions, or as otherwise appropriate in connection with a legitimate business need. We may also disclose EU and Swiss Personal Data as necessary in connection with the sale or transfer of all or part of our business. In these situations, we will require the recipient of the data to protect the data in accordance with the relevant principles in the Safe Harbors or otherwise take steps to ensure that the EU and Swiss Personal Data is appropriately protected.
We may share the personal data you provide with other SAS entities and/or business partners for purposes related to those described above. We will not sell, rent, or lease to others your personal data.
SSO may also disclose EU and Swiss Personal Data as required or permitted by law, or when we believe in our sole discretion that disclosure is necessary or appropriate to protect our rights or to comply with a judicial proceeding, court order, law-enforcement request, or other legal process.
SAS is a global corporation with subsidiaries and business partners in over 80 countries and with technical systems that cross borders. Personal information collected on SSO systems may be transferred across state and country borders and stored or processed in the United States or any other country in which SAS, its subsidiaries, affiliates, or business units maintain facilities for the purposes of data consolidation, storage, and information management. By using our systems, your organization consents to any such transfer of information outside of your country of residence. SAS, its subsidiaries, affiliates, and business units will handle your information collected by our systems in a consistent manner, as described here, even if the laws in some countries may provide less protection for your information. Our privacy practices are designed to protect your personal information all over the world.
The U.S.-EU Safe Harbor requires that members offer end users a choice to opt out of uses and disclosures of their data that are incompatible with the purposes for which that data was originally collected or subsequently authorized. We operate under the assumption that it is generally your obligation as data controller to obtain from your data subjects the appropriate consent to transfer their data to us and to process their data using our products for defined purposes. As your data processor, we will not share, sell, rent, or trade with third parties for their marketing purposes any Customer Information collected by us, unless you direct us to do so and have the appropriate authorization to do so.
If you have questions or concerns regarding this Safe Harbor Privacy Statement, you should first contact us by sending an e-mail to firstname.lastname@example.org or by regular mail to the attention of:
Legal Division/Privacy Officer
SAS Campus Drive
Cary, NC 27513.
If you do not receive acknowledgement of your inquiry or your inquiry has not been satisfactorily addressed, please contact TRUSTe at:
Web Address: https://feedback-form.truste.com/watchdog/request
If you are faxing or mailing TRUSTe to lodge a complaint, you must include the following information: the name of company, the alleged privacy violation, your contact information, and whether you would like the particulars of your complaint shared with the company. For information about TRUSTe or the operation of TRUSTe's dispute-resolution process, see https://feedback-form.truste.com/watchdog/request at any of the addresses listed above. The TRUSTe dispute-resolution process will be conducted in English. TRUSTe will then serve as a liaison with SAS to resolve your concerns.
Should you have comments or questions about this policy, you may e-mail us at: email@example.com.
You may also contact us via postal mail at the following address:
SAS Institute Inc.
SAS Campus Drive
Cary, NC 27513
ATTN: Legal Division / Privacy Officer
Changes to this policy
We reserve the right to modify this Policy at any time. When we make only minor modifications, we may do so without notifying you. When we make material modifications, we will notify the person you have designated to us to receive such notifications 30 days in advance of the changes. It is your responsibility to keep current the contact information we have on file for that designated representative.
Revised May 10, 2012