In this Services Privacy Statement (“Statement”), NetSuite Inc. and its worldwide subsidiaries (collectively, the “NetSuite Group”, explains how Customer Data is collected, used, maintained, disclosed and transferred by us. As a data processor, we will process all Customer Data strictly on behalf of our customers in accordance with our contractual agreements with them and/or as required or permitted by law.
Customer Data is defined as personal information our customers and their end-users input or upload into the Services (“Customer Data”). It does not include data we collect from visitors to our Websites, nor data we collect about our customers or prospective customers, vendors, service providers, professional advisors, consultants and other third parties otherwise in the course of doing business; for example, to manage our customer’s accounts or communicate with them, or to engage our vendors. Our use of the term Services in this Statement has the same definition as in your applicable Services agreement with us (“Services”).
References in this Statement to “we,” “us” or “our” are references to the NetSuite Group entity defined in your Services agreement with us. Statements referring to “you” or “your” are references to the customer for which we process Customer Data.
If you have any questions regarding this Statement, please email us at email@example.com, or contact us as described in the “How to Contact Us” section below.
This Statement applies to Customer Data only.
For purposes of clarity, this Statement does not apply to Business Data as defined in the NetSuite Privacy Statement.
Customer Data may be processed by us as a result of customer’s use of the Services when our customers, or their end-users, input or upload information into the Service. For example, customers who use our Enterprise Resource Planning tools may upload Customer Data about themselves or their employees for the purposes of their HR administration and planning.
We act as a data processor with respect to this Customer Data. The use of Customer Data will be limited to the following purposes:
We only process Customer Data on behalf of our customers and in accordance with their instructions provided in the applicable Services agreement with us. Our customers are responsible as data controllers for ensuring (i) their end-users receive proper notice of customer’s privacy practices, and (ii) Customer Data is obtained in accordance with all applicable laws. Because the Customer Data is under the customer’s control, the customer is responsible for providing appropriate notice and choice to its end users regarding our processing of Customer Data on its behalf. If a customer’s end-user has any questions or concerns related to our handling of Customer Data, the end-user may contact us as described in the How to Contact Us section and we will work with the customer to address the concern.
We do not sell Customer Data to any third-parties; however, we may share Customer Data with third-parties as follows:
Under certain circumstances, we may be required to disclose Customer Data in response to valid requests by public authorities, including to meet national security or law enforcement requirements.
We may disclose Customer Data if required to do so by law in order to (for example) respond to a subpoena or request from law enforcement, a court or a government agency, or in the good faith belief that such action is necessary (a) to comply with a legal obligation, (b) to protect or defend our rights, interests or property or that of third parties, (c) to prevent or investigate possible wrongdoing in connection with the site or our Services, (d) to act in urgent circumstances to protect the personal safety of users of the site, our Services or the public; or (e) to protect against legal liability.
Where it relates to Customer Data, we will attempt to refer any request for disclosure of personal information by public authorities, including those received for national security or law enforcement reasons, to the customer. We may, where legally obligated to do so, disclose personal information to law enforcement or other government authorities, in which case we will notify our customer of such a request (unless prohibited by law to do so).
We maintain reasonable and appropriate security measures to protect Customer Data from loss, misuse, and unauthorized access, disclosure, alteration, and destruction.
While we employ security measures to protect Customer Data in our Services, our customers, and their end users, should only access the Services within a secure environment and take appropriate steps to always ensure that login credentials and passwords are kept safe at all times. You should notify us as soon as possible if you become aware of any misuse of your password or your account, and immediately change your password within the Services.
Customer Data may be stored and processed in any country where we have facilities or in which we engage service providers, such as the United States, including countries outside of the country where you are located which may have different data protection rules than those of your country.
NetSuite Inc., Bronto Software, LLC, Monexa LLC and Order Motion, Inc. have certified compliance with the EU-US Privacy Shield, as data processors, for Customer Data provided by customers, or their end users, from the European Economic Area (EEA) (“Privacy Shield Customer Data”). We commit to adhere to the Privacy Shield Principles applicable to our handling of Privacy Shield Customer Data.
(This Statement does not apply to Privacy Shield Business Data – see NetSuite Privacy Statement for information about our Privacy Shield Certification for Business Data.)
References in this EU-US Privacy Shield section to “we,” “us” or “our” are references to NetSuite Inc., Bronto Software, LLC, Monexa LLC or Order Motion, Inc. only.
To access the Privacy Shield List and to find out details of our certification, please see https://www.privacyshield.gov/.
We are subject to the investigation and enforcement powers of the Federal Trade Commission.
If one of our third party service provider’s processes Privacy Shield Customer Data in a manner inconsistent with the Privacy Shield Principles, we will be liable unless we can prove that we are not responsible for the event giving rise to the damage.
If a customer’s end-user has a question, complaint or request to limit the processing of Privacy Shield Customer Data under the Privacy Shield, we can be contacted as described in the How to Contact US section below. However, as we are a data processor of the Privacy Shield Customer Data, we encourage your end-users to first contact you as the data controller of your Privacy Shield Customer Data.
We have further committed to cooperate and comply with the panel of European data protection authorities (DPAs) in the resolution of any Privacy Shield complaints. If you have an unresolved privacy or data use concern related to Privacy Shield Customer Data that we have not addressed satisfactorily, please contact your local DPA and they will investigate your complaint free of charge. Their contact details can be found here: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm. A binding arbitration option will also be made available to you, in accordance with the Privacy Shield Principles, to address complaints not resolved by other means.
We will also cooperate and comply with any investigation, decision or advice made or given by the U.S. Department of Commerce and the Federal Trade Commission.
For transfers of Customer Data from Switzerland to the US, we have certified our compliance with the US-Swiss Safe Harbor framework and will apply the Safe Harbor Principles of Notice, Choice, Onward Transfer, Security, Data Integrity, Access and Enforcement, to the extent that they apply to us as a data processor. Details of our certification can be found here: https://safeharbor.export.gov/companyinfo.aspx?loc=swiss&id=34154.
You may raise any concerns about the processing of your Customer Data under the US-Swiss Safe Harbor framework by contacting us directly, or by contacting the Swiss Federal Data Protection and Information Commissioner.
We retain Customer Data and any other data collected through the Services in accordance with the timeframes set out in the relevant Services Agreements with our customers.
Similarly, an individual who seeks to access Customer Data, or to correct, amend, or delete Customer Data that is inaccurate, should direct their query to the customer. If the customer asks us to retrieve, amend or remove the Customer Data, we will do so in accordance with our Services Agreement with them and our Privacy Shield commitments.
Alternatively, if you are a customer and want to find out more about the data security settings on your account, you can refer to your Services agreement or other applicable contractual documents with us, or contact us directly for further information.
If you have any questions regarding this Statement, you can contact us as follows:
Alternatively, by regular mail addressed to:
Senior Director, Lead Privacy Counsel
2955 Campus Drive, Suite 100
San Mateo, CA 94403
We reserve the right to change, modify, add or remove portions of this Statement from time to time and in our sole discretion, but will alert you that changes have been made by indicating on this Statement the date it was last updated. When you visit this site, you are accepting the current version of this Statement as posted on the site at that time. We recommend that users revisit this Statement on occasion to learn of any changes.