Data Privacy Framework


Wellspring Worldwide Inc. and our subsidiary Wellspring EMEA (together “Wellspring,” “we,” “our,” and “us”) comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Wellspring has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Wellspring has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

 

Definitions: Description of key terms regarding the types of data.

“Data Subject” means the individual to whom any given Personal Data covered by this policy refers.

“Personal Data” means information relating to an identified or identifiable natural person residing in the EU or Switzerland.

“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Agent” means any third party that processes personal information pursuant to the instructions of, and solely for the benefit of, Wellspring or to which Wellspring discloses personal information for processing on Wellspring’s behalf.

 

Scope: Wellspring adheres to the principles of the Data Privacy Framework with respect to Personal Data submitted by Wellspring’s customers for the following online enterprise software services: Sophia Knowledge Management System and Wellspring Knowledge Supply Chain system.

 

Data processed: Wellspring provides software products that our customers use to operate various aspects of their businesses. These products include tools for invention and intellectual property management, investor/client relationship management, technology scouting, research management, deal management, data integration and analysis, contract management, and reporting, among others. In the course of conducting daily operations in Wellspring software products, customers may store Personal Data such as contact information, nationality, employment history, and a Data Subject’s involvement with various contractual arrangements or assignment to research outputs such as research grants, intellectual property, or publications.

Wellspring also stores Personal Data about system end users such as contact information to support the use of the product.

 

Purpose of data processing: Wellspring processes data submitted by clients, who are the Controllers, for the purpose of providing our online services in accordance with the contracts we have with such customers. In accordance with the contracts we have with clients, all data would typically be located in the region of the primary location of the client. While Wellspring is the provider of these tools and assists clients to process data, clients remain Controllers of the data they store with us and are solely responsible for managing it. Client responsibilities include deciding what Data Subject Personal Data will be stored, how the information will be used, how the information will be categorized, to whom information will be disclosed, and for what purposes.

Wellspring staff will, from time to time, and within the scope of our services and as requested by customers, access or transfer client data. Such access or transfer of client data may include Personal Data associated with the Data Subjects of our clients to potentially update or correct records, provide reports, or help solve technical or service problems.

Wellspring does control and store limited Personal Data about our software system end users, such as emails and requests for help through contact with our organization. We also collect data on user activities within our products to enhance system performance.

 

Data Security, Limited Disclosure, and Choice: Wellspring shall take reasonable steps to protect the Personal Data in its possession from loss, misuse, unauthorized access, unapproved disclosure, erroneous alteration, and unintended destruction. Wellspring has implemented appropriate physical, electronic, and quality system procedures to safeguard and secure personal information. This includes data encryption, pseudonymization, and access controls to ensure any exposure to Personal Data is limited by our operational procedures.

All employees are trained on these security procedures along with our procedures for Data Subject rights. We will process and support requests to report on, correct, remove, or minimize Personal Data, including HR information, about the system users or Data Subjects in collaboration with Wellspring and system Controller per our contractual obligations. Further, we provide tools to the Controller to identify and find Personal Data for a given individual to support this process. These efforts ensure that Data Subjects have a choice regarding the type of Personal Data that is stored and the purposes for the collection.

Wellspring does not share any Personal Data, HR Data, or data processed about end-user system activities with any third-party agents for any purpose outside of our defined services unless requested by public authorities, including to meet national security or law enforcement requirements. If this were to occur, Wellspring would verify with Controller and subsequently the Data Subject about the ability to explicitly consent whether their Personal Data is to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the Data Subject.

 

Access: Data Subjects whose Personal Data is covered by this DPF Policy have the right to access such Personal Data and to correct, amend, or delete such Personal Data if it is inaccurate or has been processed in violation of the DPF Principles (except when the burden or expense of providing access, correction, amendment, or deletion would be disproportionate to the risks to the Data Subject’s privacy, or where the rights of persons other than the Data Subject would be violated). Requests for access, correction, amendment, or deletion should be sent to: privacy@wellspring.com.

 

Accountability for Onward Transfer and Third-Party Agents: Third parties may receive Personal Data in cases when Wellspring has subcontracted with specific individuals or parties to provide services for our clients. In such cases all consultants, contractors, or other parties are required to have confidential agreements in place along with procedures for training those personnel on Wellspring-specific policies for handling client data and Data Subject rights. Controllers would be notified about any third parties involved in providing services and the Personal Data would only be provided for the purpose of providing contractually obligated services for the Controller. We do not provide personal data to third parties for any purposes other than those the Controller has defined and they would be acting as agents of Wellspring.

Wellspring uses a limited number of third-party vendors and hosting partners to provide the necessary hardware, software, networking, storage, and related technology required to provide clients access to software and services. All vendors are reviewed and evaluated for appropriate security and data handling procedures to ensure highly restricted access and compliance with our Data Privacy Framework obligations for any personal data. The storage of Personal Data on servers and/or on software made available or hosted by third party vendors shall not be considered disclosures of any Personal Data so long as the vendor does not have direct access to the Personal Data stored or hosted. Wellspring is potentially liable should any issues or concerns arise with the Data Subject information provided to these services.

 

Inquiries and complaints:

EU, UK and Swiss individuals (or other individuals) with inquiries or complaints regarding our Data Privacy Framework policy (or any privacy concerns) should first contact Wellspring at:

privacy@wellspring.com

Wellspring Worldwide, Inc.
954 W. Washington Boulevard, Suite 750
Chicago, IL 60607
Attention: Chief Operating Officer - Privacy

Please put “Privacy Concern” in the subject line or header of your letter, and Wellspring will respond within 30 days.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Wellspring commits to cooperate and comply with the advice of the panels established as data protection authorities: the EU Data Protection Authorities (DPAs), the UK Information Commissioner’s Office (ICO) or the Swiss Federal Data Protection and Information Commissioner (FDPIC).

Wellspring further commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF to the EU Data Protection Authorities (EU DPA) as an alternative dispute resolution provider. Additionally, in reliance on the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Wellspring commits to refer unresolved complaints concerning our handling of personal data to JAMS as an alternative dispute resolution provider. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit your jurisdiction’s authority, the EU DPA (European Union) or JAMS (United Kingdom and Switzerland), for more information or to file a complaint. The services of the EU DPA and JAMS are provided at no cost to you.

Please note that if your complaint is not resolved through these channels, a binding arbitration option may be available before a Data Privacy Framework Panel.

U.S. Federal Trade Commission enforcement: Wellspring’s commitments under the Data Privacy Framework are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.