SAS Solutions OnDemand Business Customer Privacy Policy

Commitment to privacy

SAS is the leader in business analytics software and services and the largest independent vendor in the business intelligence market. SAS Solutions OnDemand (“SSOD”, “we”, “us”, and “our”) is a SAS business unit offering software-as-a-service (SaaS) and enterprise-hosting solutions and the subject-matter experts to manage them. We provide hosted software to organizations (“you” and “your”) and your employees, consumers, patients, and students (“data subjects”) around the world.

The privacy of your data subjects is important to us. We are providing this policy to describe and explain our information practices and the measures we take to protect their privacy and comply with applicable law and our obligations.

Scope of policy

We are a global organization that has developed global data practices designed to assure the personal data of your data subjects is appropriately protected. This Safe Harbor Privacy Policy describes how SAS’ SSOD business unit collects, uses, and discloses certain personal data that it receives in the United States from the European Union and Switzerland ("EU and Swiss Personal Data") in connection with its enterprise hosting and SaaS offerings, and governs SSOD’s use of personal data to which we may be provided access in order to provide those offerings. This Safe Harbor Privacy Policy does not apply to information collected by SAS from visitors to, information collected by SAS in connection with individuals’ creation of a SAS Profile, or information collected by SAS through other offerings. For information about how SAS collects, uses and discloses information through, the SAS Profile and other SAS offerings, please see the SAS Privacy Statement.

Safe Harbor

SSOD recognizes that the European Union and Switzerland have established strict protections regarding the handling of EU and Swiss Personal Data. Our privacy practices comply with the U.S.-EU Safe Harbor framework and the U.S.-Swiss Safe Harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries and Switzerland. From an EU perspective, we operate as a data processor, while you function as a data controller. SAS has certified that its SSOD business unit adheres to the Safe Harbor Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. Please note that SAS’ certification does not cover personal information that may be collected through or other SAS offerings, such as those that are accessed using the SAS Profile. For more information about the Safe Harbor Principles and program or to access our certification statement, please visit the U.S. Department of Commerce's website at

Notice principle

We operate under the assumption that it is generally your obligation as data controller to notify individuals about the purposes for which you collect and use information about them, how they can contact you with any inquiries or complaints, the types of third parties to which you disclose their information, and the choices and means you offer for limiting your use and disclosure. As your data processor, we make available to you this privacy policy so that you can better understand our data practices and whether they are consistent with privacy notices you have made available to your data subjects.

Data integrity principle

We only collect the Customer Information that you provide to us or direct us to collect. Customer Information is information that we receive from you, or from a third party at your direction, about your data subjects. We have no direct relationship with the data subjects. In general, SSOD may obtain EU and Swiss Personal Data in the United States about several different types of individuals, including: consumers, employees, patients, students, donors, volunteers, business clients, suppliers, and other business partners. Such data may include basic contact information such as name, postal address, email address, and phone number, as well as sensitive personal information such as payment card information, personal health information, clinical-trial data, demographic information, purchase information, market-research information, and employee and student performance information. Indeed, SSOD may obtain any type of data about any type of individual that you upload to our products, send to us through online or offline mechanisms, or direct us to collect from third-party aggregators such as Dun & Bradstreet. In this regard, we do not control what Customer Information we may receive and host, nor what steps you as data controller have taken to ensure that the data is reliable for its intended use, accurate, complete, and current. We will retain Customer Information for the duration stipulated in our agreement with you, or longer as necessary to comply with our legal obligations, resolve disputes, or enforce our agreements.

In certain situations, we may supplement Customer Information provided by you with information from other sources. This is done only when you specifically request and we agree to such supplementation. This supplementation of Customer Information is for the sole purpose of providing services to you.

We also collect Client Information. Client Information is personal information about people in your organization, such as account managers and users, who interact with SSOD. Client Information usually is limited to name, work email address, work phone number, and job title, and we collect it through the email, phone, and other written means through which you provide it to us. We use this information to support your account, maintain our business relationship with you, respond to your inquiries, and perform accounting functions. Additionally, for SSOD offerings that are accessed using a SAS Profile, Client Information collected through the SAS Profile may also be used as described in the SAS Privacy Statement.

Some Client Information includes User Information. User Information is information about computers that interact with our systems. This includes:

Web server logs. In the process of administering this site, we maintain and track usage through Web server logs. These logs provide information such as what types of browsers are accessing our sites, what pages receive high traffic, and the times of day our servers experience significant load. We use this information to improve the content and navigation features of our sites. Anonymized or aggregated forms of this data may be used to identify future features and functions to develop for the site and to provide better customer service.

Cookies. There are various technologies, including one called "cookies" which can be used to provide tailored information from a website. A cookie is an element of data that a website can send to your browser, which may then store it on your system. Some SSOD systems may use cookies for authentication and security and/or to remember user settings so that we can better serve you when you return to those systems. By using those systems, you agree that we can place these types of cookies on your system. You can set your browser to notify you when you receive a cookie, giving you the chance to decide whether to accept it. For more information, please refer to user information provided with your web browser. If you reject cookies, you may still use SSOD systems but your ability to use some features or areas of those systems may be limited.

We may also use User Information to help us prevent and detect security threats, fraud or other malicious activity, and to ensure the proper functioning of our products and services.

SSOD may additionally use Customer and Client information for the following purposes:

To maintain and upgrade a system. Our technical staff may require periodic access to services data to monitor system performance, test systems, and develop and implement upgrades to systems. Any temporary copies of services data created as a necessary part of this process are only maintained for time periods relevant to those purposes.

To address performance and fix issues. On occasion, we may develop new versions, patches, updates, and other fixes to our programs and services, such as security patches addressing newly discovered vulnerabilities. In accordance with the terms of your order for services, we may remotely access a user’s computer while that user observes in order to troubleshoot a performance issue.

To meet legal requirements. SSOD may be required to provide personal data to comply with legally mandated reporting, disclosure or other legal process requirements when we believe, in our sole discretion, that disclosure is necessary to protect our rights, or to respond to a government request.

If you provide any personal data about your data subjects to SSOD, you are responsible for providing any notices and obtaining any consents necessary for SSOD to access and use that data.

If requested by you and agreed to by SSOD, SSOD’s systems may include links to other third-party websites whose privacy practices may differ from those of SAS and SSOD. If you or your data subjects submit personal data to any of those websites, such information is governed by their privacy statements. We encourage you and your data subjects to carefully read the privacy statement of any website you or your data subjects visit.

Data access principle

The U.S.-EU Safe Harbor requires that data subjects must have access to personal information about them that an organization holds, and that they be able to correct, amend, or delete that information where it is inaccurate. We operate under the assumption that it is generally your obligation as data controller to provide your data subjects a means of accessing their data. Under our current business model, we have no direct interaction with your data subjects and so have no direct way for them to submit data access requests to us. If you receive a data-access request from a data subject about whom we host data and you would like our assistance in responding to that request, please contact or Legal Division / Privacy Officer, SAS Campus Drive, Cary, NC 27513. We will respond to requests within 30 days of receipt.

Security principle

We take reasonable measures to protect personal information from loss, misuse, and unauthorized access, disclosure, alteration and destruction. Some of our security measures include:

Security policies. We design and support our products and services according to documented security policies. Each year, we assess our policy compliance and make necessary improvements to our policies and practices.

Employee training and responsibilities. We take certain steps to reduce the risks of human error, theft, fraud, and misuse of our facilities. We train our personnel on our privacy and security policies. We also require our employees to sign confidentiality agreements. We also have assigned to an individual the responsibility to manage our information security program.

Access control. We limit access to Customer Information to only those individuals who have an authorized purpose for accessing that information. We terminate those access privileges following job change or termination.

Data encryption. All electronic transfers of Customer Information between you and SSOD (including sensitive personal information and login credentials) are done through encrypted connections.

If we confirm that your Customer Information has been accessed or used by unauthorized individuals, we will contact your designated representative to coordinate our response to the incident.

Onward transfer principle

SSOD may disclose EU and Swiss Personal Data to business partners and subcontractors as necessary in connection with the performance of requested services or solutions, or as otherwise appropriate in connection with a legitimate business need. Transfers to subsequent third parties are covered by the provisions in this policy and our contractual agreements with you. We may also disclose EU and Swiss Personal Data as necessary in connection with the sale or transfer of all or part of our business. In these situations, we will require the recipient of the data to protect the data in accordance with the relevant principles in the Safe Harbors or otherwise take steps to ensure that the EU and Swiss Personal Data is appropriately protected. If SSOD is involved in a or sale or transfer of all or part of our business, you will be notified via email and/or a prominent notice on our website of any changes to SSOD’s ownership or uses of your personal information, and of choices you may have regarding your personal information.

We may share the personal data you provide with other SAS entities and/or business partners for purposes related to those described above. We will not sell, rent, or lease to others your personal data. We will only share personal data with third parties in ways that are described in this policy.

SSOD may also disclose EU and Swiss Personal Data as required or permitted by law, or when we believe in our sole discretion that disclosure is necessary or appropriate to protect our rights or to comply with a judicial proceeding, court order, law-enforcement request, or other legal process.

SAS is a global corporation with subsidiaries and business partners in over 80 countries and with technical systems that cross borders. Personal information collected on SSOD systems may be transferred across state and country borders and stored or processed in the United States or any other country in which SAS, its subsidiaries, affiliates, or business units maintain facilities for the purposes of data consolidation, storage, and information management. By using our systems, your organization consents to any such transfer of information outside of your country of residence. SAS, its subsidiaries, affiliates, and business units will handle your information collected by our systems in a consistent manner, as described here, even if the laws in some countries may provide less protection for your information. Our privacy practices are designed to protect your personal information all over the world.

Choice principle

The US-EU Safe Harbor requires that members offer end users a choice to opt out of uses and disclosures of their data that are incompatible with the purposes for which that data was originally collected or subsequently authorized. We operate under the assumption that it is generally your obligation as data controller to obtain from your data subjects the appropriate consent to transfer their data to us and to process their data using our products for defined purposes. As your data processor, we will not share, sell, rent, or trade with third parties for their marketing purposes any Customer Information collected by us, unless you direct us to do so and have the appropriate authorization to do so. If your data subject would no longer like to be contacted by you or by SAS at your direction, please inform the data subject to contact you, as SSOD’s customer, directly.

Enforcement principle

SAS has received TRUSTe's Privacy Seal signifying that this privacy policy and our practices have been reviewed for compliance with the TRUSTe program viewable on the validation page available by clicking the TRUSTe seal.

The TRUSTe certification covers our collection, use and disclosure of information we collect through our SSOD business unit in connection with enterprise hosting and software-as-a-service offerings that are governed by this Safe Harbor Privacy Policy. The use of information collected through those offerings shall be limited to the purpose of providing the services for which the Client has engaged SAS.

In order to view our relationship with TRUSTe, please visit the validation page visible by clicking on the TRUSTe seal.

If you have questions or concerns regarding this Safe Harbor Privacy Policy, you should first contact us by sending an email to or by regular mail to the attention of:

Legal Division/Privacy Officer
SAS Campus Drive
Cary, NC 27513

If you do not receive acknowledgement of your inquiry or your inquiry has not been satisfactorily addressed, please contact TRUSTe at:

Web Address:
Fax: 415-520-3420
Mailing Address: TRUSTe Safe Harbor Compliance Department - 835 Market Street Suite 800, Box 137, San Francisco, CA 94103

If you are faxing or mailing TRUSTe to lodge a complaint, you must include the following information: the name of company, the alleged privacy violation, your contact information, and whether you would like the particulars of your complaint shared with the company. For information about TRUSTe or the operation of TRUSTe's dispute-resolution process, see at any of the addresses listed above. The TRUSTe dispute-resolution process will be conducted in English. TRUSTe will then serve as a liaison with SAS to resolve your concerns.

Should you have comments or questions about this policy, you may email us at:

You may also contact us via postal mail at the following address:

SAS Institute Inc.
SAS Campus Drive
Cary, NC 27513
ATTN: Legal Division/Privacy Officer

Changes to this policy

We reserve the right to modify this Policy at any time. When we make only minor modifications, we may do so without notifying you. When we make material modifications, we will notify the person you have designated to us to receive such notifications 30 days in advance of the changes. It is your responsibility to keep current the contact information we have on file for that designated representative.

Revised Feb. 1, 2016.

TRUSTe Certified Privacy

Back to Top