
Data Privacy Framework

1.    Introduction


XTIUM, INC. (“XTIUM”) is dedicated to protecting the privacy of our clients and their data. As a leading provider of cloud solutions and services, including Desktop as a Service (“DaaS”), Backup as a Service (“BaaS”), Unified Communications as a Service (“UCaaS”), and Call Center as a Service (“CCaaS”), we comply with the General Data Protection Regulation (“GDPR”), California Consumer Privacy Act (“CCPA”), California Privacy Rights Act (“CPRA”), Virginia Consumer Data Protection Act (“VCDPA”), and the EU-U.S. Data Privacy Framework (“DPF”).

2.    Scope of this Statement


This Privacy Policy applies to all personal data processed by XTIUM, including data received from individuals and clients in the European Union (“EU”), United Kingdom (“UK”), Switzerland, and the United States (“U.S.”).

3.    Key Definitions


Personal Data: Data about an identified or identifiable individual that is within the scope of the GDPR received by XTIUM from the EU, recorded in any form. 
Controller: An organization that determines the purposes and means of processing personal data. 
Processor: An agent acting on behalf of a controller.

4.    Data Processing Roles


XTIUM acts as a data processor for UCaaS and CCaaS services, handling data such as phone numbers, agent usernames, IP addresses, and email addresses. For DaaS, BaaS, and DRaaS services, XTIUM accesses personal data only when legally required. XTIUM is a controller for its EU/UK employee data, governed by a separate HR Privacy Policy.

5.    Lawfulness of Processing


XTIUM processes data only to fulfill its contractual obligations, ensuring adherence to data minimization principles. This includes data necessary for providing XTIUM services, setup, and support. 

Types of Data Collected

UCaaS and CCaaS Services:

  • Phone Numbers
  • Agent Usernames
  • Agent IP Addresses
  • Agent Email Addresses
  • Call Recordings (with Customer consent)

DaaS, BaaS and DRaaS Services:

  • Usernames
  • Passwords
  • Login Behavior into VMS

6. Purposes of Processing

XTIUM processes personal data for:

  • Setting up and managing XTIUM Offerings
  • Providing customer support and technical assistance
  • Enhancing and improving XTIUM Offerings

7.    Data Retention

XTIUM adheres to data minimization and limits retention to what is necessary:

  • UCaaS and CCaaS: Call Detail Records are retained for seven (7) years.
  • DaaS, BaaS, and DRaaS: Personal data is deleted immediately after support sessions.
  • General: Retention periods are based on service necessity, legal obligations, and business practices. 

8.    International Data Transfers & Data Privacy Framework Program

XTIUM complies with the EU-U.S. Data Privacy Framework (“DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. XTIUM adheres to the respective framework principles for data transferred from the EU, UK, and Switzerland to the U.S. XTIUM’s commitment includes cooperating and complying with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) regarding unresolved complaints concerning XTIUM’s handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

For more information about the DPF program, please visit the Data Privacy Framework website. 

Relevant Data Protection Authorities:

XTIUM informs data subjects about the relevant European Data Protection Authorities designated to address complaints concerning XTIUM’s handling of personal data. XTIUM provides appropriate recourse free of charge to the affected individual:

  • EU/EEA Data Subjects:
    Autoriteit Persoonsgegevens: Bentinck Huis, Hoge Nieuwstraat 8, The Hague, Netherlands.
  • Swiss Data Subjects:
    The Data Protection Authority of Switzerland: Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter, Feldeggweg 1, 3003 Bern, Switzerland.
  • UK Data Subjects:
    The UK Data Protection Supervisory Authority: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom.

Investigatory and Enforcement Powers:


XTIUM informs all data subjects that XTIUM is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”). 


Binding Arbitration:


Data subjects have the possibility, under certain conditions, to invoke binding arbitration. XTIUM is obligated to arbitrate claims and follow the terms set forth in Annex I of the DPF Principles, provided that the data subject has invoked binding arbitration by delivering notice to XTIUM and following the procedures and subject to conditions set forth in Annex I of the Principles.

For more information on invoking binding arbitration, please visit the DPF Annex I Introduction. 

Liability for Onward Transfers:

XTIUM informs all data subjects about XTIUM’s liability in case of onward transfers to third parties. XTIUM ensures that any third party to which personal data is disclosed provides the same level of protection as required under the DPF Principles. 

Cooperation with Data Protection Authorities: 

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, XTIUM commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner's Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. 

Handling of Human Resource Data:

XTIUM has a separate, internal HR Privacy Policy that governs the handling of human resource data. In the context of the employment relationship, XTIUM commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (“DPAs”), and the UK Information Commissioner’s Office (“ICO”), with regard to unresolved complaints concerning XTIUM’s handling of human resource data received in reliance on the EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF. 

9.    Data Disclosure Policy

XTIUM does not disclose an individual’s personal data to third parties except when one or more of the following conditions is true:

  • XTIUM has the individual’s permission to make the disclosure.
  • The disclosure is required by lawful request, by public authorities, including to meet national security or law enforcement requirements.
  • The disclosure is required by law or mandatory professional standards.
  • The disclosure is reasonably related to the sale or other disposition of all or parts of XTIUM’s business. 
  • The information in question is publicly available. 
  • The disclosure is reasonably necessary for the establishment of legal claims. 
  • The disclosure is to another XTIUM entity or to persons or entities providing services on XTIUM’s or the individual’s behalf (each a transferee), consistent with the purpose for which the information was obtained, if the transferee, with respect to the information in question:
    • Is subject to law providing an adequate level of privacy protection.
    • Has agreed to provide an adequate level of privacy protection.

XTIUM may transfer personal data from one jurisdiction to another. Privacy laws vary by jurisdiction; some may provide less or different legal protection than others. However, XTIUM will protect personal data in accordance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, regardless of the jurisdiction in which the data resides.

XTIUM is responsible for the third-party acts within its control that result in the processing of personal data inconsistent with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. 

10.    Individual Rights

Individuals have rights including access, rectification, deletion, restriction, portability, objection to processing, and rights related to automated decision-making and profiling. Complaints can be logged with a Data Protection Authority. Contact us at [INSERT EMAIL HERE] to exercise these rights. 

11.    Data Sharing and Onward Transfer

XTIUM may share and disclose your personal information (as identified in Section 5. Types of Data Collected) solely for legitimate business or legal purposes as described in this Privacy Statement and in accordance with applicable law, with the following third parties:

  • XTIUM and its Affiliates: XTIUM or any of its worldwide affiliates. 
  • Business Partners: Resellers and other authorized third-party agents to market or sell our services.
  • Service Providers, Contractors, Vendors, or Agents: Entities who operate on our behalf to:
    • Provide support and technical services.
    • Send marketing and other operational communications related to our services.
    • Enforce our acceptable use policy.
    • Conduct analytics to improve your experience using XTIUM Offerings.
    • Provide offers and advertisements to Customers based on their interests and interactions with us.
  • Corporate Transactions: Any third parties as part of, or in connection with, an actual or prospective corporate business transaction, such as a sale, merger, acquisition, joint venture, financing, corporate change reorganization, insolvency, bankruptcy, or receivership. 
  • Legal and Regulatory Authorities: Law enforcement agencies, regulatory or governmental bodies, or other third parties to respond to legal processes, comply with any legal obligations, protect or defend XTIUM rights, interests or property or that of third parties, or prevent or investigate wrongdoing in connection with XTIUM Offerings. 
  • Other Third Party with Consent: Any other third parties with Customer’s consent. 

For personal information that we collect through XTIUM’s website, Customer has the right to opt-out of having their personal information disclosed to third parties or used for purposes materially different from those originally collected or subsequently authorized. To exercise this right, please email us at [INSERT EMAIL HERE] or raise a request through the contact form on our website [INSERT WEBSITE LINK].

For sensitive information collected through our website, XTIUM will obtain your affirmative express consent (“opt-in”) before any disclosure or different use. Sensitive information includes personal data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships, or information specifying the sex life of the individual. XTIUM will also treat any information received from a third party as sensitive if the third party identifies and treats it as such. 

12.    How XTIUM respects your privacy rights

XTIUM provides the Customer with the opportunity to access, review, modify, and delete their personal information that XTIUM processes. 

Requests from end users regarding personal information XTIUM processes on behalf of the Customer as a Data Processor.

Generally, when XTIUM processes the content of communications such as voicemails, faxes, recordings, etc., in connection with XTIUM Offerings, XTIUM does so on behalf of their customers and in accordance with their instructions as data processors. This means that XTIUM acts strictly under the direction of their customers, who are the data controllers. 

If a Customer believes that XTIUM may have collected or stored personal information about them on behalf of an XTIUM customer, or if they wish to access, review, modify, or delete any content of their communications under applicable law, they should direct their request to the respective customer. As the data controller, the customer has the authority and responsibility to address such request. 

Additional Privacy Rights as an EEA/UK/Swiss Resident 

  • Access: A request for more information about the personal information XTIUM holds about you. Customer can request to download a copy of the personal information. 
  • Rectification: If anyone believes that any personal information XTIUM holds is incorrect or incomplete, they can request that XTIUM changes, corrects, or supplements the data. As a Customer, you may correct some of the information directly by logging into your XTIUM Offerings account. Please contact XTIUM as soon as possible if there are any noticeable inaccuracies or incompleteness.
  • Objection: You can let us know that you object to the collection or processing of your personal information for certain purposes. 
  • Restriction of Processing: You can ask XTIUM to restrict further processing of personal information. This means that you can ask XTIUM to stop using it for the reasons they have been using it. This may mean that XTIUM must delete your account. 
  • Erasure: You can request that XTIUM erase some or all of your information from their systems. You can also delete some of this information directly by logging into your XTIUM Offerings account if you are a Customer.
  • Portability: You can ask for a downloadable copy of your personal information in a machine-readable format. You can also request that we transmit the data to someone else when possible. 
  • Withdrawal of Consent: If you have consented to XTIUM’s use of personal information for a specific purpose, you have the right to change your mind at any time. Any such decision will not affect any processing that has already occurred, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent. Withdrawing your consent may mean your access to the XTIUM Offerings will be limited or suspended, and the account may be terminated, as applicable. Where you withdraw your consent but XTIUM is using your information because XTIUM, or a third party (e.g. your employer), has a legitimate interest in doing so, or XTIUM has a different legal basis for using your information (e.g. fulfilling a contract with you), XTIUM may continue to process the information subject to your rights to access and control your information.
  • Right to File Complaint: You have the right to lodge a complaint about XTIUM’s practices with respect to your personal information with your supervisory authority.
  • No Automated Decision Making: XTIUM does not undertake decision-making about you based solely on automated processing, including profiling; however, certain features of XTIUM’s Offerings could be used by our customers for decision-making purposes.

For personal data gathered through our website, you can email us at [INSERT EMAIL HERE] to exercise your privacy rights. For data XTIUM processes on behalf of our customers, please contact the respective customer directly. 

Additional Privacy Rights as a Resident of Certain U.S. States

The rights described in this section only apply if you are a resident of a state within the United States that has an applicable and effective privacy law providing the below rights:

  • Data Portability: You can ask for a downloadable copy of your personal information in a machine-readable format. You can also request that we transmit the data to someone else where it is possible. 
  • Knowledge and Access: You may have the right to know more about personal information that we have collected and disclosed in the preceding twelve (12) months. You may be able to access, receive details on collection, the purpose of processing, and any sharing that may have occurred. 
  • Deletion: You have the right to request that XTIUM delete the personal information it has collected about you under certain circumstances.
  • Non-Discrimination for the Exercise of Your Privacy Rights: You have the right to not receive discriminatory treatment by XTIUM for the exercise of your privacy rights. 
  • Rectification: If you believe that any personal information we hold about you is incorrect or incomplete, you can request that we change, correct, or supplement the data. You can also correct some of this information directly by logging into your account if you are a XTIUM Customer. Please contact XTIUM as soon as possible if you notice any inaccuracy or incompleteness.
  • Opt-Out of Selling or Sharing Your Personal Information: You have the right to request that XTIUM stop sharing your personal information for the purposes of cross-context behavioral advertising or targeted advertising. You may opt-out of having your cookie identifiers used for this type of sharing by turning on the Global Privacy Control at the browser level. XTIUM does not sell your personal information as may be commonly understood; however, you may opt-out of having your personal information shared with certain vendors that we use for providing insights about user interactions with our website and for delivering ads to you.
  • No Automated Decision Making: XTIUM does not undertake any decision-making about you based solely on automated processing, including profiling; however, certain features of XTIUM Offerings could be used by our customers for decision-making purposes.

XTIUM will not share your personal information with third parties for the third parties’ direct marketing purposes unless you have agreed to such disclosure.

XTIUM will verify your request using your name and email. Depending on the nature of your request, XTIUM may need additional information to verify your identity. You may authorize an agent to make a request on your behalf to exercise your privacy rights under applicable California privacy laws.

If you are a Colorado resident, you may have the right to appeal XTIUM’s denial of an individual rights request. 

To exercise your rights or to allow your authorized agent to exercise your rights, please submit, or have your authorized agent submit, a ticket through the Data Subject Access Request portal, or contact our Privacy Team at [INSERT EMAIL HERE].

13.    Data Security

XTIUM employs robust safeguards to protect personal data against loss, misuse, unauthorized access, disclosure, alteration and destruction. 

14.    Data Breach Notification Procedure

In the event of a data breach, XTIUM will promptly notify affected individuals and relevant authorities, providing information about the breach and measures taken. 

15.    Employee Data Privacy

XTIUM values employee privacy and has an internal policy governing the handling of employee personal data. 

16.    Children’s Privacy

XTIUM services are not directed at children under the age of sixteen (16). If a minor has provided XTIUM with personal information without consent, please contact XTIUM at [INSERT EMAIL HERE]. 

17.    Changes to This Privacy Statement

XTIUM reserves the right to modify this Privacy Policy. The current version will be posted on our site with an effective date. Continued use of our Services after notification of changes implies consent to the updated policy. 

18.    Contact Us

For queries or concerns, contact our Data Protection Officer at [INSERT EMAIL HERE] or by mail at XTIUM 4025 Tampa Road, Oldsmar, FL 34677 Attn: Data Protection Officer. 

 
