Privacy and Security Policy

Privacy and Security are essential to our company mission. Therefore, this Privacy and Security Policy is enforced by our CEO, Patrick Brennan, who is responsible for compliance. This policy is reviewed at least annually.

This Privacy and Security Policy describes our practices for the collection, protection, use and disclosure of the information we collect from customers, their suppliers and partners, and visitors to our websites (collectively, our software “Users”), who use our software applications in any media: web, mobile, email, text, etc. (the “Service”). We are committed to state-of-the-art security and User data privacy and controls.

Supply Risk Solutions is the registered “Doing Business as” brand name for Accelor Corp’s supply chain risk management solutions. Accelor Corp was incorporated in California in January 2000. Corporate headquarters is located at 1755 E Bayshore Rd, Ste 14B, Redwood City, San Mateo County, California, in the heart of Silicon Valley. This document uses “Accelor Corp”, “Supply Risk Solutions”, “SRS”, “we”, and “our” interchangeably.

Supply Risk Solutions (SRS) Overview

Supply Risk Solutions (SRS) is a secure, encrypted, permission-based platform for suppliers to share confidential data including locations, contacts, and risk management practices with the customers they choose using the website https://supplier.supplyrisk.com. Suppliers are in complete control of their data and can add, delete, or edit it 24×365. Suppliers save time by entering their data once, sharing it with many customers, and updating only what has changed after the initial data entry. Suppliers have access to complementary SRS training, templates, and support (support@supplyrisk.com) to improve their resilience.

SRS complies with stringent international security and privacy requirements. Accelor Corp is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). SRS certifies its compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, UK, and Switzerland to the United States. SRS certifies it adheres to the EU DPF Principles (including the UK DPF extension) and the Swiss DPF Principles with regard to transfers of personal data from the European Union and the United Kingdom, and with the Swiss-U.S. DPF Principles with regard to transfer of personal data from Switzerland. If there is any conflict between the terms in this privacy policy and EU-US DPF, UK-US DPF, or Swiss-US DPF, the DPF Principles shall govern. To learn more about the Data Privacy Framework Principles, the DPF program, and to view our certification, please visit https://www.dataprivacyframework.gov/. SRS also complies with the California Consumer Privacy Act (CCPA) of 2018.

The use and disclosure of all user information transferred to third parties are subject to the policies described in this Privacy Policy. Users have a right to access, modify, and delete their personal data by logging into our website https://supplier.supplyrisk.com. SRS is liable under the Principles if its third-party agent processes such personal information in a manner inconsistent with the Principles, unless SRS proves that it is not responsible for the event giving rise to the damage.

Multi-Level Data Security

SRS is committed to data security and has therefore implemented multi-level physical, procedural, and technical safeguards in connection with the storage, processing, and transfer of data. These safeguards include the following:

• Hosting in secure Azure data centers which have achieved SOC 1 Type 2, SOC 2 Type 2, and SOC 3 reports.
• Secure solution architecture including
  • State-of-the art network security, firewalls, hardened servers
  • Hardened software applications
  • No SRS servers are accessible from the internet
• Encryption of data in transit and at rest.
• Permission-based access where organizations control their data in a strictly permission-based website where they can update or delete data at any time and where they determine which other organizations see the data.
• User and Password management by Microsoft Azure Active Directory, a highly secure, encrypted, cloud-based service. SRS has no access to passwords.
• Data and software resilience with hourly backups between redundant Azure data centers separated by 2500 miles (4000 km).
• Physical data center security including 24×365 guards and monitored operations center.
• Monitoring including log analysis, copying log events to separate server, malware detection, real-time event alerting and active response.
• Procedural controls such as security training, minimizing access to production data to few personnel, enabling access only through encrypted, internal VPN.
• Testing to prevent unauthorized access, accidental loss, destruction, or damage and to ensure timely recovery in the event of an outage.

SRS provides superior data security, control and privacy to all organizations that use our software, regardless of whether they are customers, suppliers, or other organizations.

Privacy Protections

SRS is committed to maintaining unsurpassed data privacy and data protection, compliant with the international standards documented above. SRS is also under binding Non-Disclosure Agreements (NDA) and Master Agreements with its customers.

Please read this Privacy Policy carefully and make sure that you fully understand and agree to it. You are not legally required to provide us with any data and may do so (or avoid doing so) at your own free will. If you do not wish to provide us with Personal Data or other data, or to have it processed by us or any of our Service Providers, please simply do not enter our Sites or use our Service. You agree to this Privacy Policy by accessing or using the Service.

SRS complies with the principles of the EU-US DPF, UK-US DPF, and Swiss-US DPF:

1. Notice: Inform data subjects via this detailed online privacy policy. Data subjects can opt out of communications and can update and delete their information themselves at any time using the following websites:
   • Supplier contacts can add, update, and delete their Personal Data at any time by logging into the secure website https://supplier.supplyrisk.com
   • Customer contacts can update and delete their Personal Data at any time by logging into the secure website https://customer.supplyrisk.com
   • SRS markets SRS to members of the Healthcare Industry Resilience Collaborative (hircstron.com). SRS shares with HIRC the name of their member organizations who have subscribed to SRS. Personal information is not shared with HIRC.
   • SRS markets SRS to members of the Vizient, Inc. Group Purchasing Organization (GPO). SRS shares with Vizient, Inc. the name of their member organizations who have subscribed to SRS. In addition, SRS shares with Vizient, Inc. organizational usage insights for each Vizient member organization who subscribes to SRS. The usage insights for each member organization include a summary of the number of active users, last activity date, number of users who have logged in, number of users who have clicked an alert, number of users who have run a report, and number of users who have accessed training. Personal information is not shared with Vizient, Inc.
   • The sharing of member organization names and usage insights allows SRS and our partners to better tailor our outreach such as by avoiding marketing to organizations that are already using SRS QuickStart
   • You may email our support team at support@supplyrisk.com with any questions or requests such as opting out of communications or to delete your personal information.
2. Choice: We will not share your information with a third party for a purpose that is materially different from original purpose (supply chain transparency and risk prevention) without your consent. Personal Data (name, job title, email, and telephone number) resides in secure software applications that we built and in secure SaaS-based third-party technical support and communications systems that we use to support and communicate with our customers and suppliers. The names of organizations that use SRS may be visible to other organizations for the purpose of collaborating on supply chain transparency and risk prevention.
3. Security: SRS safeguards data that it collects with multi-level data security, including leading technology, procedural and policy measures, as described above.
4. Data Integrity: Personal Data is limited to what is relevant for the purpose of the processing, namely the contact names, job title, email address and telephone number of our customers and their suppliers. SRS takes measures to ensure that Personal Data is accurate, complete, and current.
   • Personal Data is processed fairly and in a transparent manner for specified, explicit and legitimate purposes and kept no longer than is necessary for the purposes for which the Personal Data are processed. SRS maintains a Register of Systems that it uses to process Personal Data and reviews that Register at least annually.
5. Legal Basis of Processing Personal Data: SRS processes Personal Data and other information of SRS customers and their suppliers because the processing is necessary for specific legitimate business purposes which include some or all of the following:
   • Fulfill legally binding Master Service Agreements with SRS customers and partners for supply chain transparency and risk prevention
   • Comply with the Information Collection and Use section of this policy
   • Improve the effectiveness of SRS services to suppliers, including natural disaster alerts, secure transfer of data to customers, rapid communication with customers during natural disaster events, etc.
   • Personalize our software
   • Enhance information security, such as by confirming that account information is current and safeguards to data and software access are in place
   • Understand how people interact with our software
   • Provide communications which we believe will be of interest to you
   • Address a service request from you
   • Provide benefits of SRS to members of our healthcare membership association partners
   • Comply with or avoid the violation of applicable law, regulation, or subpoena
6. Access: Data subjects can obtain confirmation of whether SRS processes Personal Data related to them by emailing support@supplyrisk.com or by logging into the websites described above in section “1. Notice”.
7. Accountability to Onward Transfers: If SRS wishes to transfer Personal Data to a third party acting as an agent, SRS will ensure that the transfer is made on the basis of a contract which provides the level of protection guaranteed by the Privacy Principles.
   • Personal Data (name, job title, email, and telephone number) resides in secure software applications that we built and in secure SaaS-based third-party technical support and communications systems that we use to support and communicate with our customers and their suppliers. SRS is not responsible for violations by third parties or if SRS is required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
8. Enforcement and Redress: Ensure compliance with the Privacy Principles and to put in place an effective redress mechanism. Data Subjects have options for addressing data privacy protection issues, including but not limited to:
   • SRS (recommended, free): Please email support@supplyrisk.com any Personal Data protection issues, suggestions, complaints, or questions. SRS will normally reply within 1-3 business days
     • SRS is not required by GDPR Article 27 to designate a representative in the EU because processing is occasional and does not include on a large scale, processing of special categories of data as referred to in Article 9(1), nor in Article 10, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing. We offer our Software as a Service solution to companies; no goods or services are offered to data subjects (only to companies).
   • Independent Recourse Mechanism: An individual (“Data Subject”) also has the option to seek recourse through an independent organization named JAMS (https://www.jamsadr.com/eu-us-privacy-shield). JAMS will mediate unresolved complaints at no cost to the Data Subject as explained in Supplemental Principle 11 (Dispute Resolution and Enforcement). JAMS is SRS’ designated alternative dispute resolution provider, for Data Subjects who prefer to use an independent recourse mechanism for addressing privacy protection issues. There is also the possibility, for an individual to invoke binding arbitration, under certain conditions (for example, after exhausting all other options)

In the unlikely event of a breach involving unlawful or harmful unauthorized access of unencrypted personally identifiable information (PII) or other confidential information, SRS policy is to notify and work with affected SRS customers within 24 hours and authorities within 72 hours if required. The governing local law for SRS is California Civil Code § 1798.80 et seq; California Health & Safety Code § 1280.15; California Consumer Privacy Act of 2018.

Information Collection and Use

Information Collected by SRS

SRS collects the data needed to provide accounts to company users to communicate with them. This data includes the contact information normally found on standard business cards, such as name, email, job title and telephone. SRS may use your email address to send you Service-related notices and announcements. No sensitive Personal Data is collected or stored.

Supply Risk Solutions (SRS) also collects and stores company and site assessment information and documents, and associated information.

Cookies and Log Data

Like most websites, SRS uses technologies, such as cookies, beacons, pixels, tags, and scripts (collectively, “Cookies”). SRS uses Cookies to provide, monitor, analyze, promote, and improve the Service. Cookies are small text files that are stored through the browser on your computer or mobile device. They allow websites to store information like user preferences, to perform basic functions, to recognize you, and to provide consistency as you navigate between pages. Cookies can have various durations. Session cookies are temporary and expire once you close your browser (or once your session ends). Persistent cookies remain on your hard drive until you delete them, or your browser deletes them automatically based on the cookie’s expiration date.

SRS uses several different types of Cookies on our website and platform:

• Registration Cookies: When you register and sign into our Services, we generate Cookies that let us know whether you are signed in or not, which Services you are authorized to use, and to maintain your login session. Such Cookies are essential for you to browse the website and use its features, such as accessing secure areas of the website.
• Performance Cookies: This type of Cookie helps us to secure and better manage the performance of our Services and remembers your preferences for features found on the Services, so you don’t have to re-set them each time you visit.
• Analytics Cookies: Analytics tools generate Cookies which can tell us (so long as they are allowed and not deleted) whether or not you have visited our Services in the past, tailor communications to you based on your usage, and provide aggregate information on how visitors and users use our Services.

All modern web browsers allow you to change your Cookie permission settings. You can usually find these settings in the “Options”, “Preferences”, or “Set up” browser menu.

In addition, SRS uses databases and server logs to record information such as user web requests, Internet Protocol (“IP”) address, user location, browser type, referring / exit pages and URLs, number of clicks and how you interact with links on the Service, domain names, landing pages, pages viewed, mobile carrier, and other such information. Databases and logs help SRS to monitor, fix and improve the Service. When you access the Service using a mobile device, SRS may collect specific device information contained in your mobile device’s device identifier. SRS may associate this device identifier with your Service account and use data associated with your device identifier to tailor Services to your device and to analyze any device-related issues. Some web browsers have a “do not track” feature that lets you tell websites that you do not want to have your online activities tracked. SRS does not respond to “do not track” signals.

Links to Other Web Sites

SRS is not responsible for the practices employed by websites linked to from within the Service (e.g. news links), nor the information or content contained therein. Please remember that when you use a link to go from the Service to another website, our Privacy Policy is no longer in effect and your activities on that third party website is subject to such third-party website’s own rules and policies.

ALL SRS SOFTWARE, INFORMATION, DOCUMENTATION, REPORTS, RECOMMENDATIONS, ADVICE, SERVICES, ETC. IN ANY MEDIA ARE PROVIDED ON AN “AS IS”, “AS AVAILABLE” BASIS. SRS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF ACCURACY, COMPLETENESS, AVAILABILITY, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, WORKMANLIKE EFFORTS, LACK OF NEGLIGENCE OR NON-INFRINGEMENT. SRS INTELLECTUAL PROPERTY INCLUDES BUT IS NOT LIMITED TO SRS SERVICES, DATA, SOFTWARE, ETC. AND REMAINS EXCLUSIVE PROPERTY OF SRS. SRS IS GOVERNED BY THE LAWS OF SAN MATEO COUNTY, CALIFORNIA, USA. SRS’ PRIMARY AND BACKUP DATA CENTERS ARE LOCATED IN THE USA. SRS OWNS AND RETAINS ALL RIGHT, TITLE, AND INTEREST IN AND TO THE SERVICE, AND NOTHING IN THIS POLICY SHALL BE CONSTRUED AS GRANTING USERS ANY RIGHT OR LICENSE TO THE SERVICE, OTHER THAN EXPRESSLY PERMITTED BY THE SERVICE.

SRS is committed to providing a secure, permission-controlled environment to support supply chain management. Revisions to the policies in this document will be dated and posted on this website. Please email any questions to support@supplyrisk.com. This document was last updated on March 8, 2024.