Query.AI Data Processing Policy

Effective as of June 1, 2021 

1 Introduction

1.1 Scope

This policy applies to all users who have a legitimate need to access sensitive data, including but not limited to the processing of data for customers and colleagues.

1.2 Purpose

In the course of providing services, Query.AI may receive, store, and manage sensitive data on Query.AI systems. Due to contractual, legal, and regulatory obligations, Query.AI must maintain strict confidentiality of such data at all times. This policy communicates Query.AI’s expectations with respect to the transmittal, storage, processing, retention, protection, and disposal of sensitive data provided to Query.AI in the course of doing business. This policy, effective as of June 1, 2021, states the policies of Query.AI, Inc., a Delaware corporation (“Query.AI”), regarding Personal Information.

1.3 Definitions

Users – Query.AI employees, contractors, partners, candidates, or any third party that does business with Query.AI.
Sensitive Data – Any data that is classified as Restricted or as Client data.

2 Policy

Sensitive Data should always be treated with the utmost care, and its use is governed by Query.AI’s Data Classification Policy. As the safeguarding of Sensitive Data is critical to Query.AI’s business, all questions regarding proper care of Sensitive Data should be directed to Query.AI’s Data Protection Officer at privacy@query.ai.

3 Sensitive Data

3.1 Data Protection

Query.AI will comply with data protection law and principles outlined in the General Data Protection Regulation (“GDPR”), which means that Sensitive Data will be:

  • Used lawfully, fairly and in a transparent way.
  • Collected only for valid purposes and not used in any way that is incompatible with those purposes.
  • Accurate and kept up to date.
  • Maintained only for as long as necessary.
  • Kept securely and protected against unauthorized or unlawful processing and against loss or destruction using appropriate technical and organizational measures.

Query.AI follows best practices and has processes in place that follow GDPR guidelines. All Sensitive Data held within the company is under the control of Query.AI’s Data Classification Policy, which covers the handling of any internal or Sensitive Data within the organization.

3.2 Data Transmittal

When transmitting Sensitive Data in Query.AI systems, the following requirements are adhered to in order to maintain data confidentiality:

  • Process Sensitive Data only for the purposes specifically authorized, strictly in accordance with the Services provided and in compliance with Applicable Data Protection Laws.
  • Prior to transmittal to Query.AI, Sensitive Data should be scrubbed, to eliminate transmittal of data not pertinent to the original purpose.
  • Sensitive Data containing Personally Identifiable Information (PII) Data or Payment Card Industry (PCI) Data should only be transmitted to Query.AI when it is determined the use of such data is critical to accomplishing a specific task.
  • Sensitive Data must be encrypted at all times using NIST-approved encryption algorithms and key lengths.
  • When using symmetric encryption, key exchange must be done in a secure fashion, using a communication channel separate from the channel used for data exchange.
  • Cooperate in any investigation by a governmental or regulatory authority or any internal investigation regarding the processing of Sensitive Data.

3.3 Data Storage

While engaged in projects that require storage of Sensitive Data on Query.AI systems, data storage should adhere to the following requirements:

  • If not done prior to transmittal, Sensitive Data should be scrubbed immediately upon storage, to eliminate storage of data not related to the original purpose of processing.
  • Sensitive Data must be stored in a manner that ensures it is sufficiently segregated from other data, to ensure proper access controls.
  • Storage systems containing Sensitive Data must use disk-level encryption consistent with current industry best practices.
  • All systems housing Sensitive Data must have active Anti-Virus Protection and will have regular scans for vulnerabilities, ensuring high and critical severity vulnerabilities are addressed immediately.
  • Query.AI Colleagues must not store Sensitive Data on their company desktop or mobile device.

3.4 Data Privacy

Query.AI ensures it only uses third parties and other personnel who:

  • Are bound to observe data and telecommunications secrecy under Applicable Data Protection Laws,
  • Have received appropriate training on their responsibilities,
  • Are required to keep Sensitive Data strictly confidential and subject to confidentiality obligations that survive the termination of the Representative’s and other personnel’s engagement. Query.AI shall not permit any person to process Sensitive Data who is not under such a duty of confidentiality.
  • Query.AI shall not disclose any Sensitive Data to any third party without prior written consent.
  • Query.AI shall not engage or permit any third party or subcontractor to access or process Sensitive Data without prior notice, except that Query.AI may use the specified Query.AI Representatives and Sub processors to provide and support Query.AI in accordance with the provisions in this policy.

3.5 Data Access

To ensure confidentiality of Sensitive Data processed by Query.AI, access to Sensitive Data must be strictly enforced at all times.

  • Access to Sensitive Data must only be granted to Query.AI Colleagues who have a legitimate purpose for such data access.
  • Access to Sensitive Data is to be granted such that only the minimum access rights required to accomplish an assigned task or role are provided.
  • Query.AI Colleagues accessing Sensitive Data must use unique credentials and adhere to Query.AI’s Password policy.
  • Query.AI Colleagues should not leave their computers unattended while having an open connection to a system containing Sensitive Data.
  • Query.AI Colleagues must terminate connections to systems housing Sensitive Data immediately upon completion of work.
  • All access to PII Data and PCI Data must be logged.

3.6 Data Retention and Destruction

Query.AI recognizes that the efficient management of its data and records is necessary to support its core business functions, to comply with its legal, statutory and regulatory obligations, to ensure the protection of personal information and to enable the effective management of the organization.

This policy and related documents meet the standards and expectations set out by contractual and legal requirements and have been developed to meet the best practices of business records management, with the aim of ensuring a structured approach to document control.

Effective and adequate records and data management is necessary to:

  • Ensure that the business conducts itself in a structured, efficient and accountable manner
  • Ensure that the business realises best value through improvements in the quality and flow of information and greater coordination of records and storage systems
  • Support core business functions and provide evidence of conduct and the appropriate maintenance of systems, tools, resources and processes
  • Meet legislative, statutory and regulatory requirements
  • Deliver services to, and protect the interests of, users in a consistent and equitable manner
  • Assist in document policy formation and managerial decision making
  • Provide continuity in the event of a disaster or security breach
  • Protect personal information and data subject rights
  • Avoid inaccurate or misleading data and minimise risks to personal information
  • Erase data in accordance with the legislative and regulatory requirements

Information held for longer than is necessary carries additional risk and cost and can breach data protection rules and principles. The Company only ever retains records and information for legitimate or legal business reasons and always complies fully with the data protection laws, guidance and best practice.

It is important that Sensitive Data is disposed of properly upon completion of the defined project for which the data was processed.

3.7 What kinds of information does Query.AI process?

We process different kinds of information depending on how you are engaging with us. This data includes Personal Information, Usage Information, and User Generated Information.

  • Personal Information is any data that identifies or describes you or another individual. Personal Information often relates to an individual’s person, communications, movements and surroundings, and behaviors online and in the real world. This information need not directly connect to a known or identifiable individual. Data associated with proxies for individuals like a device serial number or an account number can also be Personal Information when it describes or otherwise relates to the person, communications, movements and surroundings, and behaviors of the person or people who use the device, account, or other proxy. Some examples of Personal Information we may process include your name and contact information. We obtain Personal Information by collecting it directly from you, such as through online forms on our websites or through our product registration and User service systems; through reports created using our products and services; through automated methods integrated into our products, services, and websites; and from third parties we have contracted with.
  • Usage Information is data generated by your use of a Query.AI product, service, or website. When you visit a Query.AI website, your browsing generates information like logs that include information about what pages you visited, what content you interacted with, and when you visit pages and interact with elements on them. Query.AI products and services and their associated software like web portals, desktop applications, and other tools may also generate information when you use them. We may collect this information and use it as described in this policy. This information can include data about how often you use our products, performance related information like crashes and memory consumption, information about how you interact with our user interfaces, and other information related to the way our products and services are performing. 
  • When you use our platform, our websites, products, and services will collect information provided by you about the platforms in your environment with which you are integrating, users associated with your organization, and queries and actions performed on the integrated platforms.

    Read our cookies and browser object policies for more in-depth information.

3.8 What do we do with information we process?

When we process information, we do so in order to fulfill our legitimate business purposes. These include:

  • Delivering requested functionality. Many features of our products, services, and websites process information in response to your requests. For example, when you create an account, we collect Personal Information like your email address, password, and profile information, so you can log into our websites and use our products and services. If you use our websites to communicate with us, we collect Personal Information and User Generated Information like your name, contact information, and message content and make it available to the people who will be responding to you. When you browse our websites or use our tools, applications, and other software, we collect User Generated Information you make available to us in order to incorporate it into your access, investigation, and response activities.
  • Protecting our rights. When we license software services to you, we reserve the right to collect Personal Information like your account credentials and information about the computers and mobile devices you use to access licensed products and Usage Information like the number of unique users logging into our software in order to monitor compliance with the terms of our license agreements with our users.
  • Supporting our users. We collect Usage Information like errors that occur when you use our products, services, and websites and logs that describe when and how you interact with our user interfaces so we can better diagnose and resolve technical problems you may experience.
  • Improving our products, services, and websites. We may use Personal Information we have collected to ask you to participate in surveys, focus groups, and other forums where we will solicit feedback about your user experience. We may also collect and use anonymous Usage Information about errors and interactions with our user interfaces and excerpts from User Generated Information like support and service requests. We use this information to identify, prioritize, and develop patches, enhancements, and other improvements to our products, services, and websites as well as to create new products and services responsive to our users’ needs.
  • Promoting our products and services. We use Personal Information we collect from our websites, from events we sponsor online and in person, and from downloads of publications we make available ourselves or through partners to identify potential users for our products and services and to contact them to initiate sales efforts. We also use Personal Information we have collected from existing users along with Usage Information about how their users interact with our products and services and User Generated Information like issues you have raised with our support teams to identify other Query.AI products and services our users might be interested in and to reach out to them to discuss new business. We may supplement Personal Information we have collected with information we get from third parties in order to improve our data about potential leads.

3.9 How do we secure information we process?

When we collect and store information on our systems as described in this policy, we apply reasonable and appropriate administrative, physical, and technical safeguards to detect and prevent unauthorized access, disclosure, use, and loss of Personal and User Generated Information. These safeguards include monitoring and auditing of our IT infrastructure, encryption of files in transit and at rest, strong password policies, limiting access to User Generated and Personal Information to personnel with a legitimate business purpose, and where applicable, data protection training for our personnel. When our users choose to host our products within their own networks, Personal and User Generated Information are wholly User controlled and subject to their individual security practices.

In the event that we discover or reasonably suspect that there has been unauthorized access, disclosure, use, loss, or other processing of your Personal or User Generated Information (a “security incident”), we will notify you at the email address we have on file within a reasonable period of time.

No safeguards are 100 percent effective. While our safeguards offer a reasonable and appropriate level of protection to information that we process, we do not warrant or guarantee that data we process will never be affected by a security incident.

3.12 Who do we share information with?

We will make information we have collected available to third parties under the following circumstances:

  • Where required by law. We will make information available to government agencies who serve us with valid legal process. If this information includes Personal Information or your proprietary User Generated Information, we will notify you of governmental requests for information where permitted to do so by law.
  • Where we have relationships with service providers. We may partner with third parties in the ordinary course of our business to perform services or provide product functionality on our behalf. Examples include resellers of our products and services; data brokers who help us supplement our records with publicly available information; and other service providers supporting our User service personnel. Our contracts with service providers require them to implement reasonable and appropriate safeguards for information we share with them and limit their rights to use that information to purposes consistent with this policy.
  • In order to protect our rights or the rights of third parties. We may share information with legal counsel, auditors, and related service providers in the course of evaluating or pursuing potential claims involving enforcement of our or third parties’ contractual and other legal rights. We will take steps to ensure that we disclose only the information necessary for this purpose and impose confidentiality obligations and use restrictions consistent with this policy where appropriate.
  • With Query.AI affiliates around the world. We have personnel and operations in countries around the world who work together to deliver products and services and process information as described in this policy. These affiliates may be located in countries other than the one where you reside, including the United States. Laws governing processing of information, including Personal Information, vary from country to country and may differ from the laws applicable in your home country. All Query.AI affiliates and personnel comply with the terms of this policy when processing information. Your use of our products, services, and websites constitutes your permission for us to share information with our affiliates without restriction.

3.14 What are my rights under this policy?

You have the right to access, modify, and object to the processing of Personal Information we have collected from you. Your Personal Information is available by logging into your account. You can update your information whenever you like. You also have the right to restrict any information we process and can make other changes or delete your account and the Personal Information associated with it by contacting our privacy team via the privacy@query.ai email address.

You have the right to export Personal Information and Customer Generated Information we process for you as a Customer. Your customer care representative can assist you with these requests.

You have the right to lodge a complaint with the supervising authority where applicable.

You have the right to withdraw your consent at any time.

You have a right to be notified of changes to this policy. If we make material changes that affect the rights and/or responsibilities described in this policy, we will publish notice of changes to our websites. Query.AI users will also receive notices via the Query.AI Customer Network. If you continue to use our products, services, or websites we will consider that acceptance of the changes.

3.15 Data Subject Request

Upon request, and to the extent such information is available to Query.AI, Query.AI shall provide reasonable cooperation and assistance reasonably requested to fulfill obligations under the GDPR to perform data protection impact assessment(s) related to the use of services.

3.16 Client Responsibilities

Client shall, as a condition precedent to Query.AI Processing any Sensitive Data:

  • Inform all Data Subjects concerned of the Processing of their Personal Data pursuant to the Agreement(s) and, where required by Applicable Data Protection Laws, ensure that such Data Subjects have given their unambiguous consent to such processing in accordance with Applicable Data Protection Laws.
  • Grant Query.AI Representatives and Sub processors the right to process Sensitive Data in accordance with the services being carried out.

How do I contact you with questions or requests relating to this policy?

You may reach us by emailing our privacy team at privacy@query.ai or by mail at the address below.

Query.AI, Inc.
ATTN: Legal Department
2301 Research Park Way,
Suite 252,
Brookings, SD 57006

Last modified 7/19/2021