SAS® Institute Inc.'s Hosted Managed Services Privacy Policy

Commitment to Privacy

SAS ("SAS", “we”, “us” and “our”) offers Hosted Managed Services, which includes software as a service (SaaS), enterprise hosting, remote managed services and other analytics solutions, and the subject-matter experts to manage them. We provide these solutions to organizations (“you” and “your”) and your employees, consumers, patients and students (“Data Subjects”) around the world.

The privacy of your Data Subjects is important to us. This policy describes and explains SAS' practices and the measures we take to protect their privacy and comply with applicable laws and our obligations. This policy also describes your choices regarding use, access and correction of your data subjects’ personal data so you can better understand SAS' practices and ensure they are consistent with any privacy notices you have made available to them.

Scope of Policy

This Privacy Policy describes how SAS collects, receives, accesses, uses and discloses certain personal data received in connection with SAS Hosted Managed Services including enterprise hosting, SaaS, remote managed services and other analytics solution offerings, and governs SAS’ use of such personal data to provide those offerings to you pursuant to our agreements.

This Privacy Policy does not apply to information collected by SAS from visitors to SAS.com, information collected by SAS in connection with an individual's creation of a SAS Profile, for purposes unrelated to SAS Hosted Managed Services, or information collected by SAS through other offerings. For information about how SAS collects, uses and discloses information through SAS.com, the SAS Profile and other SAS offerings, please see the SAS Privacy Statement.

International Data Transfers

Due to the global nature of our operations, some data recipients may be located in countries outside the European Economic Area (EEA), Switzerland, or the United Kingdom (UK), which do not provide an adequate level of data protection as defined by data protection laws in the EEA, Switzerland, and the UK Transfers among SAS affiliates or to third parties located in such third countries take place using a valid data transfer mechanism, such as the EU Standard Contractual Clauses (SCCs) (as well as the corresponding Swiss annex and UK Addendum, as appropriate), on the basis of permissible statutory derogations, or any other valid data transfer mechanism issued or approved by the EEA, Swiss, or UK authorities. Certain third countries have been officially recognized by the EEA, Swiss, and UK authorities as providing an adequate level of protection, and no further safeguards are necessary.

The SCCs are a contractual terms template that have been pre-approved by the European Commission and serve as a legal transfer mechanism. SAS uses these SCCs and supplemental measures in accordance with European Commission and European Data Protection Board guidance. These updated SCCs, as well as the corresponding Swiss annex and UK Addendum, are an integral part of the SAS Data Processing Agreements (DPAs) that SAS executes with its customers, sub-processors and partners when applicable. The terms of SAS’ DPA apply to transfers of personal data originating in the European Economic Area (EEA), Switzerland, and/or the UK from you, as the data exporter, to SAS and its affiliates that are located in third countries, as the data importers.

EU-US Data Privacy Framework with UK Extension, and Swiss-US Data Privacy Framework

SAS’ Hosted Managed Services environments comply with the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF) as set forth by the US Department of Commerce.

  • SAS has certified to the US Department of Commerce that its Hosted Managed Services environments adhere to the EU-US Data Privacy Framework Principles (EU-US DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-US DPF and from the United Kingdom (and Gibraltar) under the UK Extension to the EU-US DPF.
  • SAS has certified to the US Department of Commerce that its Hosted Managed Services environments adhere to the Swiss-US Data Privacy Framework Principles (Swiss-US DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-US DPF.

If there is any conflict between the terms in this privacy policy and the EU-US DPF Principles and/or the Swiss-US DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov.

SAS is responsible for the processing of the personal data it receives within its Hosted Managed Services environments, under the DPF, and subsequent transfers to a third party acting as an agent on its behalf.  SAS Hosted Managed Services environments comply with the DPF Principles for all onward transfers of personal data from the EU, UK, and Switzerland, including the onward transfer liability provisions.

The Federal Trade Commission has jurisdiction over SAS Hosted Managed Services environments’ compliance with the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF. In certain situations, SAS may be required to disclose personal data from its Hosted Managed Services environments in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In compliance with the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF, SAS commits to refer unresolved complaints concerning its handling of personal data in its Hosted Managed Services environments that are received in reliance on the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF to TRUSTe, an alternative dispute resolution provider based in the United States.  If you do not receive timely acknowledgment of your DPF Principles-related complaint from SAS, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://feedback-form.truste.com/watchdog/request for more information or to file a complaint.  These dispute resolution services are provided at no cost to you.

For complaints regarding DPF compliance not resolved by any of the other DPF mechanisms, you have the possibility, under certain conditions, to invoke binding arbitration. Further information can be found on the official DPF website.

Data Processed and Purposes of Processing

SAS Managed Hosted Services collects and processes two kinds of personal data: Customer Information and Client Information.

Customer Information is information that we receive from you, or from a third party at your direction, about your Data Subjects. We collect only the Customer Information that you provide to us, direct us to collect, or access to provide services to you. Customer Information may include personal data about different types of individuals, including: consumers, employees, patients, students, donors, volunteers, business clients, suppliers and other business partners. Such personal data may include basic contact information, such as name, postal address, email address and phone number, as well as more sensitive personal data, such as financial information, personal health information, clinical trial data, demographic information, purchase information, market-research information, and employee and student performance information. Indeed, SAS may, upon your instruction, obtain any type of data about any type of individual that you upload to our products, send to us through online or offline mechanisms, or direct us to collect from third-party aggregators, such as Dun & Bradstreet.

We operate under the assumption that it is your obligation as a data controller to notify individuals whose personal data may be included in your Customer Information about the personal data you collect and the purposes for which you collect it, to obtain their consent to our processing of their personal data, where required, and to ensure that such personal data is reliable for its intended use, accurate, complete and current. We have no direct relationship with the individuals whose personal data is included in the Customer Information we process.

We collect and process Customer Information only for the purpose of providing services to you and in accordance with our agreements with you. In certain situations, we may supplement Customer Information provided by you with information from other sources. This is done only when you specifically request, and we agree to, such supplementation. This supplementation of Customer Information is for the sole purpose of providing services to you. We will retain Customer Information for the duration stipulated in our agreement with you, or longer, as necessary to comply with our legal obligations, resolve disputes or enforce our agreements.

Client Information is personal data about people in your organization, such as account managers and users, who interact with SAS’ Hosted Managed Services and its systems. Client Information usually is limited to name, work email address, work phone number and job title. We collect Client Information through online forms, email, phone and other written means that you use to provide it to us. We use Client Information to support your account, maintain our business relationship with you, respond to your inquiries and perform accounting functions.

Client Information may also include User Information. User Information is information generated by computers that interact with our systems. User Information may be collected through the following:

  • Web server logs/web analytics. In the process of administering our site, we maintain and track usage through web server logs and may use web analytic tools to review log information. These logs provide information, such as what types of browsers are accessing our sites, what country the access request is originating from, what pages receive high traffic and the times of day our servers experience significant load. We use this information to improve the content and navigation features of our sites.
  • Cookies and other tracking technologies. There are various tracking technologies, including "cookies," which can be used by us to provide tailored information from a website. A cookie is an element of data that a website can send to your browser, which may then store it on your system. Some SAS Hosted Managed Services systems may use cookies for authentication and security and/or to remember user settings so that we can better serve you when you return to those systems. By using those systems, you agree that we can place these types of cookies on your system. You can set your browser to notify you when you receive a cookie, giving you the chance to decide whether to accept it. You can control the use of cookies at the individual browser level. For more information, please refer to the user information provided with your web browser. If you reject cookies, you may still use SAS Hosted Managed Services systems, but your ability to use some features or areas of those systems may be limited.

We may also use User Information to help us prevent and detect security threats, fraud or other malicious activity, to manage billing for those subscription services based on usage and to ensure the proper functioning of our products and services.

SAS may additionally use Customer Information and Client Information for the following purposes:

  • To maintain and upgrade a system. Our technical staff may require periodic access to services data that may include Customer Information or Client Information, to monitor system performance, test systems, and develop and implement upgrades to systems. Any temporary copies of such services data created as a necessary part of this process are maintained only for time periods relevant to those purposes.
  • To address performance and fix issues. On occasion, we may develop new versions, patches, updates and other fixes to our programs and services, such as security patches that address newly discovered vulnerabilities. In accordance with the terms of your order for services, we may remotely access a user’s computer, while that user observes, to troubleshoot a performance issue.
  • To meet legal requirements. SAS may be required to provide personal data to comply with legally mandated reporting, disclosure or other legal process requirements when we believe, in our sole discretion, that disclosure is necessary to protect our rights, or to respond to a government request.

Third-Party Websites

If requested by you, and agreed to by SAS, SAS Hosted Managed Services systems may be configured to enable you and your users to access other third-party websites whose privacy practices may differ from those of SAS. If you or your data subjects submit personal data to any of those websites, such information is governed by their privacy statements. We encourage you and your data subjects to carefully read the privacy statement of any website you or your data subjects access through our systems. Depending on your country, you may also have the right or choice to: (1) restrict or object to processing of the data, (2) receive the data to transmit it to another company (3) withdraw any consent provided, and/or (4) lodge a complaint with your supervisory authority.

Data Access and Correction; Choices for Limiting Use and Disclosure

The EU General Data Protection Regulation (GDPR), Swiss Federal Act on Data Protection and UK GDPR/Data Protection Act require that data subjects have rights to access personal data about themselves that an organization holds and, more specifically, a right to: (1) obtain confirmation whether personal data about them is being processed; (2) have the data communicated to them so they may verify its accuracy and the lawfulness of the processing; and (3) have the data corrected, amended or deleted.

With respect to Customer Information, we operate under the assumption that it is your obligation as data controller to provide your data subjects a means of accessing their data and requesting that such data be corrected, amended or deleted. Under our current business model, we have no direct interaction with your data subjects, and, therefore, have no direct way for them to submit these requests to us. If you are a SAS Hosted Managed Services customer, and you receive such a request from a data subject about whom we host personal data, and you would like our assistance in responding to that request, please contact our privacy office at privacy@sas.com or Legal Division/Privacy Officer, SAS Campus Drive, Cary, NC 27513. We will respond to requests within 30 days of receipt.

With respect to Customer Information, we operate under the assumption that it is your obligation as data controller to obtain from your data subjects the appropriate consent to transfer their data to us and for us to process their data, to provide agreed-upon services to you and to disclose their data to third parties, consistent with this Policy and our agreements with you. We will not share, sell, rent or trade with third parties for their marketing purposes any Customer Information collected by us, unless you direct us to do so and have the appropriate authorization to do so. If your data subject would no longer like to be contacted by you or by SAS at your direction, please inform the data subject to contact you, as SAS’ customer, directly.

With respect to Client Information, certain SAS Hosted Managed Services systems enable users to access and amend or correct their own personal data. Otherwise, if you or your users would like to request access to or correction of Client Information, please contact our privacy office at privacy@sas.com or Legal Division/Privacy Officer, SAS Campus Drive, Cary, NC 27513. We will respond to requests within 30 days of receipt.

You have the option to use cloud environments based on a  “within-EU principle.” This means, upon your request and mutual written agreement, the cloud environments (physical and logical IT infrastructure) SAS provides for Hosted Managed Services resides within the EU. Our standard setup (depending on the cloud infrastructure provider deployed) is an Availability Zone (“AZ”) in Frankfurt (Germany) or Dublin (Ireland) drawing on infrastructure physically located around these cities. Currently, when SAS operates customer cloud services for EU-only customers (those customers who request “EU-only” resources), SAS does not move or store customer data outside the EU and agreed-to AZ. Backup facilities associated with the AZ also reside within the EU.

We will not use or disclose Client Information for purposes that are materially different than those described in this Policy, or subsequently authorized, without offering data subjects a choice to opt out of such uses or disclosures.

Data Security

We take reasonable measures that are designed to protect personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction. Some of our security measures include the following:

  • Security policies. We design and support our products and services according to documented security policies. Each year, we assess our policy compliance and make necessary improvements to our policies and practices.
  • Employee training and responsibilities. We take certain steps to reduce the risks of human error, theft, fraud and misuse of our facilities. We train our personnel on our privacy and security policies, and we require our employees to sign confidentiality agreements. We also have assigned to an individual the responsibility to manage our information security program.
  • Access control. We limit access to Customer Information to only those individuals who have an authorized purpose for accessing that information. We terminate those access privileges following job change or termination.
  • Data encryption. All electronic transfers of non-public Customer Information between you and SAS (including sensitive personal data and sign-on credentials) are required by SAS to be done through encrypted connections.

For more information regarding our security measures, please visit the SAS Trust Center website regarding Technical and Organizational Security Measures (TOMS) at: Trust Center - TOMS.

If we confirm that your Customer Information has been accessed or used by unauthorized individuals, we will contact your designated representative to coordinate our response to the incident. If you have any questions about the security of your personal information, you can contact us at privacy@sas.com or Legal Division/Privacy Officer, SAS Campus Drive, Cary, NC 27513.

We keep your personal data for as long as necessary to fulfill the purposes outlined in this Policy, to adhere to our policies, and for any period as legally required or permitted by applicable law.

Onward Transfers to Third Parties

SAS may disclose personal data to business partners and subcontractors, as necessary, for the purpose of providing our offerings and performing other requested services, or as otherwise appropriate in connection with a legitimate business need. These companies are authorized to use your personal data only as necessary to provide these services to us. We may also disclose personal data you provide to other SAS entities and/or business parties for purposes compatible with those described in this Policy and in accordance with our agreements with you. We will not disclose personal data to third parties for purposes other than those described in this Policy, except at your direction and with your authorization. Disclosures of personal data will be carried out in accordance with SCCs and applicable data protection laws relating to onward transfers. We will not sell, rent or lease your personal data to others.

We may also disclose personal data to a third party, as necessary, in connection with the sale or transfer of all or part of our business. In these situations, we will require the recipient of the data to protect the data in accordance with this Policy or otherwise take steps to ensure that the personal data is appropriately protected. If SAS is involved in a sale or transfer of all or part of our business, you will be notified via email and/or a prominent notice on our website of any changes to SAS’s ownership or uses of your personal data, and of choices you may have regarding your personal data.

SAS may also disclose personal data as required or permitted by law, such as in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, or when we believe in our sole discretion that disclosure is necessary or appropriate to protect our rights or to comply with a judicial proceeding, court order, law enforcement request or other legal process.

SAS is a global corporation with subsidiaries and business partners in more than 80 countries and with technical systems that cross borders. Personal data collected on SAS Hosted Managed Services systems may be transferred across state and country borders and stored or processed in the United States or any other country in which SAS, its subsidiaries, affiliates or business units maintain facilities for the purposes of data consolidation, storage and information management. By using our systems, your organization consents to any such transfer of information outside of your country of residence. SAS, its subsidiaries, affiliates and business units will handle your information collected by our systems in a consistent manner, as described here, even if the laws in some countries may provide less protection for your information. Our privacy practices are designed to protect your personal data all over the world.

TRUSTe

Inquiries and Complaints

If you have questions or concerns regarding this Policy or our handling of your personal data, you should first contact us by sending an email to privacy@sas.com or by regular mail to the attention of:

SAS Institute Inc.
Legal Division/Privacy Officer
SAS Campus Drive
Cary, NC 27513

We will respond within a reasonable time frame.

Changes to This Policy

We reserve the right to modify this Policy at any time. When we make only minor modifications, we may do so without notifying you. When we make material modifications, we will notify the person you have designated to us to receive such notifications 30 days in advance of the changes. It is your responsibility to keep current the contact information we have on file for that designated representative.

Effective Date: July 7, 2017
Latest Revised Date: October 1, 2023