Wellspring Privacy Shield EU-US and Swiss-US Privacy Shield Policy Statement

Wellspring, Inc. (“Wellspring”) has certified certain of our services, for which we act as a data processor, under the EU-U.S. Privacy Shield framework and the Swiss-US Privacy Shield Framework (the certification can be found here).

Definitions: Description of key terms regarding the types of data.

“Data Subject” means the individual to whom any given Personal Data covered by this policy refers.

“Personal Data” means information relating to an identified or identifiable natural person residing in the EU or Switzerland.

“Controller” means a person or organization which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Agent” means any third party that processes personal information pursuant to the instructions of, and solely for the benefit of Wellspring or to which Wellspring discloses personal information for processing on Wellspring’s behalf.

Scope: Wellspring, Inc. adheres to the principles of the Privacy Shield framework with respect to

Personal Data submitted by Wellspring’s customers for the following online enterprise software services: Sophia Knowledge Management System and Wellspring Knowledge Supply Chain system.

Data processed: Wellspring provides software products that our customers use to operate various aspects of their businesses. These products include tools for invention and intellectual property management, investor/client relationship management, technology scouting, research management, deal management, data integration and analysis, contract management, and reporting, among others. In the course of conducting daily operations in Wellspring software products, customers may store Personal Data such as contact information, nationality, employment history, and a Data Subject’s involvement with various contractual arrangements or assignment to research outputs such as research grants, intellectual property, or publications.

Wellspring also stores Personal Data about system end users such as contact information to support the use of the product.

Purpose of data processing: Wellspring processes data submitted by clients, who are the Controllers, for the purpose of providing our online services in accordance with the contracts we have with such customers. In accordance with contracts with have with clients all data would typically be located in the region of the primary location of the client. While Wellspring is the provider of these tools and assists clients to process data, clients remain Controller of the data they store with us and are solely responsible for managing it. Client responsibilities include deciding what Data Subject Personal Data will be stored, how the information will be used, how the information will be categorized, to whom information will be disclosed, and for what purposes.

Wellspring staff will, from time to time, and within the scope of our services and as requested by customers, access or transfer client data. Such access or transfer of client data may include Personal Data associated with the Data Subjects of our clients to potentially update or correct records, provide reports, or help solve technical or service problems.

Wellspring does control and store limited Personal Data about our software system end users, such as emails and requests for help through contact with our organization. We also collect data on user activities within our products to enhance system performance.

Data Security, Limited Disclosure, and Choice: Wellspring shall take reasonable steps to protect the Personal Data in its possession from loss, misuse, unauthorized access, unapproved disclosure, erroneous alteration, and unintended destruction. Wellspring has implemented appropriate physical, electronic, and quality system procedures to safeguard and secure personal information. This includes data encryption, pseudonymization, and access controls to ensure any exposure to Personal Data is limited by our operational procedures.

All employees are trained on these security procedures along with our procedures for Data Subject rights. We will process and support requests to report on, correct, remove, or minimize Personal Data, included HR information, about the system users or Data Subjects in collaboration with Wellspring and system Controller per our contractual obligations. Further, we provide tools to the Controller to identify and find Personal Data for a given individual to support this process. These efforts ensure that Data Subjects have a choice regarding the type of Personal Data is that stored and the purposes for the collection.

Wellspring does not share any Personal data, HR Data, nor data processed about end-user system activities with any third-party agents for any purpose outside of our defined services unless requested by public authorities, including to meet national security or law enforcement requirements. If this were to occur Wellspring would verify with Controller and subsequently the Data Subject about the ability to explicitly consent whether their Personal Data is to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the Data Subject.

Accountability for Onward Transfer and Third-Party Agents: Third parties may receive Personal Data in cases when Wellspring has subcontracted with specific individuals or parties to provide services for our clients. In such cases all consultants, contractors, or other parties are required to have confidential agreements in place along with procedures for training those personal on Wellspring specific policies for handling client data and Data Subject rights. Controllers would be notified about any third parties involved in providing services and the Personal Data would only be provided for the purpose of providing contractually obligated services for the Controller. We do not provide personal data to third parties for any other purposes other than those the Controller has defined and they would be acting as agents of Wellspring.

Wellspring uses a limited number of third-party vendors and hosting partners to provide the necessary hardware, software, networking, storage, and related technology required to provide clients access to software and services. All vendors are reviewed and evaluated for appropriate security and data handling procedures to ensure highly restricted access and compliance with our Privacy Shield obligations for any personal data. The storage of Personal Data on servers and/or on software made available or hosted by third party vendors shall not be considered disclosures of any Personal Data so long as the vendor does not have direct access to the Personal Data stored or hosted. Wellspring is potentially liable should any issues or concerns arise with the Data Subject information provided to these services.

Inquiries and complaints:
EU and Swiss individuals (or other individuals) with inquiries or complaints regarding our Privacy Shield policy (or any privacy concerns) should first contact Wellspring at:

Wellspring Worldwide, Inc. 
954 W. Washington Boulevard, Suite 750
Chicago, IL  60607
Attention: Chief Operating Officer - Privacy

Please put “Privacy Concern” in the subject line or header of your letter, and Wellspring will respond within 30 days

For non-HR related data Wellspring’s has agreed to participate in JAMS independent dispute resolution procedures in the investigation and resolution of complaints to resolve disputes pursuant to the Privacy Shield Principles. Information about how to file a complaint with the JAMS Privacy Shield program can be found at: Wellspring has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU and Switzerland in the context of the employment relationship.

Please note that if your complaint is not resolved through these channels a binding arbitration option may be available before a Privacy Shield Panel.

U.S. Federal Trade Commission enforcement: Wellspring’s commitments under the Privacy Shield are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.