This Customer Data Protection Policy (“Policy”) is incorporated into and is subject to the terms and conditions of the agreement for the supply of goods and/or services (the “Agreement”) between Wenco International Mining Systems Ltd. (together with its Affiliates, “Wenco”) and the customer entity that is a party to the Agreement (“Customer”).
“Affiliate” means an entity that directly or indirectly controls, is controlled by or is under common control with an entity. The term “control” and correlative terms means ownership, directly or indirectly, of more than fifty (50%) of the voting stock or partnership interests of the controlled entity;
“Applicable Law” means all present and future laws, statutes, ordinances, regulations, judgement, orders, rules, directions of any court or governmental authority that are enforceable in Canada, and includes Applicable Privacy Law;
“Applicable Privacy Law” means all data protection laws and regulations applicable to a party’s processing of Customer Data under the Agreement.
“Confidentiality” means that Customer Data is protected against unauthorized disclosure;
“Customer” means any individual, firm, partnership, company or organization or any other undertaking, which orders or receives from the Wenco any services pursuant to the Agreement.
“Customer Account Data” means data that relates to Customer’s relationship with, including the names or Contact Information of individuals authorized by Customer to access Customer’s account, and billing information of individuals that Customer has associated with its account. Customer Account Data includes any Personal Information Wenco may need to collect for the purpose of identity verification, or as part of its legal obligation.
“Customer Data” means any data, in whatever form, which is held on, entered into, processed by, or retrievable from computer, communication or other systems or equipment of the Customer and data processed by the Customer in providing services to its customers. This data encompasses various types of information voluntarily provided by Customers or collected through their engagement with Wenco's products, services, or digital platforms. It includes, but is not limited to:
Customer Data also includes Customer Account Data, Personal Information, Personal Health Information and Proprietary Information, as defined in this Policy
“Confidentiality Agreement” means a standard agreement between the Wenco and its Personnel, signed as part of the Wenco’s operating procedures, requiring that the Personnel comply with the confidentiality obligations, in a manner which is intended to ensure compliance by the Wenco and its Personnel under this Policy;
“Conflicting Foreign Order” means any order, subpoena, directive, ruling, judgment, injunction, award or decree, decision, request or other requirement issued from a foreign court, agency of a foreign state or other authority outside Canada or any foreign legislation the compliance with which would or could potentially breach Applicable Privacy Law;
“Contact Information” means information to enable an individual at a place of business to be contacted and includes the name, position name or title, business telephone number, business address and business email of the individual;
“Excluded Information” or “Excluded Records” means information, documents or recorded information that (a) relate solely to the Wenco’s internal administration, finances, management, or employment matters, unless they contain Personal Information about an individual other than Personnel or other third parties with whom the Wenco has dealings unrelated to the subject matter of the Agreement; or (b) Customer confirms in writing are excluded from the application of this Policy;
“Integrity” means ensuring the correctness (intactness) of data and the correct functioning of systems. When the term integrity is used in connection with the term "data", it expresses that the data is complete and unchanged;
“Material Breach” means non-compliance by the Wenco to take reasonable steps to cure any material contravention of this Policy to the satisfaction of Customer within 30 days after written notice is given to the Wenco describing the breach in reasonable detail or otherwise within 30 days of the Wenco becoming aware of the breach;
“Permitted Purpose” means access to Records or Customer Data that is necessary for provision of the Services;
“Personal Health Information” means personal health information about an individual as defined by Applicable Privacy Law;
“Personnel” means any employees, officers, directors, contractors, subcontractors, associates, representatives or other persons engaged by the Wenco for the purposes of fulfilling the Wenco’s obligations under the Agreement;
“Processing” (and “process”) means any operation or set of operations performed on Customer Data or on sets of Customer Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Proprietary Information” means all information and know how, whether or not in writing or other tangible or electronic form, concerning the business or financial affairs, including but not limited to all (i) inventions, discoveries, improvements and trade secrets, (ii) products and services and all plans, service levels, specifications and concepts for products and services, (iii) business plans, business and systems processes, methods, techniques, specifications and formulas, (iv) research and development projects and data, (v) financial and marketing data and information, (vi) information about customers and prospective customers, including contractual terms, customer specifications and the identity of and relationships with customer employees, (vii) names and other data relating to Customer employees, consultants, suppliers and prospective employees, consultants and suppliers, (viii) computer data, reports, computer programs, source codes, object codes, manuals, tapes, listings, specifications, test results, programming sequences, application programming interfaces, screen designs and formats and user interfaces, algorithms, flow charts, program formats, user documentation and operating processes, and (ix) trade names, copyrights and other intellectual property rights, whether developed or invented by Customer or others, and whether patentable, copyrightable or not.
“Record” includes books, documents, maps, drawings, photographs, letters, vouchers, papers and any other thing on which Customer Data is recorded or stored by graphic, electronic, mechanical or other means which are collected or produced by the Wenco in the course of delivering Services or otherwise performing its obligations under the Agreement but does not include Excluded Records.
“Security Incident” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of, or unauthorized disclosure of or access to, Customer Data on systems managed or otherwise controlled by Wenco.
“Services” means the products and services provided by Wenco or its Affiliates, as applicable, that are (a) used by Customer, including, without limitation, products and services that are on a trial basis or otherwise free of charge; or (b) ordered by Customer under the Agreement or a purchase order form.
“Third-party service provider” means any processor engaged by Wenco or its Affiliates to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this Policy. Third-party service providers may include third parties or Affiliates of Wenco but shall exclude Wenco employees, contractors, or consultants.
“Wenco Network” means Wenco’s data center facilities, servers, networking equipment, and host software systems (e.g., virtual firewalls) that are within Wenco’s control and are used to provide the Services.
2.1 Wenco acknowledges that the Customer Data is valuable and requires adequate protection. The purpose of this Policy is to establish measures to ensure the Confidentiality, Integrity, and availability of Customer Data throughout its lifecycle.
Notwithstanding the provisions of this Policy, Wenco retains the right to use and disclose aggregated and De-Identified Data in any manner. “De-Identified Data” means information (or any portion thereof) that has been the subject of reasonable efforts to de-identify, aggregate and/or anonymize such data with the result that no individual, entity or particular Record can be identified.
8.1 Wenco will ensure that its Personnel are granted access to the Customer Data only where such access is necessary for the performance of the Services, and subject to the following terms:
Customer hereby acknowledges and consents that Customer Data and Records may be collected, used, processed, shared, disclosed, stored, secured, destroyed, managed or administered from outside of Canada by the Wenco using cloud computing of other information technology infrastructure selected by the Wenco and managed using third parties, and that Customer has provided all required notices and information and/or obtained all required consents and approvals for such collection, use, processing, sharing, disclosure, storage, security, destruction, management and administration outside of Canada.
10.1 Authorized Third Party Service Providers. Customer agrees that Wenco may use third-party service providers to fulfil its contractual obligations under the Agreement and this Policy or to provide certain services on its behalf, such as providing support services. Customer hereby consents to Wenco’s use of Third-party service provider as described in this Section 10 and as further described in Appendix 2 to this Policy.
10.2 Third-party service provider Obligations. Where Wenco uses any authorized third-party service provider as described in Section 10.1:
11.1 Security Incident. If Wenco becomes aware of a Security Incident, Wenco will without undue delay: (a) notify Customer of the Security Incident; and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
11.2 Wenco Assistance. To assist Customer in relation to any data breach notifications Customer is required to make under Applicable Laws, policies, or agreement, Wenco will include in the notification such information about the Security Incident as Wenco is reasonably able to disclose to Customer, taking into account the nature of the Services, the information available to Wenco, and any restrictions on disclosing the information, such as confidentiality.
11.3 Failed Security Incidents. Customer agrees that a failed Security Incident will not be subject to the terms of this Policy. A failed Security Incident is one that results in no unauthorized access to Customer Data or to any of Wenco’s Network, equipment, or facilities storing Customer Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful login attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.
11.4 Notification. Notification of Security Incidents, if any, will be delivered to one or more of Customer’s administrators by any means Wenco selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate Contact Information on the Wenco management console and secure transmission at all times.
11.5 Corrective Action. Wenco will cooperate with Customer in preventing the occurrence or recurrence of any breach of this Policy, Agreement, or Applicable Law, including, if requested to do so: by preparing a written proposal to address or prevent further occurrences within the Wenco’s systems.
If Wenco or anyone to whom Wenco transmits Customer Data pursuant to a Permitted Purpose becomes legally compelled or otherwise receives a demand to disclose Customer Data other than permitted by Applicable Laws, including without limitation pursuant to any Conflicting Foreign Order, unless prohibited by law, Wenco will not do so unless and until: (i) Customer has been notified of such requirement; (ii) the party compelling disclosure has appeared before a Canadian Court; and (iii) the Canadian Court has ordered the disclosure. Wenco is responsible for ensuring that it obtains the obligations with its Personnel or such other third parties to whom it may grant access to Customer Data as may be necessary to enable it to comply with the provisions of this Section. Nothing in this Policy will be interpreted or construed to prohibit Wenco from complying with any valid court order made under the Applicable Laws.
Wenco’s obligation to report or respond to a Security Incident under this Policy is not and will not be construed as an acknowledgement by Wenco of any fault or liability of Wenco with respect to the Security Incident.
14.1 Independent Determination
Customer is responsible for reviewing the information made available by Wenco relating to data security and its security standards and making an independent determination as to whether the Services meets Customer’s requirements and legal obligations as well as Customer’s obligations under this Policy. The information made available is intended to assist Customer in complying with Customer’s obligations under Applicable Laws. Customer agrees that the Services and the Security Standards implemented and maintained by Wenco provide a level of security appropriate to the risk to Customer Data (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Data as well as the risks to individuals).
14.2 Audit and Compliance.
a. The Customer reserves the rright to audit Wenco's compliance with the provisions of this Policy. Such audits shall be conducted in a manner that minimizes disruption to the Wenco's operations and preserves the confidentiality of other customers' data.
b. Wenco shall reasonably cooperate with the Customer's audit requests and provide all necessary information and assistance to demonstrate compliance with this Policy.
This Policy will continue in force until the termination of our processing in accordance with the Agreement (the “Termination Date”).
16.1 Except as otherwise specified in the Agreement, Wenco will retain the Customer Data and Records for as long as required to engage in the uses described in this Policy, unless a longer retention period is required by Applicable Law.
16.2 As described in the Services, the Customer may request to return or deletion of Customer Data or Records at Customer’s expense. Customer hereby acknowledges and accepts the functionality of the Services and the data retention and deletion applications as made available by Wenco, which may impact Customer Data. Wenco will enable Customer to delete Customer Data during the term of the Agreement in a manner consistent with the functionality of the Services, terms of the Services and this Policy.
16.3 Upon termination or expiration of the Agreement, or upon the written request of Customer As described in the Services, the Customer may request to return or deletion of Customer Data or Records at Customer’s expense. Customer hereby acknowledges and accepts the functionality of the Services and the data retention and deletion applications as made available by Wenco, which may impact Customer Data. Wenco will enable Customer to delete Customer Data during the term of the Agreement in a manner consistent with the functionality of the Services, terms of the Services and this Policy.
16.4 Wenco will in a reasonable time upon request of the Customer: (i) return or deliver all Customer Data and Records, excluding back-up copies, to Customer; or (ii) destroy, according to Customer`s instructions, Customer Data or other Records, in any form or format whatsoever in Wenco’s possession, excluding back-up copies, if applicable.
16.5 After a request is made under this Section, Wenco will not retain any Records for any purpose without the prior written consent of the Customer, excluding back-up copies. If, for any reason, such as requirements under Applicable Law, Wenco fails to return or destroy any Customer Data or Record in accordance with this Section, Wenco’s obligations pursuant to this Policy will continue in full force and effect.
The liability of each party under this Policy will be subject to the exclusions and limitations of liability set out in the Agreement. Customer agrees that any regulatory penalties incurred by Wenco in relation to the Customer Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this Policy and any Applicable Laws will count towards and reduce Wenco’s liability under the Agreement as if it were liability to the Customer under the Agreement.
This Policy supersedes and replaces all prior or contemporaneous representations, understandings, agreements, or communications between Customer and Wenco, whether written or verbal, regarding the subject matter of this Policy. Except as amended by this Policy, the Agreement will remain in full force and effect. Unless otherwise expressly provided in the Agreement, if a provision of this Policy is inconsistent or conflicts with a provision of the Agreement, the terms of this Policy will prevail and the conflicting or inconsistent provision in the Agreement will be inoperative to the extent of the conflict.
If an amendment is required to this Policy in order to comply with the Applicable Laws or any requirements stipulated by the other agreements or policies, Wenco reserves the right to amend this Policy from time to time, and it is presumed that the Customer will adhere to and comply with the amendments.
Any questions regarding this Policy may be sent to Wenco’s Privacy Officer at email@example.com
21.1 The parties acknowledge and agree that either party may disclose the Agreement or portions thereof as may be required pursuant to Applicable Law.
21.2 If a provision of this Policy or the Agreement conflicts with a requirement of Applicable Law, the conflicting provision of the Agreement (or direction) will be inoperative to the extent of the conflict.
21.3 Wenco’s obligations under this Policy will continue despite the expiry or earlier termination of the Agreement until such time as the Customer Data and Records are returned to Customer or securely destroyed in accordance with this Policy.
1. Nature and Purpose of Processing. Wenco will Process Customer Data as necessary to perform the Services pursuant to the Agreement and as further instructed by Customer throughout its use of the Services.
2. Duration of Processing. Subject to this Policy, Wenco will process Customer Data during the effective date of the Agreement. Notwithstanding the foregoing, Wenco may retain Customer Data, or any portion of it, if required by Applicable Laws or regulation, provided that such Customer Data remains protected in accordance with the terms of this Policy and Applicable Laws.
3. Categories of Data Subjects. Customer may upload Customer Data in the course of its use of the Services, the extent to which is determined and controlled by Customer in its sole discretion, relating to the following categories of Data Subjects:
4. Categories of Customer Data. Customer may upload Customer Data in the course of its use of the Services, the type of and extent to which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Customer Data:
Contact Information: Names, job titles, work addresses, work phone numbers, work email addresses, and other similar business contact details.
Company information: Company names, company addresses, company phone numbers, company email addresses, and other similar company details.
Transactional data: Details of business transactions or interactions between the Customer and its customers, suppliers, partners, or other business contacts. This may include purchase history, order details, invoices, and other relevant transactional information.
Hardware and Operational Data: Device information, system logs, network data, software usage data, performance metrics.
I. Technical and Organizational Measures
We are committed to protect our customers’ Customer Data. Taking into account the best practices, the costs of implementation and the nature, scope, circumstances and purposes of processing as well as the different likelihood of occurrence and severity of the risk to the rights and freedoms of natural persons we take the following technical and organizational measures. When selecting the measures, the Confidentiality, Integrity, availability and resilience of the systems are considered.
1. Confidentiality. We use a variety of physical and logical measures to protect the confidentiality of Customer Data. Those measures include:
2. Integrity. Appropriate change and log management controls are in place, in addition to access controls to be able to maintain the Integrity of Customer Data such as:
Change & Release Management
3. Availability. We implement appropriate continuity and security measures to maintain the availability of its services and the data residing within those services:
4. Data Processing. It refers to ensuring that Customer Data will only be processed in accordance with the Agreement and the related company measures. We have established internal privacy policies, agreements and conduct regular privacy trainings for employees to ensure Customer Data is processed in accordance with the Agreement and legal obligations.
5. Retention Period. We follow generally accepted standards to store and protect the Customer Data we collect, both during transmission and once received and stored, including utilization of encryption where appropriate. We retain Customer Data for as long as required to engage in the uses described in this Policy, unless a longer retention period is required by Applicable Law. The criteria used to determine our retention periods include the following: