Privacy Policy

LAST MODIFIED: SEPTEMBER 4, 2024

At Thoropass, respect for the privacy of personal and other information is extremely important to us. This privacy policy describes our collection of personal information from users of our Web site (“Website” or “Site”), our Platform, as well as all related applications, widgets, software, tools, and other services provided by us and on which a link to this Policy is displayed (collectively, together with the Website, our “Service”). This Policy also describes our use and disclosure of such information.

The Thoropass Service is intended for and provided to businesses and other organizations, and not individual consumers or end-users. In providing the Service we may process personal information of consumers or end-users at the direction of our enterprise customers. When we do, we do so as a service provider or a “data processor” to those organizations, but we do not control and are not responsible for the privacy practices of those organizations. This Policy does not apply to personal information we process as a service provider or data processor on behalf of our enterprise customers. If you are a consumer end-user of one of those organizations, you should read that organization’s privacy statement and direct any privacy inquiries to that organization.

Thoropass complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Thoropass has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Thoropass has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/

Thoropass is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). Thoropass is held liable in cases of onward transfers to third parties.

COLLECTION OF PERSONAL INFORMATION

The personal data we collect depends on how you interact with us, the services you use, and the choices you make. Note that we do not “sell” personal information as defined by the CCPA and have not done so in the past. We collect information about you from different sources and in various ways when you use our services, including information you provide directly, information collected automatically, third-party data sources, and data we infer or generate from other data.

Consent is obtained where required by law, and contractual necessity applies to processing that is necessary to fulfill our obligations in providing our services to you. We limit our processing to what is necessary for these specific purposes. Additionally, we may process your personal data for compliance with legal obligations, protecting vital interests, performing tasks in the public interest, and pursuing legitimate interests (subject to certain conditions).

Information you provide directly. We collect personal data you provide to us. For example:

CONTACT INFORMATION. We collect name, username or alias, email address, postal address, phone number, and fax number.

DEMOGRAPHIC AND PREFERENCE DATA. In some cases, such as when you register or participate in surveys, we request that you provide details on your interests, preferences, or other demographic information.

PAYMENT INFORMATION. If you make a purchase or other financial transaction, we collect credit card numbers, financial account information, and other payment details.

CONTENT AND FILES. We collect documents or other files you upload to the Service or otherwise provide to us; and if you send us email messages or other communications, we collect and retain those communications.

Information we collect automatically. When you use our services, we collect some information automatically. For example:

IDENTIFIERS AND DEVICE INFORMATION. When you access the Service, our web servers automatically log your internet protocol (IP) address and information about your device, including device identifiers (such as MAC address); device type; and your device’s operating system, browser, and other software including type, version, language, settings, and configuration. As further described in the cookies and similar technologies section below, our Service stores and retrieves cookie identifiers and other data.

GEOLOCATION DATA. Depending on your device and browser settings, we collect geolocation data when you use the Service.

USAGE DATA. We automatically log your activity on the Service, including the URL of the website from which you came to the Service, pages you viewed, how long you spent on a page, cursor movements, text input, access times, and other details about your use of and actions on the Service.

INFORMATION WE OBTAIN FROM THIRD-PARTY SOURCES. We may receive personal information about you from data brokers, partners, service providers, social networks, and publicly available sources. We may combine this information with other personal information we maintain about you.
When you are asked to provide personal information, you may decline, and you may use web browser or operating system controls to prevent certain types of automatic data collection; but if you choose not to provide or allow information that is necessary for the Service, the Service or certain aspects of it may not be available or fully functional.

COOKIES AND SIMILAR TECHNOLOGIES

What are cookies and similar technologies?

We use cookies, web beacons, and similar technologies to operate our Service and to help collect data, including usage data, identifiers, and device information.

Cookies are small text files placed by a website and stored by your browser on your device. A cookie can later be read when your browser connects to a web server in the same domain that placed the cookie. The text in a cookie contains a string of numbers and letters that may uniquely identify your device and can contain other information as well. This allows the web server to recognize your browser over time, each time it connects to that web server.

Web beacons are electronic images (also called single-pixel or clear GIFs) that are contained within a website or email. When your browser opens a webpage or email that contains a web beacon, it automatically connects to the web server that hosts the image (typically operated by a third party). This allows that web server to log information about your device and to set and read its own cookies. In the same way, third-party content on our Site (such as embedded videos, plug-ins, or ads) results in your browser connecting to the third-party web server that hosts that content. We may also include web beacons in email messages to tell us if you open and act on them.

How do we and our partners use cookies and similar technologies?

We, and our analytics and advertising partners, use these technologies on our Service to collect information (such as the pages you visit, the links you click on, and similar usage information, identifiers, and device information) when you use the Service. This information is used to store your preferences and settings, enable you to sign in, analyze how our Service performs, track your interaction with the Service, develop inferences, show you advertising about the Service after you visit our Website, combat fraud, and fulfill other legitimate purposes.

What controls are available?

ADVERTISING CONTROLS. Our advertising partners may participate in associations that provide simple ways to opt out of ad targeting, which you can access at:
United States: Network Advertising Initiative (NAI) (HTTP://optout.networkadvertising.org) and Digital Advertising Alliance (DAA) (HTTP://optout.aboutads.info/)
Canada: Digital Advertising Alliance of Canada (HTTPS://youradchoices.ca/)
Europe: European Digital Advertising Alliance (HTTP://www.youronlinechoices.com/)
These choices are specific to the browser you are using. If you access the Service from other devices or browsers, take these actions from those systems to ensure your choices apply to the data collected when you use those systems.

BROWSER COOKIE CONTROLS. Most web browsers are set to accept cookies by default. If you prefer, you can go to your browser settings to learn how to delete or reject cookies. If you choose to delete or reject cookies, this could affect certain features or services of our website. If you choose to delete cookies, settings and preferences controlled by those cookies, including advertising preferences, may be deleted and may need to be recreated.

EMAIL WEB BEACONS. Most email clients have settings which allow you to prevent the automatic downloading of images, including Web Beacons, which prevents the automatic connection to the web servers that host those images.

DO NOT TRACK. Some browsers have incorporated “Do Not Track” (DNT) features that can send a signal to the websites you visit indicating you do not wish to be tracked. Because there is not a common understanding of how to interpret the DNT signal, our Service does not currently respond to browser DNT signals. Instead, you can use a range of other tools to control data collection and use, including the cookie controls and advertising controls described above.

USE OF PERSONAL INFORMATION

We use the personal data we collect for purposes described in this Policy or otherwise disclosed to you. For example, we use each of the categories of personal information for the following purposes:

PRODUCT AND SERVICE DELIVERY. To provide and deliver our Service, including troubleshooting, improving, and personalizing the services.

BUSINESS OPERATIONS. To operate our business, such as billing, accounting, improving our internal operations, securing our systems, detecting fraudulent or illegal activity, and meeting our legal obligations.

PERSONALIZATION. To understand you and your preferences to enhance your experience and enjoyment using the Service.

CUSTOMER SUPPORT. To provide customer support and respond to your questions.

COMMUNICATIONS. To send you information, including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages.

MARKETING. To communicate with you about new services, offers, promotions, rewards, contests, upcoming events, and other information about our Services and those of our selected partners (see the Choice and Control section of this Policy for how to opt out from promotional communications).

ADVERTISING. To display advertising to you (see the Cookies section of this Privacy Statement for information about personalized advertising and your advertising choices).
DISCLOSURE OF PERSONAL INFORMATION

We will disclose your personal information to third parties with your consent or as necessary to complete your transactions or provide the services you have requested or authorized. For example, when you provide payment data to make a purchase, we will share that data with banks and other entities as necessary for payment processing, fraud prevention, credit risk reduction, or other related financial services.

In addition, we share each of the categories of personal data described above for the following business purposes:

We may disclose personal information to third-party service providers (e.g., data storage and processing facilities, third-party vendors, consultants) that assist us in our work. We limit the personal information provided to these service providers to that which is reasonably necessary for them to perform their functions.

We may also disclose personal information, including to law enforcement or other government agencies, if we believe that doing so is legally required or is in our interest to protect our property or other legal rights (including, but not limited to, enforcement of our agreements), or the rights, property, or safety of others.

In addition, we may disclose personal information about our users as part of any merger, acquisition, debt financing, sale of company assets, or similar transaction, as well as in the event of an insolvency, bankruptcy, or receivership in which personal information could be transferred to third parties as one of our business assets.

Third-party analytics and advertising companies, acting on our behalf as our service providers, also collect personal information through our Service as described in the Cookies section of this Policy. For example, we use an analytics tool from FullStory to help us better understand how our Service is used. Likewise, we use Google Analytics on our website to help us understand how users interact with our website; you can learn how Google collects and uses information at www.google.com/policies/privacy/partners.

Finally, we may share de-identified information in accordance with applicable law.

Please note that the Service may contain links to other Websites, products, or services that we do not own or operate. If you choose to visit or use any third-party products or services, please be aware that this Policy will not apply to your activities or any information you disclose while using third-party products or services or otherwise interacting with third parties.

We maintain a list of our subprocessors here: https://trust.thoropass.com/?itemUid=e3fae2ca-94a9-416b-b577-5c90e382df57&source=click

CHOICE & CONTROL OF PERSONAL INFORMATION

ACCESS, CORRECTION, AND DELETION. You can access, correct, or delete certain personal information you have provided by logging into the Service with your account. If you are unable to access certain personal information via your account, you can request access by contacting us as described at the bottom of this Policy; however, to the extent permitted by applicable law, we reserve the right to decline requests that are unreasonable or excessive, where providing the data would be prohibited by law or could adversely affect the privacy or other rights of another person, where deleting data would interfere with a legal or business obligation that requires retention of the data, or where we are unable to authenticate you as the person to whom the data relates.

COMMUNICATIONS PREFERENCES. If you receive commercial email from us, you may unsubscribe at any time by following the instructions contained within the email. You may also opt out from receiving commercial email from us by sending us an email or by writing to us at the address given at the end of this policy.

CHOICES FOR COOKIES AND SIMILAR TECHNOLOGIES.
See the Cookies section of this Policy for choices about cookies and other analytics and advertising controls.

EUROPEAN DATA PROTECTION RIGHTS

If the processing of personal data about you is subject to European Union data protection law, you have certain rights with respect to that data:

You can request access to, and rectification or erasure of, personal data;
If any automated processing of personal data is based on your consent or a contract with you, you have a right to transfer or receive a copy of the personal data in a usable and portable format;
If the processing of personal data is based on your consent, you can withdraw consent at any time for future processing;
You can object to, or obtain a restriction of, the processing of personal data under certain circumstances; and
For residents of France, you can send us specific instructions regarding the use of your data after your death.

To make such requests, please use the contact information at the bottom of this Policy. When we are processing data on behalf of another party that is the “data controller,” you should direct your request to that party. You also have the right to lodge a complaint with a supervisory authority, but we encourage you to first contact us with any questions or concerns.

We rely on different lawful bases for collecting and processing personal data about you, for example, with your consent and/or as necessary to provide the services you use, operate our business, meet our contractual and legal obligations, protect the security of our systems and our customers, or fulfill other legitimate interests.

Thoropass complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Thoropass has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Thoropass has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/

We have engaged an independent dispute resolution provider based in the U.S. to address complaints and provide appropriate recourse to individuals free of charge. If you believe your concerns were not addressed by contacting us directly, you can contact The International Centre for Dispute Resolution® (ICDR®) (the international division of the American Arbitration Association® (AAA®)) at https://go.adr.org/dpf-annexi-fund.html to file a complaint. You can also file a case by mail or email by completing the appropriate Notice of Arbitration Form and forwarding it to the International Centre for Dispute Resolution:

International Centre for Dispute Resolution
Case Filing Services
1101 Laurel Oak Road, Suite 100
Voorhees, NJ 08043
United States
Phone: +1.212.484.4181
Email box: [email protected]

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Thoropass commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.

CALIFORNIA PRIVACY RIGHTS

If you are a California resident and the processing of personal information about you is subject to the California Consumer Privacy Act (“CCPA”), you have certain rights with respect to that information.

RIGHT TO KNOW. You have a right to request that we disclose to you the personal information we have collected about you. You also have a right to request additional information about our collection, use, disclosure, or sale of such personal information. Note that we have provided much of this information in this Policy. You may make such a “request to know” by contacting us using the email address at the bottom of this Policy.

RIGHT TO REQUEST DELETION. You also have a right to request that we delete personal information under certain circumstances, subject to a number of exceptions. You can exercise this right by logging in to the Service and removing information you have previously provided or by contacting us with your request using the email address at the bottom of this Policy.

RIGHT TO OPT-OUT. You have a right to opt out from future “sales” of personal information. Note that we do not “sell” personal information as defined by the CCPA and have not done so in the past.

You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights under the CCPA.
Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, and we may need you to verify your identity directly with us. Further, to provide or delete specific pieces of personal information we will need to verify your identity to the degree of certainty required by law. We will verify your request by asking you to send it from the email address associated with your account or requiring you to provide information necessary to verify your account.

Finally, you have a right to receive notice of our practices at or before collection of personal information, and you have a right to not be discriminated against for exercising these rights set out in the CCPA.

Additionally, under California Civil Code section 1798.83, also known as the “Shine the Light” law, California residents who have provided personal information to a business with which the individual has established a business relationship for personal, family, or household purposes (“California Customers”) may request information about whether the business has disclosed personal information to any third parties for the third parties’ direct marketing purposes. Please be aware that we do not disclose personal information to any third parties for their direct marketing purposes as defined by this law. California Customers may request further information about our compliance with this law by emailing [email protected]. Please note that businesses are required to respond to one request per California Customer each year and may not be required to respond to requests made by means other than through the designated email address.

RETENTION OF PERSONAL INFORMATION

We retain personal information for as long as necessary to provide the Service and fulfill your transactions, comply with our legal obligations, resolve disputes, fulfill our contractual obligations, enforce our agreements, and other legitimate and lawful business purposes.
LOCATION OF PERSONAL INFORMATION

Our Service is hosted in the United States and all personal information collected in connection with the Service is stored in the United States. If you are visiting our Site, using our Service, or otherwise providing personal information to us from outside the United States, please be aware that you are transferring personal information to the United States.

Thoropass complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Thoropass has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Thoropass has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/

We are subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). We are held liable in cases of onward transfers to third parties.

DATA SECURITY

Thoropass protects the personal information it collects with reasonable and appropriate physical, electronic, and procedural safeguards. We use reasonable security measures that are designed to protect personal information from loss, misuse, and unauthorized access, disclosure, alteration, or destruction.
Please note, however, that no data security measures can be guaranteed to be completely effective. Consequently, we cannot ensure or warrant the security of any personal information or other information. You transmit information to us at your own risk. If you have an account with us, to help us protect personal information, we request that you use a strong password and never share your password with anyone or use the same password with other sites or accounts.

AI USE

Thoropass utilizes artificial intelligence (AI) technologies, specifically Google Vertex AI and Azure OpenAI, to enhance and improve our platform and services. The AI models are trained using customer-provided documents, such as policies, procedures, and audit reports, to enable features like automated question answering and relevant information extraction.

Purpose of AI Use

The primary purpose of using AI is to facilitate and assist customers in navigating the compliance process. By training AI models on customer-provided documents, we aim to automate the extraction of relevant information and provide accurate responses to questionnaire items, thereby reducing the manual effort required by our customers.

Data Used for AI Training

To train our AI models, we use customer-provided documents that may contain personal information. However, we strive to follow data protection principles with respect to the use of personal data in the training process and encourage our customers to provide sanitized versions of their documents whenever possible. The types of personal data that may be present in these documents include names, email addresses, phone numbers, addresses, and other employee-related information. Such data is used in accordance with applicable data protection laws and Thoropass’s data governance practices.
Data Processing and Storage

All AI-related data processing and storage is performed within the Google Vertex AI platform, which is hosted in Google Cloud Platform data centers located in the United States, and Azure OpenAI, which is hosted in Azure within Microsoft’s data centers in the United States. Learn more about Google Cloud’s and Azure OpenAI’s Data Processing & Security measures at https://cloud.google.com/terms/data-processing-addendum and https://learn.microsoft.com/en-us/legal/cognitive-services/openai/data-privacy, respectively. We have implemented appropriate technical and organizational measures to ensure the security and confidentiality of the data processed by our AI models.

Customer Control and Consent

By uploading documents to our platform, customers consent to the use of their data for the purpose of improving our services, as outlined in our Terms of Service (https://thoropass.com/terms-and-conditions/) and Master Service Agreement (https://thoropass.com/master-subscription-agreement/). However, customers may opt out of having their documents used for AI training by contacting our support team.

Transparency and Fairness

We are committed to being transparent about our AI use and using our AI models in a fair and unbiased manner. We regularly monitor and assess our AI systems for potential biases or discriminatory outcomes and take appropriate measures to mitigate any identified issues. Any disclosures about any modifications will be made in accordance with applicable law and in a manner that balances transparency with the protection of Thoropass’s intellectual property and confidential information.

Limitations and Human Oversight

While we strive for accuracy and reliability when using AI-powered features, we acknowledge that AI technology is still evolving and may have limitations. Therefore, we provide human oversight and review mechanisms to validate the outputs generated by our AI models. This validation process supports the continued appropriate use of the AI system’s outputs and mitigates potential risks. Customers are encouraged to review and approve all AI-generated responses before relying on them for compliance purposes.

Privacy and Security Safeguards

We have implemented robust privacy and security safeguards to protect the data used for AI training and the personal information of our customers. These safeguards include:

Access controls and strict data access policies based on the principle of least privilege
Encryption of data in transit and at rest
Regular security audits and assessments
Employee training on data privacy and security best practices
Contracts with subprocessors that include data protection obligations

For more information about our privacy and security practices, please refer to our Trust Center at https://trust.thoropass.com/.

UPDATES TO THIS POLICY

We may occasionally update this policy. When we do, we will also revise the “last updated” date at the beginning of the policy. If we make material changes to the statement, we will provide notice or obtain consent regarding such changes as may be required by law. Your continued use of this Service after such changes will be subject to the then-current policy.

CONTACTING US

If you have any questions, comments, or concerns about this privacy policy or your personal information, please contact us at [email protected]. Our mailing address is 228 Park Ave S, PMB 41082, New York, NY 10003, United States.

Independent/Alternative Dispute Resolution Provider

We have engaged an independent/alternative dispute resolution provider based in the U.S. to address complaints and provide appropriate recourse to individuals free of charge. If you believe your concerns were not addressed by contacting us directly, you can contact The International Centre for Dispute Resolution® (ICDR®) (the international division of the American Arbitration Association® (AAA®)) at https://go.adr.org/dpf-annexi-fund.html to file a complaint. You can also file a case by mail or email by completing the appropriate Notice of Arbitration Form and forwarding it to the International Centre for Dispute Resolution:

International Centre for Dispute Resolution
Case Filing Services
1101 Laurel Oak Road, Suite 100
Voorhees, NJ 08043
United States
Phone: +1.212.484.4181
Email box: [email protected]

Thoropass provides the possibility, under certain conditions, for individuals to invoke binding arbitration.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Thoropass commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.