Welcome to www.talenttools.com.au ("Site"). Your access to and use of this Site are subject to the terms and conditions contained herein. By accessing and using this Site, you accept these terms and conditions, without limitation or qualification.

If you are under the age of 18, you must only use this Site with parental or caregiver consent, provided that your parent or caregiver is over the age of 18 and they accept these terms and conditions on your behalf.

1. USE OF OUR SITE

1.1 As a condition of use of the Website, you agree:

(a) Not to disrupt activity online;

(b) To ensure that the Site is not used for any illegal activity or which may expose us to potential litigation including (but not limited to) copyright and trade mark infringement, the publication of obscene or defamatory information or material, the publication of information or material that infringes the rights of third parties, or the publication of information or material that is likely to be misleading or deceptive or otherwise breaches the Fair Trading Act 1986;

(c) Not to use anybody else's computer system, communications services or data, including by hacking or by attempting to circumvent user authentication or other security measures;

(d) Not to post or use any software or device which may facilitate a continued connection or degrade or impede the service of another user, such as pinging, mail bombs or war dialling;

(e) Not to run network scanning software or use open relay to distribute messages; and

(f) Not to introduce anything harmful or destructive (such as viruses, worms, Trojan horses, time bombs or bots) to, or interfere in any way with, any person's computer system or communications services.

2. APPLICATION FOR INFORMATION ON PRODUCTS

2.1 Where you wish to request further information on the products contained on our Site from us, you must do so in accordance with the instructions on the Site.

2.2 We have the absolute discretion to decline your request for further information on the products contained on our Site for any reason whatsoever without reference to you. We may require the provision of additional information/verifications before providing you with the further information.

3. PRODUCTS

3.1 Where you proceed to acquire products contained on our Site from us, the terms and conditions relating to your acquisition and use of all products are those specifically set out in your agreement with us in relation to the products offered or supplied by us ("Other Agreement"). Where there is any inconsistency or conflict between these terms and conditions and those set out in the Other Agreement then the terms and conditions of the Other Agreement will prevail.

4. WARRANTY, GUARANTEES & LIMITATION OF LIABILITY

4.1 The content on the Site is general information of interest which is provided "as is" without any warranties or conditions of any kind, express or implied by law, statute or otherwise.

4.2 While we have made every attempt to ensure that the content contained on this Site is complete, timely, and accurate, we make no representation or warranty of any kind with respect to the Site and the content provided herein. You acknowledge that you have not relied on any representation or statement made by us other than the express provisions of these terms and conditions.

4.3 Certain links in this Site connect to websites maintained by third parties. We make no representations or warranties as to any content contained in these third party sites and take no responsibility for such sites. Our link to another site is not an endorsement of that site.

4.4 The content provided on the Site is supplied on the condition that you will make your own determination as to its fitness or suitability for your purposes prior to use of the Site and/or any products from us you subsequently decide to acquire. Nothing contained in this website should be construed as a recommendation to use any particular product.

4.5 We will not be liable for any damages, losses, costs, expenses or liabilities including, but not limited to, any failure of performance, inability to use this Site or the information, or any error, omission, interruption, defect, delay in operation of transmission, computer virus, communication line or system failure.  We will not be liable for any damages, loss or injury including, but not limited to, special, indirect or consequential damages that result from the use of, or the inability to use, the content on the Site and any products.

4.6 Under no circumstances will we be liable to you or any third party claiming through you for any loss of profits, contract, indirect or consequential loss of any kind whatsoever, nor for any special, indirect, consequential or punitive damages resulting from or caused by the use of this Site or the information contained herein (or any information on a linked website).

5. INTELLECTUAL PROPERTY

5.1 You acknowledge that the Site contains copyrighted materials as well as trademarks and service marks that are owned by Talent Tools or third parties.

5.2 Nothing contained in this Site shall be construed as conferring any right to any copyright, trademark, or other proprietary interest of Talent Tools or any third party.

5.3 You agree not to:

(a) Infringe upon any copyright, trademark or other intellectual property right contained on the Site;

(b) Reproduce, distribute, modify, publish, upload, post or otherwise transmit any content from our Site without our prior written consent; or

(c) Alter or remove any copyright, trademark, or any other notice from any authorised copy of the content on this Site.

5.4 Any unauthorised use of the content appearing on the Website may violate copyright, trade mark and other applicable laws and could result in criminal or civil penalties.

6. APPLICABLE LAWS

6.1 These terms and conditions shall be governed by and construed in accordance with the laws of New Zealand and will be subject to the exclusive jurisdiction of the New Zealand Courts.

6.2 The Site is controlled and operated by us, from our offices within New Zealand. We make no representation or warranty that the content on the Site is appropriate or available for use in other locations. We accept no liability whatsoever to you in respect of such matters.

6.3 If you choose to access the Site from outside of New Zealand, you are solely responsible for compliance with applicable local laws and we make no warranty or representation that the information complies with any laws, rules, regulations, procedures, codes or governmental directives, outside of the jurisdiction of New Zealand. You indemnify us absolutely in respect of any liability arising for us as a result of your non-compliance.

6.4 You may not use or export the content in the Site in violation of New Zealand laws and regulations.

7. GENERAL

7.1 If any clause of these terms and conditions is held by any competent authority to be invalid or unenforceable in whole or in part, the validity of the other clauses of these terms and conditions and the remainder of the clause in question will not be affected.

7.2 The headings to the clauses of these terms and conditions are for ease of reference only and will not affect the interpretation or construction of these terms and conditions.

7.3 If the performance of our obligations under these terms and conditions is prevented by reason of "force majeure" (which shall include prevention because of fire, casualty, accident, act of God, natural disaster, any law, order, proclamation, regulation, demand or requirement of any government or government agency, strikes, labour disputes, shortage of labour or lack of skilled labour, electricity or communications failures or other causes whatsoever (whether similar to the foregoing or not) beyond our reasonable control) we will be excused from such performance to the extent of such prevention.

7.4 We may change the content at any time without notice and will not be liable for errors or omissions in the content. Your continued access and use of the Site after the terms and conditions have been changed indicates your acceptance of those changes.

8. GENERAL DATA PROTECTION REGULATION COMPLIANCE

8.1 Talent Tools is committed to full compliance with the European Union's General Data Protection Regulation (GDPR). To learn more about  Talent Tools's GDPR compliance including your right to access data, right to be informed about the collection and use of data, right to rectify incorrect data, right to restriction of process, right to data portability and right to be forgotten and data erasure, please contact us at team@talenttools.com.au.

Privacy Policy

This Data Privacy Statement describes how Talent Tools collects, uses, and protects personally identifiable information. At Talent Tools, protecting personally identifiable information about you is important to us. We strive to protect the personal information under our control and take certain precautions to help maintain the security and integrity of that data.

Our website ("Site") is not intended for children and we do not knowingly collect data relating to children. Please contact us at team@talenttools.com.au if you believe we have inadvertently collected information from a child.

1. HOW TALENT TOOLS RECEIVES YOUR INFORMATION

1.1 Most of the personally identifiable information we receive relates to an employer's human resources plans or programs. There are several ways that we could receive personal information:

(a) You might provide the information directly as a participant;

(b) Your employer or service providers (such as payroll processors, insurers, or mutual funds) that have a part in administering your employer's plans or programs might provide the information;

(c) You might provide information as a visitor to Talent Tools' websites, including this Site, or choose to participate in some type of information exchange, including inquiries about employment with Talent Tools, requests about Talent Tools' products and services and queries about Talent Tools' sponsored seminars and events;

(d) We may also receive personal information from companies that choose to participate in surveys;

(e) As you interact with our Site, we will automatically collect technical information about your equipment, browsing actions and patterns. We collect this technical personal information by using cookies and other similar technologies. Please see our cookie policy below for further details; and

(f) We may also receive personal information about you from other third parties and publicly available sources from time to time.

1.2 The types of personal information we receive, use and store may include:

(a) Contact information and other identifiers, such as name, address, phone number, email address, government assigned identification, or bank account number as required to provide our services;

(b) Demographic information, such as date of birth, gender, and marital status;

(c) Employment information, such as date of employment, employment status, payroll history, tax deduction information, performance records, and date of termination;

(d) Transaction information, such as details about payments to and from you and other details of products you have purchased from us;

(e) Technical information, such as internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this Site;

(f) Usage information, such as information about how you use our Site, products and services, and your preferences, feedback and survey responses; and

(g) Marketing and communications information, such as your preferences in receiving marketing from us and our third parties, your communication preferences and information relating to your use of our products and services and interactions with our staff including phone and email communications.

1.3 We also collect, use and share aggregated data such as statistical or demographic information for any purpose. Aggregated data could be derived from your personal information but is not considered personal information in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your usage information to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal information so that it can directly or indirectly identify you, we treat the combined data as personal information which will be used in accordance with this Data Privacy Statement.

1.4 We do not collect any special categories of personal information about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

2. IF YOU FAIL TO PROVIDE PERSONAL INFORMATION

2.1 Where we need to collect personal information by law, or under the terms of any agreement we have with you, and you fail to provide that information when requested, we may not be able to provide our services to you or grant you access to our products and services. In this case, we may have to cancel the arrangements or any account you have with us, but we will notify you if this is the case at the time.

3. HOW WE USE YOUR PERSONAL INFORMATION  

3.1 We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

(a) Where we need to perform the agreement we are about to enter into or have entered into with you or your employer, including but not limited to, administering any of your employer's plans or programs;

(b) Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Legitimate interests for our business include conducting and managing our business to enable us to give you the best service and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal information for our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us;

(c) Where it is necessary to protect the property, interests and rights of Talent Tools and/or your employer;

(d) Where we need to comply with a legal obligation that we are subject to; and

(e) Where such use of the data has been authorised by you.

4. PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL INFORMATION  

1.1 We have set out below, in a table format, a description of the ways we plan to use your personal information, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

1.2 Note that we may process your personal information for more than one lawful ground depending on the specific purpose for which we are using your personal information. Please contact us if you need details about the specific legal ground we are relying on to process your personal information where more than one ground has been set out in the table below.

Purpose/Activity: To register you to a plan or program and verify your identity
Type of data: Contact, Demographic, Employment
Basis for processing including basis of legitimate interest:
(a) Performance of a contract

Purpose/Activity: To provide our services and products to you including (but not limited to):
(a) Manage payments, fees and charges
(b) Maintain your account with us
(c) Collect and recover money owed to us
(d) Undertake credit checks (if necessary)
(e) Enforce our rights under our agreement with you
Type of data: Contact, Demographic, Employment, Transaction, Usage, Marketing and Communications
Basis for processing including basis of legitimate interest:
(a) Performance of a contract
(b) Necessary for our legitimate interests (to recover debts due to us and protect our business)

Purpose/Activity: To manage our relationship with you which will include, but is not limited to:
(a) Responding to communications or enquiries from you in relation to the products and services, including any complaints
Type of data: Contact, Demographic, Usage, Marketing and Communications
Basis for processing including basis of legitimate interest:
(a) Performance of a contract
(b) Necessary to comply with a legal obligation
(c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products and services, to develop our website, products and services and grow our business)

Purpose/Activity: To enable you to complete a survey
Type of data: Contact, Demographic, Usage, Marketing and Communications
Basis for processing including basis of legitimate interest:
(a) Performance of a contract
(b) Necessary for our legitimate interests (to study how customers use our products and services, to develop them and grow our business)

Purpose/Activity: To administer and protect our business and this Site (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
Type of data: Contact, Technical
Basis for processing including basis of legitimate interest:
(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud)
(b) Necessary to comply with a legal obligation

Purpose/Activity: To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you
Type of data: Contact, Demographic, Usage, Marketing and Communications, Technical
Basis for processing including basis of legitimate interest:
(a) Necessary for our legitimate interests (to study how customers use our products and services, to develop them, to grow our business and to inform our marketing strategy)

Purpose/Activity: To use data analytics to improve our website, products and services, marketing, customer relationships and experiences and for historical, statistical or research purposes
Type of data: Technical, Usage
Basis for processing including basis of legitimate interest:
(b) Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop and improve our business and to inform our marketing strategy)

Purpose/Activity: To make suggestions and recommendations to you about products and services that may be of interest to you
Type of data: Contact, Demographic, Technical, Usage, Profile, Marketing and Communications
Basis for processing including basis of legitimate interest:
(a) Necessary for our legitimate interests (to develop our products and services and grow our business)

Purpose/Activity: To comply with our relevant legal obligations (such as where we have a legal obligation to disclose data to a third party)
Type of data: Contact, Demographic, Employment, Transaction, Technical, Usage, Profile, Marketing and Communications
Basis for processing including basis of legitimate interest:
(a) Necessary to comply with a legal obligation

 

5. PROMOTIONAL OFFERS FROM US 

5.1 We may use your Contact, Demographic, Technical and Usage information to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products and services and offers may be relevant for you. You will receive marketing communications from us if you have requested information from us, or subscribed to our products and services, and you have not opted out of receiving that marketing.

6. THIRD-PARTY MARKETING 

6.1 We will get your express consent before we share your personal information with any third party for marketing purposes. You can ask us or third parties to stop sending you marketing messages at any time by contacting us. Where you opt out of receiving these marketing messages, this will not apply to personal information provided to us as a result of a product purchase, product experience or other transaction.

7. CHANGE OF PURPOSE 

7.1 We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

7.2 If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

7.3 Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

8. DISCLOSURES OF YOUR PERSONAL INFORMATION 

8.1 We may share your personal information with the parties set out below for the purposes set out in the table above.

(a) External third parties, such as

i) Your employers or service providers or such other third parties that have a part in administering your employer's plans or programs;

ii) Service providers who provide IT, website hosting and system administration services; and

iii) Payment services and credit agencies (where applicable).

(b) Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal information in the same way as set out in this privacy policy;

(c) Professional advisors including lawyers, accountants, bankers, creditors and insurers who provide consultancy, banking, legal, insurance and accountancy services; and

(d) Any other third party, where you have given your express consent for us to do so.

8.2 We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.

8.3 Some of our external third parties may be based outside of Australia, so their processing of your data may involve a transfer of your data overseas.  In such circumstances we may (where we determine it is necessary to do so) enter into specific terms, contracts or otherwise require that third party to give your personal information the same protection it has in Australia.

8.4 We will not sell your personally identifiable information to a third party.

9. TALENT TOOLS' COMMITMENT TO PROTECTING PERSONALLY IDENTIFIABLE INFORMATION

9.1 We have implemented various security measures to help reduce the risk of unauthorised processing or disclosure of personal information and accidental loss, destruction, or damage to your personal information. We have implemented a computer security policy and related procedures, and we train our employees about data security issues. Only employees who have a job-related need to access personal information are authorised to do so and they have agreed to protect the confidentiality of that information. In addition to these employees, only your employer and particular service providers are authorised to access your personal information. We also require that our subcontractors enter into confidentiality agreements intended to protect your personal information. Our commitment to protecting personally identifiable information also means that:

10. DATA RETENTION 

10.1 We will only retain your personal information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

10.2 To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

10.3 By law we have to keep basic information about our customers for 6 years after they cease being customers for tax purposes.

10.4 In some circumstances you can ask us to delete your data. Please refer to your legal rights below for further information.

10.5 In some circumstances we will anonymise your personal information (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

11. ACCESSING YOUR DATA 

11.1 You will not have to pay a fee to access your personal information or to exercise any of your other rights including your right to be informed about the collection and use of data, right to rectify incorrect data, right to restriction of process, right to data portability and the right to be forgotten. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

11.2 We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

11.3 We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated as to the progress of your request.

12. MAKING CORRECTIONS

12.1 Talent Tools is committed to accurately maintaining your personally identifiable information. Although we can't guarantee that your personal information will be 100% accurate at all times, we'll take reasonable steps to correct personal information that is properly identified as incorrect. If you need to update or correct your personal information contact team@talenttools.com.au. Please understand that, in some circumstances, only your employer, and not Talent Tools, may have the authority to update or correct your personal information. If this information is the type that only your employer can update or correct, we'll forward your request to your employer.

13. COOKIES

13.1 Talent Tools tracks content usage and traffic on this Site by using "cookies," a feature of your browser. A cookie is a text file that is placed on your hard disk by a Web page server. Talent Tools uses cookies to help it compile aggregate statistics about usage of this Site, such as how many users visit the Site, how long users spend viewing the Site, and what pages are viewed most often. This information is used to improve the content of the Site; it is not shared with any other party for any commercial purposes. You can set your browser to notify you when you are sent a cookie. This gives you the chance to decide whether or not to accept it. If you disable cookies however, you may not be able to take advantage of all the features of this Site.

13.2 Please note that links to third party websites, plug-ins and applications may also use cookies, over which we have no control.

14. THIRD-PARTY LINKS

14.1 This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

15. NOTIFICATION OF UPDATES

15.1 Occasionally, we may update this Data Privacy Statement. We'll notify you about material changes in the way we treat personally identifiable information by placing a notice on our Site.

15.2 Any new Data Privacy Statement will apply to the information already collected at the time of the update.

15.3 We encourage you to periodically review this Data Privacy Statement so that you'll always know what information we collect, how we use it, and to whom we disclose your information.

16. CONTACT INFORMATION

16.1 When using our Site, Talent Tools is the controller and is responsible for your personal information.

16.2 Talent Tools reserves the right to modify this Data Privacy Statement at any time. If you have any questions or complaints about Talent Tools' use of your personally identifiable information or about this Data Privacy Statement, please send an email to: team@talenttools.com.au

 

Extended DISC FinxS System Security & Privacy Statement

 

European Union General Data Protection Regulation (GDPR)

In 1980, in an effort to create a comprehensive data protection system throughout Europe, the Organization for Economic Cooperation and Development (OECD) issued its "Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data". The seven principles governing the OECD's recommendations for protection of personal data were:

1. Notice: data subjects should be given notice when their data is being collected;

2. Purpose: data should only be used for the purpose stated and not for any other purposes;

3. Consent: data should not be disclosed without the data subject's consent;

4. Security: collected data should be kept secure from any potential abuses;

5. Disclosure: data subjects should be informed as to who is collecting their data;

6. Access: data subjects should be allowed to access their data and make corrections to any inaccurate data; and

7. Accountability: data subjects should have a method available to them to hold data collectors accountable for not following the above principles.

In January 2012, the European Commission proposed a comprehensive reform of data protection rules in the EU. The completion of this reform is a policy priority for 2015. The objective of this new set of rules was to give citizens back control over their personal data, and to simplify the regulatory environment for business. The data protection reform was a key enabler of the Digital Single Market which the Commission has prioritized. The reform was to allow European citizens and businesses to fully benefit from the digital economy.

On 27 April 2016, the European Parliament and the Council decided on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation), to be in effect on 25 May 2018.

Under GDPR, personal data can only be gathered legally under strict conditions, for a legitimate purpose. Furthermore, persons or organizations which collect and manage personal information must protect it from misuse and must respect certain rights of the data owners which are guaranteed by EU law.

Data may be processed only under the following circumstances (art. 7):

when the data subject has given their consent.
when the processing is necessary for the performance of or the entering into a contract.
when processing is necessary for compliance with a legal obligation.
when processing is necessary in order to protect the vital interests of the data subject.
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed.
processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject.

The data subject has the right to access all data processed about him. The data subject even has the right to demand the rectification, deletion or blocking of data that is incomplete, inaccurate or isn't being processed in compliance with the data protection rules. (art. 12)

To protect the rights and freedom of an individual (data subject), the data subject has been assigned certain rights:

Right of access by the data subject (The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data) art 15
Right to rectification (The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.) art 16
Right to erasure ('right to be forgotten') (The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay) art 17
Right to restriction of processing (The data subject shall have the right to obtain from the controller restriction of processing) art 18
Right to data portability (The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller) art 20
Right to object and automated individual decision-making (The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her) art 21
Automated individual decision-making, including profiling (The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.) art 22

Data Protection Policy

The data protection policy defines the goals, principles, responsibilities and implementation of data protection during the time data is stored in the FinxS System. The data protection policy complies with European Union and local legislation.

FinxS Oy Ltd assumes that all its partners within the European Union align with and commit themselves to complying with the same data protection policy.

A high level of data protection is crucially important for the continuity of the business of FinxS Oy Ltd. The FinxS System is used by a large number of clients from all around the world and we must guarantee the protection of their data to the best reasonably possible level. Our aim is to guarantee the availability of our services in all situations. Most of the details in data protection are classified information either due to security reasons or requirements by legislation.

The main principles in data protection are:

Data availability and usability (those who are entitled to access the data should be able to do it without unnecessary delay)
Data confidentiality (data is accessed only by persons who have rights to the data)
Data consistency (there are no unauthorized edits to the data and it has not been changed due to irregular errors)
Data non-repudiation (owner or provider of the data cannot deny providing the data)

The purpose of the data protection policy is to:

Guarantee the trust of the user of the FinxS System
Fulfill all legal obligations
Guarantee the continuity of the business
Guarantee the continuity of the production

Data Security Policy

Maintaining data security is an integral part of the business of FinxS Oy Ltd. It is closely connected with data protection and defines in more detail how data security and the rights of data subjects are lawfully covered in the different elements of the FinxS System.

Processing personal data

Processing personal data is based on the consent of the data subject and other grounds defined by law. Data can be processed only by persons who need the data in completing their duties and only to the extent required for that. Personal data is processed only for the purpose it was originally collected for, unless otherwise agreed with the data subject. Personal data can be given to third parties only with permission from the data subject or as required by law. Personal data is stored only as long as needed for the purpose it was collected for or longer if required by law or other obligations.

Efforts are made to guarantee the correctness of the data. Data is updated when needed, based on information received from the data subject or other reliable sources. When data is no longer needed and its storage is not required by law, it will be removed with appropriate measures.

Responsibility for data protection is held by the party for whom the data was originally collected. Every person involved needs to be aware of and manage the data protection and risks concerned. Data processing is controlled by law and good practices, including being responsible for one's actions.

Personal data is stored in the FinxS System or in systems that FinxS Oy Ltd has sub-contracted. Non-authorized persons do not have access to the system, nor are they given any information without consent from the data subject.

Rights of data subject

The data subject has the right to check and correct information concerning him/her. The data subject also has (as detailed by law) the right to ask for their data to be removed, to limit the processing of the data, and to transfer the data to another data processor.

Server location

FinxS System Servers are located within the European Union. They shall not be moved from the EU/EEA without prior written consent from the users.

Server communication

FinxS System Servers are protected against unauthorized access. They use an SSL certificate to ensure secured internet communication (HTTPS protocol). All communication between FinxS and the client browser is encrypted. The server has a regularly updated firewall and virus protection.

Email security

The FinxS System allows users to encrypt email attachments that contain assessment reports of the data subject. Passwords are defined and known only by users and can be different for each data collection project.

Development software

All development and maintenance software is updated regularly. All available security fixes are applied immediately.

System software

System software is updated regularly. All available security fixes are applied immediately. Error tracking software is in place to detect any user-experienced problems and server-side errors so that they can be fixed immediately.

Contingency plan

The FinxS System's database is replicated in multiple locations. The procedure for taking a back-up copy into use, should it be needed, is well documented, and the documents are updated annually together with all security policies.

Logs

The system keeps logs of all main activities to protect the rights of data subjects. Among other activities, logs are created for API communication by client servers, failed login attempts, successful and failed data collection, user logins, the possibility of different entities to access personal data, deletion of personal data and system errors.

Data breach policy

In case of a known or suspected data breach, the entities the data breach may affect will be notified without undue delay and as required by GDPR.

User access

Login to the data collection features of the FinxS System is protected by an Access Code and Password, and is controlled by the administrative user. A separate login procedure exists for the administration features. The passwords are changed regularly. Users are routinely informed about the risks of not changing their personal passwords. The login time to the system is limited.

Physical premises

Entry to the building is protected by password control. Entrance is allowed only by registration and acceptance by a contact person. The route to the engine room is controlled by a movement detection system and recording cameras. Entry to the engine room is only possible when escorted by a staff member. All visits are to be agreed beforehand. The identity of each person entering the room is checked. The engine room is air conditioned and humidity controlled, and the power supply is protected by a UPS system. The fire plan is accepted by the local fire department, and an emergency fire system is in place that does not cut off the server power supply when in use. A 24/7 support center monitors the server room. An external security service is contracted to protect access to the building.

The server room is audited to be, among other things, PCI-DSS compatible, and the service provider has provided an ISO 27001 certificate.

Data connections

All data connections are doubled by using different physical routes and locations. Data is secured by a replicated back-up system.

System downtime

Normal system updates do not require system downtime. Operating system updates may require downtime, but it is limited to no longer than 1% of time. FinxS cannot control force majeure downtimes caused by reasons beyond its control.

Privacy statement

FinxS Oy Ltd is committed to securing all its customers' privacy and providing secure and safe solutions. Trustworthy computing under all circumstances is the leading guideline for operations. No compromises need to be made, nor are shortcuts in security controls tolerated.

All user information is confidential. FinxS Oy Ltd will always conform to legal requirements and will never sell, share or hand out any sensitive or personal information of our customers.

Policies, processes, procedures, responsibilities, guidelines and reporting are periodically reviewed and, if necessary, updated as part of standard operational duties.

Security Vulnerability Disclosure Policy

If you believe you have found a security vulnerability on the Nebula website or service, we encourage you to let us know right away by reporting it to info@finxs.com. We will investigate all legitimate reports and do our best to quickly fix the problem. Before reporting, though, please review this page, including our responsible disclosure policy, reward guidelines, and those things that should not be reported.

Responsible Disclosure Policy

If you comply with the policies below when reporting a security issue to FinxS Oy Ltd, we will not initiate a lawsuit or law enforcement investigation against you in response to your report. We ask that:

You give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.

You make a good faith effort to avoid security violations and disruptions to FinxS System and services, including (but not limited to) destruction of data and interruption or degradation of our services.

You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk or probing for additional issues.)

You do not violate any other applicable laws or regulations.

For more detailed information, please contact info@finxs.com.

***

We follow the recommendations, policies and law set by the European authorities. We also assume our partners comply with the law and regulations, and we only work with partners who commit themselves to these same principles.

April 10th, 2018

FinxS Oy Ltd