Privacy Policy

Effective: November 1, 2024
To see previous versions, click here.
I. GENERAL PRINCIPLES
This Privacy Policy (“Privacy Policy”) outlines how OfficeRnD Limited, with a registered address at 69 Church Way North Shields NE29 0AE, United Kingdom and its global group of entities (the “OfficeRnD Group”), each of which is a separate legal entity, jointly referred to as “OfficeRnD”, “we”, “us” and/or “our” collects, uses, stores and otherwise processes personal data in relation to the provision of Services as defined in our Engagement Terms and what rights data subjects have with regard to such processing.
At OfficeRnD, we highly value your privacy and aim to follow strictly the applicable data protection legislation (the “Data Protection Laws”):
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“the GDPR”);
- the UK-GDPR;
- Any other local data protection, privacy laws or privacy regulations adopted in the countries where OfficeRnD operates and provides its Services.
Any processing of Personal Data relating to an identified or an identifiable individual (natural person) may only be processed in accordance with this Privacy Policy.
When we provide Services to our Subscribers and in terms of fulfilling our contractual obligations towards our clients, we act as a Data Controller. Any information and personal data provided by our Subscribers, or other content collected and uploaded by the Subscribers in the accounts (including any information regarding Subscribers’ Users or any other individuals the Subscriber has provided personal data of), is processed by us as a Data Processor, where the Subscriber is the Data Controller.
The relation between OfficeRnD in its capacity as a Data Processor and a subscriber acting as a Data Controller is governed by a separate agreement – the Data Processing Addendum.
In certain cases, another user (such as a company/workspace administrator, etc.) may create an account on your behalf, or on another individual’s behalf, and may provide your information, including Personal Data (most commonly when your company requests that you use our Services). Additionally, such companies/workspace administrators, etc. can request that you enter different categories of Personal Data in custom fields they create within our Services. It is the company administrator’s responsibility to configure the privacy settings of the fields containing such information. In such cases, we collect Information under the direction of our Subscribers and often have no direct relationship with the individuals whose personal data we process.
If you are an employee or visitor of one of our Subscribers, you should always review the policies of our Subscribers to make sure you are comfortable with the ways in which they collect and use your Personal Data. If you are providing information (including Personal Data) about someone else, for example, a visitor, you must have the authority to act for them and to consent to the collection and use of their Personal Data as described in this Privacy Policy.
Third-Party Products & Services. You may choose to integrate third-party products with OfficeRnD Services. If you choose to do so, you shall always review the policies of these third-party providers to make sure you are well aware of how they process personal data, what your rights are regarding this processing and whether you agree to the processing.
This Privacy Policy does not govern the process of collecting and processing Personal Data from job applicants and employees. Such Personal Data is collected and processed under the provisions of specific privacy policies.
II. DEFINITIONS
All capitalized terms that are not explicitly defined herein have the meaning ascribed to them in the Engagement Terms.
- Consent – It is any freely given, specific, informed and unambiguous indication of the data subject by which they agree with the processing of their Personal Data.
- Cookies – Cookies are small text files that are placed on your computer by websites that you visit. They are widely used to make websites work, or work more efficiently, as well as to provide information to the owners of the websites.
- Data Controller – The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of Personal Data.
- Data Subject – Means the natural person, whose data is being processed by the Data Controller and/or the Data Processor.
- Data Processor – Natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller.
- Device – Any medium used to access the OfficeRnD Services, including without limitation a desktop, laptop, mobile phone, tablet, IoT, or another consumer electronic device.
- DPO – Data Protection Officer.
- Joint Controllers – Entities that jointly determine the “means and purposes” of the processing of Personal Data.
- OfficeRnD Group – OfficeRnD Limited and its wholly owned subsidiaries – OfficeRnD Inc. (incorporated in the US) and OfficeRnD EOOD (incorporated in Bulgaria).
- Personal Data – Any information that relates to an identified or identifiable living individual (“Data Subject”). Different pieces of information, which are collected together can lead to the identification of a particular person and also constitute personal data. Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data.
- Processing of Personal Data – Any operation or set of operations performed on Personal Data or sets of Personal Data, whether by automated means, such as collecting, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Recipient – Recipient is a natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed, whether a Third-Party or not.
- Sub-Processor – The legal or natural person appointed by the processor to process Personal Data on behalf of the Controller.
- Third-Party – An individual or a company (i.e. consultants, agents, intermediaries, representatives, subcontractors, suppliers) that performs work, provides a service or sells goods to OfficeRnD.
III. SCOPE AND PURPOSE OF THE PRIVACY POLICY
This Privacy Policy applies to the processing of personal data when our Services are provided through:
- our SaaS Platforms.
- the Mobile Application developed by us.
- our Websites (https://www.officernd.com/ and https://flexworld.io) (the “Websites” and each of them separately referred to as the “Website”).
OfficeRnD Group (each of its entities acting as a Data Controller or as a Data Processor as the case may be) globally applies this Privacy Policy as a minimum standard for protecting the Personal Data of its Subscribers and any individual whose Personal Data needs to be processed in conformity with this Privacy Policy. OfficeRnD entities ensure that the appropriate data privacy and protection rules are embedded into relevant business processes and procedures.
IV. DATA SUBJECTS CATEGORIES
When OfficeRnD provides and/or promotes its Services in accordance with our Engagement Terms, we may process the personal data of the following categories of Data Subjects:
- Our Subscribers’ authorized representatives (incl. managers, directors, proxies, legal representatives, UBOs) – “Subscriber’s Representatives”;
- Our Subscribers’ employees, contractors and third-party users such as visitors, etc. – “Subscriber’s Users”;
- Any individual who has provided feedback (registered a complaint, submitted a request, asked a question or engaged in any other type of correspondence in relation to the Services) – “Other Individuals”;
- Visitors of our Websites – “Website Visitors”;
- Prospects we contacted to promote our Services to – “Prospects”.
V. LEGAL GROUNDS FOR PROCESSING
We process the Personal Data of the Data Subjects on one of the following legal grounds outlined below. The ground for processing depends on the context and in some cases there could be more than one legal ground for processing.
- Processing based on a signed agreement – Most commonly, OfficeRnD processes Personal Data to fulfil its contractual obligations under a concluded agreement for the Services provided to its clients. Such processing is essential for the provision of Services and without it – we will not be able to provide you with the Services you have subscribed for.
- Processing based on legitimate interest – We process your Personal Data when the processing is in our legitimate business interests and not overridden by privacy or other fundamental rights and freedoms. For example, we may process Personal Data to respond to queries, improve our offerings continuously, for marketing our new products and features, for fraud detection and legal compliance purposes. We may have other legitimate interests and, if appropriate, we will inform you in a timely manner of the reason that requires the Personal Data processing.
- Processing based on the Data Subject’s Consent – We will ask for your consent to use your Personal Data for certain specific and explicit reasons – for example, to participate in our Services improvement efforts. We will provide you with relevant information for the processing and you may withdraw your consent at any time by contacting us at privacy@officernd.com or by navigating through the Privacy Preferences on our Websites.
- Processing based on other legal obligations – In some cases, we may also have a legal obligation to collect Personal Data. If we ask you to provide Personal Data to comply with a legal requirement, we will make this clear at the relevant time. We will advise you whether providing your Personal Data is mandatory. We will also inform you of the possible consequences if you do not provide your Personal Data.
VI. TYPES OF PERSONAL DATA COLLECTED AND PURPOSE FOR THE PROCESSING
In the table below you will find the types of Personal Data we process, the purpose for such processing, which Data Subjects the processing affects and what is the legal ground for the processing of each data category.
We would like to inform you that we do not collect or otherwise process special categories of Personal Data.
| PURPOSE | TYPES OF PERSONAL DATA | DATA SUBJECT CATEGORY | LEGAL GROUND |
|---|---|---|---|
| Account Registration | Information you provide us with - username and password, business, or Personal Data, such as name, email address, phone number and other information that you choose to provide us with; | Subscriber’s Representatives, Subscriber’s Users | Performance of our contractual obligations under the concluded agreement for Services; Explicit Consent; Legitimate interest to provide our Subscribers with seamless, consistent, high-quality Services |
| Fill Out Profile Information – to tailor your account to your needs | Information you provide us with - address, personal description and photograph, skills, interests, occupation, job title, links to your accounts with third-party applications such as LinkedIn, Facebook, Twitter, and Google and other information that you choose to provide us; | Subscriber’s Representatives, Subscriber’s Users | Performance of our contractual obligations under the concluded agreement for Services; Explicit Consent; Legitimate interest to provide our Subscribers with seamless, consistent, high-quality Services |
| Order Placing | Information you provide us with - your order information and, if applicable, financial account information (! We do not collect payment card information – it is collected and processed by a third-party payment card processor); | Subscriber’s Representatives, Subscriber’s Users | Performance of our contractual obligations under the concluded agreement for Services; Explicit Consent; Legitimate interest in providing our Subscribers with seamless, consistent, high-quality Services |
| Integration of our Service with your corporate email calendar | Information you provide us with - our services integrate with your corporate email calendar (e.g., Gmail or Microsoft Outlook) and collect data regarding your seating choices and the conference rooms you book; we do not collect or otherwise have access to information contained on your calendar or email content | Subscriber’s Representatives, Subscriber’s Users | Explicit Consent |
| To participate in promotions, surveys, etc. | Information you provide us with – when you participate in promotions, surveys or focus groups, you give us your insights into our products, services, or other initiatives, as well as other information which you may decide to give us. | Subscriber’s Representatives, Subscriber’s Users, Other Individuals, Website Visitors, Prospects | Explicit Consent; Legitimate interest in providing our Subscribers with seamless, consistent, high-quality Services |
| Obtain information or register for events | Information you provide us with - when you fill out an online form to register to attend one of our webinars, marketing, training, and other events, or request information from us, we collect the information in the form and other information you may give us. This may include information such as first name, last name, place of work, job title, country, email, phone number, etc. | Subscriber’s Representatives, Subscriber’s Users, Other Individuals, Website Visitors, Prospects | Explicit Consent; Legitimate interest in providing our Subscribers with seamless, consistent, high-quality Services |
| To provide information for our Services | Information you provide us with - If you contact our sales, customer success or support teams, we collect the information you give us during the interactions. Sometimes, we record these interactions for training purposes and for quality assurance. If we are recording your interaction, we will provide a notice, prior to the beginning of the recording. You can always ask the person on the call to stop recording the interactions. | Subscriber’s Representatives, Subscriber’s Users, Other Individuals, Website Visitors, Prospects | Explicit Consent; Legitimate interest in providing our Subscribers with seamless, consistent, high-quality Services; Legitimate interest to attract, identify and source new clients and promote OfficeRnD’s Services. |
| When you post or upload Content | Information you provide us with - We collect and store Content that you create, input, submit, post, upload, transmit, store, or display in the process of using our SaaS Platforms or Websites (Announcements, Instructions, Manuals, How-to Guides). It is your responsibility to make sure such Content does not contain Personal Data when it is visible to everyone in the workspace. In case such Content includes any Personal Data or other sensitive information that you choose to include (“accidentally-collected Personal Data”) with publishing that content you give us your consent to process it. | Subscriber’s Representatives, Subscriber’s Users | Performance of our contractual obligations under the concluded agreement for Services; Explicit Consent; Legitimate interest in providing our Subscribers with seamless, consistent, high-quality Services |
| Information collected from the use of OfficeRnD Service | Information we collect about you - Information about bookings you make using our services, technical information, including the Internet protocol (IP) address used to connect your Device to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system, platform, and device type. Information we collect about you - Information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our Sites (including date and time); products you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call our customer service number. We also use applications which take anonymised recordings of user sessions. | Subscriber’s Representatives, Subscriber’s Users | Performance of our contractual obligations under the concluded agreement for Services; Explicit Consent; Legitimate interest to provide our Subscribers with seamless, consistent, high-quality Services |
| Information collected from other sources | Information collected from other sources - Information from third-party services: We also obtain information from Third-Parties and combine that with Information we collect through OfficeRnD Services. For example, we may have access to certain information from a third-party social media or authentication service if you log into OfficeRnD Services through the service or otherwise provide us with access to information from the service. Any access that we may have to such Information from a third-party social or authentication service is in accordance with the authorization procedures determined by that service. By authorizing us to connect with a third-party service, you authorize us to access and store your name, email address(es), phone number(s), current city, profile picture URL, and other information that the third-party service makes available to us, and to use and disclose it in accordance with this Privacy Policy. You should check your privacy settings on these third-party services to understand and change the information sent to us through these services. | Subscriber’s Representatives, Subscriber’s Users | Performance of our contractual obligations under the concluded agreement for Services; Explicit Consent; Legitimate interest to provide our Subscribers with seamless, consistent, high-quality Services |
When we act as a Data Processor, we rely on the lawful processing of personal data of the Data Controller, and we expect that the Subscriber has a valid legal ground for processing the personal data of the individuals whose data we are provided with. If we are aware or if we have any doubts that the processing might not be based on a valid legal ground, we will reach out to the Data Controller immediately.
VII. HOW WE USE YOUR PERSONAL DATA
We use the information held in the following ways:
Information you provide us with (see reference in the table above).
We will use this information to:
- Perform our obligations arising from any contracts entered between you as a Subscriber and us as a provider of the Services.
- Provide you with the information, products, and services that you request from us; to provide you with information about additional services we offer that are subordinate or correspond to those that you have already purchased or inquired about.
- Send transactional messages, including responding to your comments, questions, and requests; providing customer service and support; to send you technical notices, updates, security alerts, and support and administrative messages.
- Provide you with information about services we feel may interest you. If you are an existing customer, we will only contact you by electronic means (e-mail) with information about services similar to those which were the subject of a previous sale or negotiations of a sale to you. If you are a new customer, we will contact you by electronic means only if you have consented to this.
- Notify you about changes to our Services.
- Ensure that content from our Websites is presented in the most effective manner for you and for your Device.
Information we collect about you (see reference in the table above).
We will use this information to:
- Administer our Websites and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes.
- To improve our Websites to ensure that content is presented most effectively for you and for your computer.
- As part of our efforts to keep our Websites safe and secure.
- Measure or understand the effectiveness of advertising we serve to you and others, and deliver relevant advertising to you.
- Make suggestions and recommendations to you and other users of our Websites about services that may interest you or them.
- Investigate and prevent fraudulent transactions, unauthorized access to OfficeRnD Services, and other illegal activities.
- To comply with our compliance and legal obligations and enforce our legal rights, such as, among other things, to exercise contractual rights, to comply with financial reporting obligations, court orders, warrants, or subpoenas in accordance with applicable law.
Information we receive from other sources.
We may combine this information with the information you provide us with and the information we collect about you. We may use this information and the combined information for the purposes set out above (depending on the types of information we receive).
VIII. WHO WE CAN SHARE YOUR PERSONAL DATA WITH?
We use information held about you in the following ways:
We may share your Personal Data with any member of OfficeRnD Group, which means our subsidiaries, our ultimate holding company, and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006 and any other applicable legislation.
We will not share or disclose any of your Personal Data or Content with Third-Parties except as described in this Privacy Policy. We do not sell your Personal Data or any of the information regarded as Content.
OfficeRnD may share Personal Data collected through the Services as follows:
- Your Use: When you use OfficeRnD Services, the Content you provide will be displayed back to you. Certain features of OfficeRnD Services allow you or your administrator to make some of your Content public, in which case it will become readily accessible to anyone. We urge you to consider the sensitivity of any data you input into OfficeRnD Services.
- Our Service Providers and Vendors (Sub-Processors): We work with third-party service providers and vendors to provide our Websites, hosting, security monitoring, back-up, storage, virtual infrastructure, payment processing, analysis, transactional email sending, push notifications, accounting, support, customer success management, e-signing and other services for us. These service providers may have access to or process your Personal Data for the purpose of providing those services for us. Please be aware that you are providing your Personal Data to these Third-Parties acting on behalf of OfficeRnD.
- Third-Party Integrations: You may choose to make use of third-party integrations in conjunction with OfficeRnD Services. Third-party integrations are Services developed by Third-Parties to which you grant access privileges to your Content (which may include your Personal Data) or Personal Data (depending on the integration, that Personal Data may include, but is not limited to, name, email, device and location). When access is granted, your Content and Personal Data are shared with a Third-Party. Third-Party Integrations’ Privacy Policies and procedures are not controlled by OfficeRnD even though the Third-Party integration may be available through OfficeRnD Services. This Privacy Policy does not cover the collection or use of your data by third-party integrations, and we urge you to consider the Privacy Policies governing third-party integrations. If you object to your Personal Data being shared with these Third-Parties, please deactivate the integration.
- Access by your system administrator: You should be aware that the administrator of your instance of OfficeRnD Services may be able to:
  - Access information in and about your OfficeRnD Services account;
  - Disclose, restrict, or access information that you have provided or that is made available to you when using your OfficeRnD Services account, including your Content; and
  - Control how your OfficeRnD Services account may be accessed or deleted.
- Testimonials: We may display personal testimonials of satisfied customers on the OfficeRnD Websites. With your consent, we may post your testimonial along with your name. If you wish to update or delete your testimonial, you can contact us using the information below.
- Compliance with Laws; Protection of Our Rights: We may disclose your Information (including your Personal Data) to a Third-Party if we believe that disclosure is reasonably necessary (a) to comply with any applicable law, regulation, legal process or governmental request, (b) to enforce our agreements, policies, and terms of service, (c) to protect the security or integrity of OfficeRnD’s products and services, (d) to protect OfficeRnD, our customers or the public from harm or illegal activities, or (e) to respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person.
- Business Transfers: We may share or transfer your Information (including your Personal Data) in connection with or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. You will be notified via email and/or a prominent notice on the OfficeRnD Services of any change in ownership or uses of your Personal Data, as well as any choices and rights you may have regarding your Personal Data.
- Aggregated or Anonymized Data: We may also share aggregated or anonymized information that does not directly identify you with the Third-Parties described above. OfficeRnD may aggregate information collected through the Services and remove identifiers so that the information no longer identifies or can be used to directly identify an individual or Device. OfficeRnD may share Aggregated Information with Third-Parties and does not limit Third-Parties’ use of the Aggregated Information. The most common example is our Flex Index quarterly report. The Flex Index is a composite index that provides visibility into the coworking and flex space industry’s health, post-lockdown recovery, and global trends. The index is composed of 5 components (or KPIs), which represent critical business aspects of both small and large flex operators.
- With Your Consent: We will share your Personal Data with Third-Parties when we have your consent to do so.
Sub-Processors are in each case subject to the terms and conditions laid down by OfficeRnD, which are no less protective than those set out in this Privacy Policy. OfficeRnD will inform you in advance of any intended changes concerning the addition or replacement of Sub-Processors and thereby give the Data Subject the opportunity to object to such changes. If you do not object in writing within ten (10) days of receipt of the notice, the Data Subject is deemed to have accepted the new Sub-Processor. If you do object in writing within ten (10) days of receipt of the notice, OfficeRnD will discuss possible resolutions.
You can see an up-to-date list of our Sub-Processors here.
IX. PERSONAL DATA TRANSFER, STORAGE AND RETENTION
Personal Data Transfer
The Personal Data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA who work for one of the entities within the OfficeRnD Group, or for one of our Sub-Processors. Such staff may be engaged in, among other things, the fulfilment of your order, the processing of your payment details or the provision of marketing, support or other services. By submitting your Personal Data, you agree to this transfer, storing or processing outside of the EEA. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy.
When OfficeRnD engages in such transfers of Personal Data, it relies on:
Adequacy Decisions, as adopted by:
- UK Secretary of State, based on Article 45 of the UK GDPR and Section 17A of the Data Protection Act 2018;
- European Commission, based on Article 45 of Regulation (EU) 2016/679 (GDPR);
or
Standard Contractual Clauses as issued by:
- Information Commissioner’s Office (ICO);
- European Commission.
Data Transfer Impact Assessment (DTIA) is completed by our Security and Compliance Team for any case of transfer of Personal Data outside the EEA.
Personal Data Storage
OfficeRnD hosts data on Amazon Web Services (AWS) in their Ireland, Singapore and Australia (Sydney) regional data centres for the Flex Product and in their Ireland and Australia (Sydney) regional data centres for the Hybrid Product. The servers on which Personal Data is stored are kept in a controlled environment. All data is encrypted in transit and at rest using industry-standard encryption protocols. While we make our best efforts to guard your Personal Data, no security system is impenetrable and due to the inherent nature of the Internet as an open global communication lane, we cannot guarantee that information, during transmission through the Internet or while stored on our systems or otherwise in our care, will be safe. In addition, we cannot guarantee that any accidentally collected Personal Data you choose to store in our SaaS Platforms are maintained at levels of protection to meet specific needs or obligations you may have relating to that information. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access. Among other practices, your account is protected by a password for your privacy and security. You must prevent unauthorized access to your account and Personal Data by selecting and protecting your password appropriately and limiting access to your Device.
We may suspend your use of all or part of the Services without notice if we suspect or detect any breach of security. If you believe that the information you provided to us is no longer secure, please notify us immediately at privacy@officernd.com.
Personal Data Retention
Personal Data is kept for the duration of the business relationship with OfficeRnD and for the years afterwards stipulated by local regulations for complying with all legal, regulatory, and internal policy purposes. After the expiration of this retention period, the corresponding data are routinely deleted and any hard copies of them are destroyed.
We would delete information in your account to which we have access no later than 60 /sixty/ days of Service termination unless we are obliged to keep it to comply with applicable law or due to an issue, claim or dispute that is not yet resolved.
Personal Data is stored in our backups as well. Those backups are maintained for security and disaster recovery purposes, but the Personal Data stored within them is not actively processed. That data is automatically disposed of no later than 150 days of Service termination.
X. SAFEGUARDING MEASURES
To secure the Personal Data processed, OfficeRnD uses industry best practices, including:
- Access Control
  - Preventing Unauthorized Product Access:
    - Outsourced processing: OfficeRnD hosts its Service with outsourced cloud infrastructure providers. Additionally, OfficeRnD maintains contractual relationships with vendors in order to provide the Service in accordance with our Data Processing Agreement. OfficeRnD relies on contractual agreements, privacy policies, and vendor compliance programs to protect data processed or stored by these vendors.
    - Physical and environmental security: OfficeRnD hosts its product infrastructure with a multi-tenant, outsourced infrastructure provider. The physical and environmental security controls are audited for compliance with the Trust Service Criteria (TSC) and have SOC 2 Type II report and EN ISO 27001 compliance, among other certifications.
    - Authentication: OfficeRnD implemented a uniform password policy for its customer products. Subscribers who interact with the products via the user interface must authenticate before accessing non-public customer data.
    - Authorization: Subscriber data is stored in multi-tenant storage systems accessible to Subscribers via only application user interfaces and application programming interfaces. Subscribers are not allowed direct access to the underlying application infrastructure. The authorization model in each of OfficeRnD’s products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed by validating the user’s permissions against the attributes associated with each data set.
    - API access: Public product APIs may be accessed using an access token.
  - Preventing Unauthorized Product Use: OfficeRnD implements industry-standard access controls and detection capabilities for the internal networks that support its products.
    - Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and would include various techniques, including, but not limited to: Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall and Web Application Firewall (WAF) rules.
    - External vulnerability testing: OfficeRnD maintains relationships with industry-recognized vulnerability testing service providers for bi-monthly vulnerability tests. The intent of the vulnerability tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios. Annual penetration tests are conducted on the applications and the API. Identified vulnerabilities are remediated based on their severity and according to internal policies and procedures.
  - Limitations of Privilege & Authorization Requirements:
    - Product access: A subset of OfficeRnD’s employees have access to the products and Subscriber data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, troubleshoot potential problems, detect and respond to security incidents and implement data security. Employees are granted access by role following the “least privileged” principle. Employee roles and access are reviewed on a quarterly basis.
    - Background checks: All OfficeRnD employees undergo a background check prior to starting employment, in accordance with the applicable laws. All employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
- Transmission Control
  - In-transit: OfficeRnD makes Hypertext Transfer Protocol Secure (HTTPS) encryption (also referred to as Secure Sockets Layer (SSL) or Transport Layer Security (TLS)) available on every one of its login interfaces. OfficeRnD’s HTTPS implementation uses industry-standard algorithms and certificates (TLS 1.2 or above).
  - At-rest: OfficeRnD stores customer data following best practices – Advanced Encryption Standard (AES)-256 encryption for all data at-rest. Stored credentials are hashed and salted.
- Input control
  - Detection: OfficeRnD designed its infrastructure to log extensive information about the system behaviour, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. OfficeRnD personnel, including security, operations, and support personnel, are responsive to known incidents.
  - Response and tracking: OfficeRnD maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, OfficeRnD will take appropriate steps to minimize product and Subscriber damage or unauthorized disclosure.
- Availability Control
  - Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
  - Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Subscriber data is backed up to multiple durable data stores and replicated across multiple availability zones.
  - Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using the latest industry-standard methods. OfficeRnD’s products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected to prevent single points of failure. This design assists OfficeRnD operations in maintaining and updating the product applications and backend while limiting downtime.
XI. RIGHTS OF THE DATA SUBJECTS
OfficeRnD takes appropriate measures to comply with data protection laws in order to ensure Data Subjects’ rights. In case Data Subjects have any questions, requests or complaints regarding their rights, they are encouraged to contact us via privacy@officernd.com or dpo@officernd.com.
Any written question, request or complaint should have a clear subject related to the rights of the Data Subjects.
Subject to the applicable local legislation, all Data Subjects will have at least the following rights with respect to their Personal Data:
Right to Access
You may request that you be provided with copies of your Personal Data, including the description of the processing purposes. If you are a Subscriber or registered user of our Services, you can access certain Personal Data by logging into your account. If you are not a Subscriber or registered user, OfficeRnD may take reasonable steps to verify your identity before providing access to Personal Data. If OfficeRnD receives requests related to the Subscriber’s Personal Data directly from Data Subjects (where OfficeRnD acts as a Data Processor for this specific category), OfficeRnD will notify and redirect such requests to the Subscriber. We may not allow you to review certain data for legal, security or other reasons.
Right to Rectification
If you are a Subscriber or registered user of our Services, you can edit certain Personal Data by logging in to your account. You have the right to request that OfficeRnD correct any information you believe is inaccurate. You also have the right to request OfficeRnD to complete information you believe is incomplete. If OfficeRnD receives requests related to the Subscriber’s Personal Data directly from Data Subjects (in the event that OfficeRnD acts as a Data Processor for this specific category), OfficeRnD will notify and redirect such requests to the Subscriber.
Right to Erasure
You have the right to request that OfficeRnD erase your Personal Data. If OfficeRnD receives requests related to the Subscriber’s Personal Data directly from data subjects, OfficeRnD will notify and redirect such requests to the Subscriber.
Right to Restrict Processing
You have the right to withdraw previously given consent for the collection and processing of your Personal Data for that specific purpose.
You may withdraw your consent at any time by contacting us at privacy@officernd.com or dpo@officernd.com or by navigating through the particular Privacy Preferences menu.
If OfficeRnD receives requests related to the Personal Data of the Subscriber’s Users where OfficeRnD acts as a Data Processor, OfficeRnD will notify and redirect such requests to the Subscriber.
Right to Object to Processing
You have the right to object to OfficeRnD’s processing of your Personal Data, under certain conditions. If OfficeRnD receives requests related to the Personal Data of the Subscriber’s Users directly from Data Subjects (where OfficeRnD acts as a Data Processor for this specific category), OfficeRnD will notify and redirect such requests to the Subscriber.
Right to Data Portability
If you are a Subscriber, you can export certain Personal Data that you provided to OfficeRnD by logging in to your account. You have the right to request that OfficeRnD transfer the data that we have collected to another organization, or directly to you, under certain conditions. If OfficeRnD receives requests related to the Subscriber’s Personal Data directly from Data Subjects (where OfficeRnD acts as a Data Processor for this specific category), OfficeRnD will notify and redirect such requests to the Subscriber.
Additional Rights
You may opt out of receiving communications from OfficeRnD by using the unsubscribe link within each email or within your OfficeRnD Services account settings menu or by emailing us to have your contact information removed from our promotional email list or registration database. Although opt-out requests are usually processed immediately, please allow ten (10) business days for a removal request to be processed. Even after you opt out from receiving promotional messages from us, you will continue to receive transactional messages from us regarding OfficeRnD’s Services. You can opt out of some notification messages in your account settings.
If OfficeRnD Services Subscribers want to deactivate their OfficeRnD Services accounts they need to contact our Support/Customer Success team. OfficeRnD Users who want to deactivate their OfficeRnD Services account need to contact their employer or workspace administrator.
We will retain your account information for as long as your account is active, as reasonably useful for commercial purposes, or as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. If your account is managed by an administrator, that account administrator may have control over how your account information is retained and deleted.
XII. PERSONAL DATA BREACH
A Personal Data Incident is any event that involves or could involve Personal Data and which has the potential to become a Personal Data Breach. Personal Data Incidents are all potential Data Breaches that have not yet materialized.
A Personal Data Breach exists in case of accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Personal Data Incidents and Personal Data Breaches are handled according to the Data Protection Laws and in accordance with OfficeRnD’s internally established procedures.
XIII. COOKIES
We use cookies on our Websites and our SaaS Platforms. More details about the usage of cookies can be found in our Cookie Policy.
XIV. ACCOUNTABILITY
If you believe that OfficeRnD has not adhered to this Privacy Policy, please contact us at one of the following emails: privacy@officernd.com, dpo@officernd.com or legal@officernd.com. We will investigate the matter and will try to resolve any issues that may be present.
Data Subjects have the right to lodge a complaint to the respective data protection authority in their country.
If you are in the European Economic Area or United Kingdom and wish to report a complaint or if you feel that OfficeRnD has not addressed your concern in a satisfactory manner, you may contact the Information Commissioner’s Office at:
https://ico.org.uk/make-a-complaint/.
If you are located in the state of California and wish to report a complaint or if you feel that OfficeRnD has not addressed your concern in a satisfactory manner, you may contact California’s Office of the Attorney General at:
https://oag.ca.gov/contact/consumer-complaint-against-business-or-company.
If you are located in Australia and wish to report a complaint or if you feel that OfficeRnD has not addressed your concern in a satisfactory manner, you may contact the Office of the Australian Information Commissioner at:
https://www.oaic.gov.au/privacy/privacy-complaints.
You can also lodge your complaint in particular in the country where you live, your place of work or a place where you believe we infringed your right(s).
The list of all data protection supervisory authorities for each EU member state is available here:
https://edpb.europa.eu/about-edpb/about-edpb/members_en
XV. CHILDREN’S PRIVACY
Our Services are not intended for and shall not be used by anyone under the age of 18. OfficeRnD does not process children’s personal data on any legal grounds or under any circumstances. If we learn that we have received any information directly from a child, we will use that information only to respond directly to that child (or his or her parent or legal guardian) to inform the child that he or she cannot use the Services.
XVI. CHANGES TO THIS PRIVACY POLICY
We’ll post any changes we make to our Privacy Policy on this page and, if they’re significant changes, we’ll let you know by email. We are constantly trying to improve our Services and need to comply with all the changes in the applicable data protection legislation, so we may need to change this Privacy Policy from time to time as well, but we will alert you to changes by placing a notice on https://officernd.com, by sending you an email, and/or by some other appropriate means.
If you disagree with any changes to this Privacy Policy, we will not be able to continue providing the OfficeRnD Services and you will need to stop using them and deactivate your account(s), as outlined below.
If you have any questions regarding the Privacy Policy changes you can contact us as outlined in the “Contact Us” section of this Policy.
XVII. CONTACT US
Questions, comments, and requests regarding this Privacy Policy are welcomed.
OfficeRnD Limited’s registered address is 69 Church Way, NE29 0AE, North Shields, England.
OfficeRnD EOOD’s registered address is 31 Aleksandar Malinov Boulevard, 1729 Sofia Bulgaria.
OfficeRnD Inc.’s registered address is 3500 S Dupont HWY, Dover, DE.
Our preferred address for direct communication is 31 Aleksandar Malinov Boulevard, 1729 Sofia Bulgaria.
You can also contact our Data Protection Officer at privacy@officernd.com or dpo@officernd.com or our legal department at legal@officernd.com.