Sesam.io AS (also referred to as “SESAM” or “We”) respects your privacy concerning the collection, usage and storage of Personal Information. Our organization number is 922 409 676.
In this policy, we aim to demonstrate our commitment to protecting our Customers' privacy. The document covers the processing of Personal Data in relation to the Services provided by the processor SESAM.
To exercise your rights as a Data Subject, please use our Data Access Portal.
Legal basis and purpose for processing
SESAM only processes Personal Data of the Customer that is necessary to fulfil SESAM’s contractual obligations to the Customer according to the Agreement. SESAM will use the data collected for the purpose of performing the Services requested.
Personal Data and Service Personal Data collected
Service data is data that resides on the Sesam systems, to which we are provided access necessary to perform the Services, including Cloud environments, as well as test, development, monitoring and support services. This data may include Personal Information about the company's employees, customers, partners and suppliers, and will be referred to as Service Personal Data.
Sesam will process data on behalf of its Customers, in accordance with the Data Processing Agreement and on the Customers' additional documented instructions in accordance with applicable laws and regulations.
If, in our opinion, an instruction infringes applicable Data Protection law, we will without undue delay inform our Customers.
Rights of the individuals
The Customer is the Controller of the processing of Service Personal Data; hence any individual to whom the Personal Data relates should direct any requests, including the right to access, erasure, restriction, rectification or objection to the processing, directly to the Customer. We will, insofar as it's possible, provide reasonable assistance to the Customer in their obligation to respond to requests from individuals.
SESAM will keep Service Personal Data for as long as necessary to fulfil our contractual obligations towards the Customer, as specified in the Terms of Service Agreement. Service Personal Data will be deleted or anonymized as soon as possible, and within 4 weeks, after termination of the Customer’s account, unless it must be stored in order for SESAM to fulfil obligations in statutory law.
In all cases where SESAM is authorized to engage third-party processors, we will ensure that any arrangement between the subprocessors and SESAM will be governed by a written contract, including terms which offer at least the same level of protection for the Service Personal Data as those set out in the Terms of Services Agreement. SESAM is responsible for the subprocessor’s performance with regard to the processing of Service Personal Data in accordance with requirements set out in applicable Data Protection law.
SESAM has implemented and will maintain all technical and organizational measures designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Service Personal Data.
The SESAM Services are ISO/IEC 27001:2013 certified. The certification governs areas of the security applicable to the Services, including physical access, data access, security oversight, and enforcement. Our employees are required to maintain the confidentiality of all Service Personal Data. More specific security measures are set out in the Agreement.
SESAM will immediately investigate any suspicious incidents that constitute or may constitute a Service Personal Data security breach.
When SESAM becomes aware of an incident qualifying as a breach, SESAM will report such breach to our Customers without undue delay, in accordance with the Agreement with the Customer. In accordance with the Agreement and to the extent permitted by law, we will provide our Customers with all additional, relevant information concerning the breach reasonably known or available to us. We will facilitate our Customers' compliance with any obligations to report or inform the applicable Supervisory Authorities and/or the Data Subjects of the Service Personal Data Breach.
Transfers and Cross-border transfers
SESAM will not transfer Service Personal Data, which are undergoing processing or are intended for processing after transfer, to a third country or to an international organization except when
Cross-border Data Transfers are made to adequate jurisdictions authorized by the Commission or if transfers are subject to appropriate safeguards. This may include Binding Corporate Rules, Model Clauses, Standard Data Protection Clauses, Approved Codes of Conduct, or Certifications.
Deletion or return
SESAM will upon your request or within 4 weeks of the date of cessation of any Services return a complete copy of all the Service Personal Data, and/or delete and procure deletion of all copies of those Service Personal Data. We may retain and store the Service Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws.
Jurisdiction and Choice of Law
SESAM takes your privacy seriously.
For more information about SESAM's privacy practices or if you have any questions, feel free to contact us at email@example.com.