Effective from January 1st, 2023

Data Protection and Privacy

Do you have a Privacy Policy?

Yes, our Privacy Policy can be found here.

Do you have a Cookie Policy?

Yes, our Cookie Policy can be found here.

Does EON collect minors’ personal data?

Our services are not intended for use by minors.  We do not knowingly collect personal data from users who are considered minors under applicable national laws.  Under our Terms and Conditions, minors under the age of 16 are not permitted to use our Services, register, or provide us with personal data.  If we learn that we have collected personal data from anyone under 16 years of age, we will delete that information as quickly as possible.

What personal data is collected by EON as part of EON Product Cloud?

EON requires commonly used personal data for secure access to client and partner accounts.  This processing of personal data is limited, and is subject to a data processing agreement and our privacy policy.  Specifically, we process work email, name, work title, and work phone number to support secure platform access and to respond to support requests.  Otherwise, only the IP address is regularly collected, for fraud monitoring purposes, and it is automatically scheduled for erasure.  All other personal data collection is at the direction of the client or partner by means of a Data Processing Agreement.

What personal data is collected by EON as part of the EON Exchange?

The EON Exchange captures information about physical products, not personal data; therefore there is no collection of personal data unless specifically required by a client.  In such cases, any personal data collection would be at the direction of the client and/or partner by means of a Data Processing Agreement.

What personal data is collected by EON as part of the customer scan experience?

EON consumer experiences utilize cookies to provide visitors with a functional and relevant experience.  This collection is subject to the client’s privacy policy.  Any other personal data collection is at the direction of the client and would be part of the relevant Data Processing Agreement.

What are data protection laws?

Data protection laws are a set of laws that govern the way that businesses collect, use, and share personal data about individuals.  Among other things, they require businesses to process individuals' personal data fairly and lawfully, to allow individuals to exercise legal rights in respect of their personal data (for example, to access, correct or delete their personal data), and to have in place appropriate security protections in order to protect the personal data that they process.

What is personal data?

Personal data is any information relating to an identified or identifiable natural person (the data subject).  In more practical terms, it is any information that could be used to identify a specific human being, with some information being more obviously tied to a person than other information.  Some of the more obvious types of personal data include: name, email address, phone number, home address, Twitter handle, social security number, passport number, driver’s license number, etc.  Less obvious examples include IP address, device ID, postal code, and birth date.  Of key importance is that a data point does not need to be directly attributable to a specific individual by itself to be considered personal data.  If, in combination with other data points, it can be used to reasonably identify an individual, or a very small group of individuals, then it is most likely personal data.  As an example, birth date, postal code, and gender by themselves generally cannot identify an individual, but together they can in some circumstances, and they are therefore considered personal data.

What are EON’s data privacy practices?

EON takes data privacy seriously and we always seek to evolve our data security policies and practices in accordance with applicable data privacy laws and regulations.

What is EON's lawful basis for processing personal data?

The lawful basis for processing personal data, per Article 6 of the General Data Protection Regulation (“GDPR”), depends on the audience.

  • Client Users and Partner Users:  Processing is done on the basis of performing a contract (1.b; i.e. secure access to EON’s Services) or our legitimate interests (1.c; i.e. logging access for audit purposes).  Other lawful bases may apply depending on the specific service or client/partner requirements.
  • Consumers:  Processing is based on informed consent (1.a) and on the legitimate interests pursued by the controller (1.f; fraudulent traffic detection).

Other information that relates to physical, physiological, genetic, mental, economic, cultural, or social identity is also considered personal data.  Sensitive examples of personal data are designated “Special Categories” of personal data and include religious and political affiliation, sexual orientation, union membership, biometric data, genetic data, ethnicity and race, etc.  EON never processes special categories of personal data from clients, partners, or consumers.

What transfer mechanism does EON rely on for the international transfer of EU/EEA personal data to "Third Countries"?

The provision of services by EON to its clients and partners may in some cases involve the international transfer of EU/EEA personal data to “Third Countries” (countries, organizations, or territories not recognized by the EU/EEA under Article 45 of the GDPR as providing an adequate level of protection).  For such transfers, EON relies on the Standard Contractual Clauses (SCCs) issued by the European Commission, which are incorporated into our Data Processing Agreements.

In December 2022, the EU and US released a draft data privacy framework to support international data transfers with the expectation that it would allow the United States to receive a favorable adequacy decision that would remove the need for Standard Contractual Clauses.  However, until such a framework is approved and implemented, EON will continue to rely on SCCs.

What supplementary measures does EON offer to protect personal data following the Schrems II decision?

The supplementary measures identified in the final recommendations stemming from the Schrems II decision help ensure compliance with the level of protection of personal data required by the European Data Protection Board (EDPB), specifically with regard to transfer mechanisms (such as the SCCs) that are designed to provide an “essentially equivalent” level of protection.

The EDPB’s recommendations divide supplementary measures into three groups: 1) technical, 2) organizational, and 3) contractual measures.  EON has measures in place designed to address all three groups that protect personal data against unauthorized processing and accidental disclosure, access, loss, destruction, or alteration.  EON has implemented controls, policies, and procedures in support of this obligation.

The EDPB guidance also describes the need for contractual commitments to provide transparency about, for example, processing locations, applicable laws, and government demands for data.  These requirements are addressed in EON’s existing agreements and DPAs.

Will client, partner, or consumer personal data ever be transferred outside Europe?

Depending on the EON services being used, client, partner, or consumer personal data may be transferred outside of Europe unless otherwise agreed in writing.  Depending on where a data subject is located, some approved third parties with access to your personal data may be located outside your country, or have offices in countries where data protection laws provide a different level of protection than the laws in your country.  When transferring personal data to such recipients, we contractually require appropriate safeguards (e.g. a DPA, SCCs).  These safeguards include technical, physical, and organizational measures that minimize those recipients’ access to personal data and the ways in which it could be misused.

How does EON handle government requests to access consumers’ data?

As a business-to-business enterprise solutions provider predominantly focused on product data, EON expects to receive very few requests from government agencies or similar parties (“Requesting Party”) requiring EON to produce or disclose information that contains or includes any personal data or confidential information (“Request”).  To the extent permitted by law, EON will advise the Requesting Party that all personal data or confidential information stored in any EON system belongs to the client or partner as the controller, not to EON in its role as a processor, and that such data is confidential.  EON will further advise that it cannot produce or disclose any such information to the Requesting Party without first complying with its contractual obligation to notify the client or partner of the Request, so that the client or partner has an opportunity to consent, or to object and seek an appropriate protective order.

How long does EON retain personal data?

EON’s personal data retention period varies by data subject type, because the uses of that data and the lawful basis for processing it are fundamentally different.

Client and partner users’ personal data is generally retained for as long as the client or partner grants its approved users access to its client or partner account within EON’s services.  Upon a data subject request and controller direction (the controller executes data subject rights itself), or upon termination of the associated client or partner agreement, all personal data not necessary for closure of the account, completion of contractual requirements, or retention required by law will be deleted.  In some cases, a user who works for a client or partner may have their request rejected by the controller.  Resolution of data subjects’ rights will be at the direction of the controller, which for client or partner users is the respective client or partner, not EON.

Where consumer personal data is collected, it is retained until one of three criteria is met, unless otherwise required or permitted by law.

  • Fraud Monitoring:  The IP address is used to monitor for fraudulent traffic.  It is automatically placed in a queue for erasure within 30 days of collection.  This data may be retained longer if it is part of an active investigation.
  • Data Subject Erasure Request:  Upon notice from the controller, EON will erase the personal data that is part of the rights request.
  • Termination of Agreement:  Upon the termination of a relationship with a controller, any associated personal data will be erased from our systems.

Does EON use a data classification system?

Yes, EON’s data classification system records multiple aspects of each data attribute, including risk level, applications, access restrictions, type, source, identification level, owner, export permissions, applicable legislation, public information status, etc.

Does EON sell personal data?

No.  We have never sold personal data, and doing so does not make sense for the kinds of services we offer to clients.  As there is no sale of data to opt out of, you will not see a “Do Not Sell My Data” opt-out option as outlined under the California Consumer Privacy Act.

Data and System Security

Do you have terms for the use of your websites?

Yes, our website Terms and Conditions can be found here.

Do you have required Terms of Service for users of your services?

Yes, our Terms of Service can be found here.  Changes to our Terms of Service are limited to those that all technology providers need to make in order to provide a secure environment and fulfill obligations to protect personal data, including, without limitation, the right to:

  1. Maintain compliance with relevant legislation and associated court decisions which clarify how compliance should be implemented.
  2. Evolve our security profile and support security best practices.
  3. Address previously unforeseen abuses of our Services or any data which we process.
  4. Account for new Services, features, or functionality not addressed by these Security and Compliance Terms of Service, Privacy Policy, Master Service Agreement, and Exchange Partner Agreement.

Does EON have information security policies in place?

Yes, EON maintains several plans and policies that support our overall information security.  These plans and policies include, but are not limited to: Information Security Policy, Data Processing & Controls Policy, Incident Response Plan & Policy, and Data Breach Response Plan & Policy.

Does EON have an Incident Response Plan and Policy?

Yes.  EON’s Incident Response Plan and Policy provides guidance to Employees, Consultants, or incident responders who believe they have discovered, or are responding to, an Information Security incident.  Incident events include, but are not limited to: loss of service, systems malfunction or overload, human error, non-compliance with policy or guidelines, malfunction of software or hardware, access violation, and new releases or patches.

EON’s response plan includes escalation paths, severity levels and definitions, severity based response times, communications requirements, mitigation guidelines, and post-incident reporting and analysis.

How does EON evaluate and retain sub-processors?

EON evaluates the security, privacy, and confidentiality practices of a sub-processor prior to retention based on standards including ISO 27001 criteria and GDPR requirements.  All EON sub-processors enter into a written agreement with EON that includes data privacy and security terms.  EON also provides lists with sub-processors by EON services, which clients and partners can access on a self-service basis at any time through the EON Trust Center.  These lists include details on the location and country of each sub-processor per service.

What security measures does EON apply to protect personal data?

EON utilizes a wide variety of industry standard best practice measures to provide the best protections for personal data.  For a summary of our information security policy, please reach out to our team at privacy@eongroup.co.

Does EON utilize role-based security measures?

Yes, access to EON’s services is governed by role-based access control (RBAC), attribute-based access control (ABAC), and least-privilege security approaches to reduce the risk of accidental or intentional misuse of personal data and other confidential information.

Does EON require staff to undergo security training?

Yes, we have a team of experienced information security experts that drives awareness, engagement, and education of our staff around security best practices and security feature adoption across our services.  Our programs include new employee onboarding, annual security training, and role-based awareness education.  We train staff to identify common attacks such as phishing emails and how to report them.  This applies to every employee, contractor, and intern working for EON.  Dedicated training is required for developers to ensure proper knowledge of the OWASP top security risks, common attack vectors, and Azure security controls.

What is Zero-Trust?

Zero-trust is a relatively new security model that more effectively adapts to the complexity of the modern environment, embraces the hybrid workplace, and protects people, devices, apps, and data wherever they are located.  It is based on three principles:

  • Explicit Verification:  Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
  • Least-Privileged Access:  Limit user access with “just-in-time” and “just-enough-access” (JIT/JEA), risk-based adaptive policies, and data protection to help secure both data and productivity.
  • Breach Assumption:  Minimize blast radius and segment access.  Verify end-to-end encryption and use analytics to gain visibility, drive threat detection, and improve defenses.

For more on Zero-Trust, click here.