Privacy and Security Policy

Beamy publishes several spaces online :

• The Client Platform refers to the online platform marketed by Beamy to its customers, accessible from the URL https://client.beamy.io

• The SaaS publisher Platform refers to the online space deployed by Beamy for its partners or the partner software providers of Beamy’s clients, accessible from the URL: https://solution.beamy.io

• The Beamy showcase site refers to the home page of the site published by Beamy accessible to the public from the URL https://beamy.io

 In the context of its commercial activity and while browsing these Internet spaces (the “Platform (s)” or the “Site”), Beamy is required to process personal data. This policy aims to inform about how we use this data, why we use it and what we do with it.

I. POLICY ON PERSONAL DATA

1. Beamy’s capacity

The personal data collected within the SaaS publisher Platform are processed by Beamy as the responsible for the processing of personal data and subcontractor for the services provided to Beamy’s customers.

The personal data collected within the Client Platform are processed by Beamy as the responsible for the processing of personal data and subcontractor for the services provided to Beamy’s customers.

The personal data collected within the Site are processed by Beamy as the responsible for the processing of personal data.

2. Why do we collect the data (purpose) and on what legal basis?

We only use personal data in the cases indicated in the current regulation, namely:

·      The execution of a current contract

·      The existence of a legitimate interest in using such data (i.e. a set of business
reasons that justifies the use of the data by Beamy) and / or;

·      Consent to use this data,

·      Compliance with a legal obligation.

Purpose

Legal basis

Management of the Client platform

Implementing Service Delivery
Contracts

Management of the SaaS publisherplatform

Implementing Service Delivery
Contracts

Analysis of the navigation within the Platforms
to improve our services

Beamy's legitimate interest

Conduct satisfaction surveys to
improve our services

Beamy's legitimate interest

Conduct statistical studies on the use
of our Platform and our services

Beamy's legitimate interest

3. What personal data do we collect and under what circumstances do we collect it?

Data transmitted directly to Beamy

We collect the data transmitted directly during the various contacts we have with customers, prospects or partners:

·      When requesting an appointment on our Site

·      When creating an account on our Site and Platforms (registration for a free trial or a paid subscription),

·      When registering for the newsletter

·      When downloading a white paper

This data includes the surname, first name, e-mail address, socio-professional category, password. It can also be the phone number, profile picture, link to LinkedIn / Twitter profiles if they are completed on the Platform.

Data collected under a service contract

We collect on behalf of our customers personal data concerning:

·       The employees of our Customers: in particular their surname name, first name, professional email address, related department

·      The points of contact of the partner software providers of our Customers: in particular their name, first name, professional email address, type of the professional relationship with our Clients

Data collected during a partnership or commercial relationship with Beamy

These are the data that are communicated, including:

·      Data in the contract signature;

·      Through requests made to our internal teams via an “Account Manager”, a “Customer Success Partner” and / or our “Support” team;

·      When participating in events we organize (“Workshops” / “WorkShop”).

These data include the surname, first name, e-mail address, socio-professional category of the sales contact, HR or any person who may come into contact with Beamy for the execution of the services entrusted to Beamy, as well as any information you would like to communicate to us.

Exclusion of sensitive data:

“Sensitive” data refers to racial or ethnic origin, political opinions, religious or philosophical beliefs, union membership, health data or sexual orientation. Beamy does not collect any.

4. How long do we keep the data?

Personal data are kept for a period of time in accordance with legal provisions or proportional to the purpose for which they were recorded. Certain shelf lives are in the interest of Beamy’s legitimate interest as specified in the introduction. Below you will find the main durations of data retention. 

Data category

Purpose

Retention period

Prospect data

Prospect data set (surname, first name, email, SP category, etc.)

Management of a prospect file

3 years after the
data collection or last contact with the prospect

Data relating to an Employee of our
Customers

Surname
Name
Professional email address

Related department

Execution of a contractual obligation

3 months after the
departure of the person concerned / or / the end of the contractual
relationship with the Client

Employee Data from
a Software Provider Partner of Our Customers

 

Surname
First name
Professional email address

Type of the professional relationship
with the customer

Execution of a contractual obligation

 

3 months from the
departure of the person concerned / or / the end of the contractual
relationship with the Client

Data relating to an active customer

All customer data entered in the Subscription
form, at the time of subscription (surname, first name, email, category SP)

Customer account management

12 months from the
end of the contractual relationship with the Customer

Data relating to an inactive customer

Identification and
contact data – Registered newsletters

Sending information about the
evolution of our publications and our offers

12 months after the
end of the contractual relationship with the Customer

Data collected during the exercise of
the rights related to the GDPR

Copy of the
identity document

Management of the file of the persons
exercising their right of access, rectification, deletion, limitation and
opposition

12 months

When the data retention is no longer justified by legal, commercial or customer account management requirements, or if a modification or deletion right has been used, we will delete it securely.

5. Who has access to the data?

5.1 Beamy

The data is accessible by some members of Beamy’s teams. These teams have access only to the data needed to perform their functions and are not allowed to process the data for other purposes. They are also subject to an obligation of confidentiality for this purpose.

5.2 The entity concerned

Data based on the “roles” on the Platform are accessible by the employer, and the Extended Roles that benefit from the platform’s administrative rights (“Owner” and “Administrator”).

5.3 Our service providers / Subcontractors of personal data

The data is accessible to the service providers we use to outsource all or part of the processing we perform with the data (hosting the Platform and data, maintenance, sending order confirmation emails, emailing, secure payment, etc.).

The subcontractors we use are covered by the safeguards required by the regulations applicable to the protection of personal data. They only have access to the data needed to perform their services and are not allowed to process the data for other purposes.

The access of our subcontractors to the data is done on the basis of legal acts mentioning the obligations that they are subject to with regard to the protection of the security and the confidentiality of the data.

5.4 Competent authorities

Personal data may be disclosed to the authorities by law, regulation or by a decision of a competent regulatory or judicial authority.

In general, we undertake to comply with all legal rules that may prevent, limit or regulate the dissemination of information or data and in particular to comply with applicable data protection regulations.

 6. What are data subjects’ rights and how can they be exercised?

6.1 What are the rights of the people concerned?

The persons concerned have the right to obtain our services:

·       confirmation that personal data concerning the person making the request are or are not processed, and if necessary, to have access to them;

·       the correction of personal data concerning the person making the request that are inaccurate or incomplete;

·       the deletion of personal data under certain conditions;

·       limitation of the processing of personal data under certain conditions;

·       the portability of personal data;

·       organize the fate of personal data in the event of death (retention, deletion, or communication to a designated person).

·       to oppose, under certain conditions, the processing of personal data.

The persons may at any time object to the processing of data for the purposes of commercial prospecting and withdraw their consent to the processing of data used by our services for behavioural advertising purposes, navigation analysis, and calculating the audience.

We also remind that the persons concerned have the right to deposit a complaint with the CNIL if they consider that their rights have not been respected. For more information on the rights they have with regard to their data, they are invited to consult the CNIL website: www.cnil.fr

6.2 How to exercise the rights?

For any request for access, opposition, rectification, portability, limitation, release of data in the event of death: The persons concerned can send an email to the following address data-protection@beamy.com while:

·      indicating the subject of the request, the surname (s) and first name (s);

·      joining the photocopy of both sides of their identity card or passport, to allow us to verify their identity and any information that would be useful to process the request

We will get back to the persons concerned as soon as possible, at the latest within a month of the reception of the request.

7. Is the data transferred outside the European Union?

We do not transfer any data outside the European Union. 

8. How is the data secured? 

As the responsible for the processing of personal datawe implement appropriate technical and organizational measures in accordance with the applicable legal provisions to protect personal data against tampering, accidental or unlawful loss, use, disclosure or unauthorized access.

For more information, please see Chapter II – Security Policy.

9. Update

We reserve the right to modify this policy to meet the standards imposed by the law but also because our site and services are continually evolving.


II. SECURITY POLICY

Beamy must protect its confidential, sensitive and limited circulation data to avoid negatively impacting its customers and damaging their reputation and their own reputation. Data protection is one of the essential needs of the business, but just as important is the ability to easily access this data and work effectively.

Its main purpose is to educate users and avoid any accidental loss. This policy highlights the requirements for preventing data breaches.

1. Obligation of employees

1.1.       Referring to

·      Any employee or equivalent: contractor or individual having access to Beamy systems or data

·      List of sensitive data to protect:

o  Personal data

o  Confidential data subject to a confidentiality agreement signed between Beamy and one of its customers or partners

o  Data containing information characterized as strategic 

1.2.       Policy

 

1.    Every employee must take Beamy Safety Awareness Training and agree to abide by the security policy

2.    If an employee identifies an unaccompanied or unauthorized person in Beamy, he shall immediately notify Irfane Goulamabasse, CTO of Beamy.

3.    Visitors of Beamy must be accompanied by an authorized employee at all times. Employees who accompany visitors must limit their access to the appropriate areas.

4.    Employees are prohibited from publicly referencing the purpose or content of the data to be protected, or via non-Beamy-regulated communication systems or channels. For example, the use of external mail systems not hosted by Beamy to distribute data is not allowed.

5.    Employees are required to have a “clean” office. To maintain information security, they ensure that all printed data is not left unattended on their workstation.

6.    Employees must use a secure password on all Beamy systems in accordance with the password policy. These login credentials must be unique and must not be used on other external services or systems.

7.    Employees who have ceased their duties are required to report all documents, in any format, containing information to be protected.

8.    Employees must immediately notify Beamy if a system containing sensitive data (for example a smartphone or laptop, etc.) is lost.

9.    In the event that an employee finds a system or process that you believe does not comply with this policy or the data security objective in place, it has the duty to inform Irfane Goulamabasse, CTO of Beamy, so that he can take the appropriate measures.

10. Employees must ensure that resources containing sensitive, confidential or limited-circulation data are not publicly disclosed, particularly in public transport.

11. The data to be transferred within Beamy must be transferred only via secure transfer mechanisms provided by the company (for example via USB keys, file shares, encrypted emails, etc.).

12. Any data transferred to a portable system (for example a USB key, a laptop) must be encrypted in accordance with industry best practices and current regulations. 

2.   Encryption of hard disks 

2.1.       Scope

 ·      All Beamy Professional Workstations

·      All virtual machines of Beamy

2.2.       Policy

1.   All systems affected by this policy must have full encryption of the activated disk.

2.    Beamy’s Acceptable Use Policy (AUP) and Safety Awareness Training must require users to notify if they suspect they are not complying with this policy.

3.   Security Awareness Training and the AUP must require users to warn of any system that has been lost or stolen.

4.   The encryption policy must be administered and validated by Irfane Goulamabasse, CTO of Beamy.

5.    Irfane Goulamabasse, CTO of Beamy has the right to access any encrypted system for investigation or maintenance purposes or in the absence of an employee with unique access to the file system.

6.   The encryption technology is configured according to industry practices.

7.    All security related events will be logged and verified to identify any inappropriate access to the systems or any other malicious use.

III. Applicable law and competent jurisdiction

This policy is governed by French law. Any dispute relating to the interpretation or execution of this policy will be subject to French law 

01/06/2019, Paris
Andréa Jacquemin
President of Beamy