BroadCloud UC-One Cloud PBX Privacy Statement

BroadSoft, Inc. and its affiliates (collectively "BroadSoft" or “we”) are committed to protecting your privacy. 

We comply with data protection legislation. This regulates the processing of personal data relating to you and grants you various rights in respect of your personal data including a right to object to some of your processing.

The aim of this statement is to tell you how we will use your personal data collected in the context of your customer relationship with BroadSoft and the choices available to you regarding collection, use, access, and how to update and correct your personal data.

There may be additional policies and notices to be aware of, if you are using a BroadSoft Solution provided by a service provider or third party. Please refer to the privacy statement or policy of the entity through which you are obtaining BroadSoft Solutions for more details.

Additional information on our personal data practices may be provided in supplemental privacy statements or notices provided prior to or at the time of data collection.

What information do we collect and process?

When you use our services, we collect and process the following data:

  • Personal data – Name, Email Address, Phone Number, Calling ID name, Address.
  • Credentials- User IDs and passwords, SIP credentials, Web Interface/ XSI credentials, Voicemail PIN (personal identification number), digitized/ electronic signature, authentication tokens, and cookies.
  • Profile data – Service settings, call forward number, do-not-disturb settings, auto-attendant, etc.
  • Contact Lists – Personal phone lists group phone lists
  • User Generated data –instant messages, uploaded media files, voice messages and call recordings.
  • Connectivity data – IP addresses, device Identifiers (such as IMEI), MAC address, MSISDN, Landline number, SIP Number.
  • Traffic data – phone numbers or other identifiers that you call and send messages to and receive from, the date, time, duration (at the time these communications are made).
  • Usage data – communications metadata such as call logs.
  • Billing data - Data (such as call detail records which include the cost of your communications) relevant for invoicing and collections, invoice documents and other billing records.
  • Location data – based on IP address or device location to provide presence functionality.


What do we use this information for and what is the legal basis for this use?

We will use your personal data for the following purposes:

  • In the context of your customer relationship with BroadSoft for the performance of our contractual obligations, in particular:
    • for the provisioning of and providing the service
    • Provide operational support for contracted service
    • Communicate with you on status and availability of service
    • for billing
  • to conduct our business and pursue our legitimate interests and where our interests are not overridden by your data protection rights, in particular:
    • for verifying your identity;
    • for subscriber and user enquiries and the resolution of problems associated with service;
    • for prevention or detection of fraud;
    • to carry out research and analysis and monitor use of our network and products and services on an anonymous basis to identify general consumer trends and to understand better our users’ behaviors and partner with other businesses to create new services and to develop interesting and relevant products and services for our customers, as well as personalize the products and services we offer you. We may use information about your location for research and analytics purposes but we will only retain this information in an anonymized form to ensure that you cannot be identified as an individual;
    • for enforcing compliance with our terms of use and other policies or otherwise in connection with legal claims, compliance, regulatory and investigatory purposes as necessary (including disclosure of such information in connection with legal process or litigation) or preventing, investigating and/or reporting fraud, terrorism, misrepresentation, security incidents or crime;
  • where you give us your consent
    • Where you ask us to send marketing information via a medium or in a format where we need your consent (for example email marketing in certain countries). For more information about how to modify your preferences about marketing communications, please see below;
    • for informational type directory services; and
    • On other occasions where we ask for your consent, for the purpose we explain at the time.
  • For purposes which are required by law, such as responding to requests by government or law enforcement authorities conducting an investigation.
  • We also use aggregated information about the use of our services so we can administer and improve our services, analyze trends, and gather broad demographic information. We may pass this information to third parties.


How long do we keep your information?

We will retain your Subscriber Data (such as personal data, profile data, contact lists, etc) for the duration of the contract relationship.

We will retain billing data relevant for invoicing and collection for up to 2 years (except in the EU and EEA where data is stored for six months), or in the case of invoice disputes until the dispute is resolved. Traffic Data will be stored for up to 30 days (except in Germany where data is stored for up to 7 days), unless necessary to investigate faults or investigate cases of fraud.

Data backups, file archives and application log files are deleted every 30 days. Pertinent log information required to troubleshoot a problem encountered by end-users may be retained for up to 1 year.

Data Category

Retention Time in Production or Live Systems

Personal data

Data is deleted as soon as service is terminated or a user is deactivated.

Credentials

Data is deleted as soon as service is terminated or a user is deactivated.

Profile data

Data is deleted as soon as service is terminated or a user is deactivated.

Contact lists

Data is deleted as soon as service is terminated or a user is deactivated.

User-generated
data

Data such as voicemails are deleted as soon as service is terminated or a user is deactivated.
Call recordings are stored for up to 40 days.

Usage data

Data is deleted as soon as service is terminated or a user is deactivated.

Connectivity
data

Data is deleted as soon as service is terminated or a user is deactivated.

Traffic data

Data is stored for up to 30 days, except in Germany where data is stored for up to 7 days.

Billing data

Data is stored for up to 2 years, except in the EU and EEA where data is stored for six months.
Invoices and billing records are stored for up to 7 years.

 

Who will we share this information with, where and when?

BroadSoft will share the personal data you provide with other BroadSoft entities and/or third parties who are acting on BroadSoft’s behalf to provide you services such as technical assistance, troubleshooting, customer support and billing. Business partners include for vendors for cloud hosting, service billing, analytics and service monitoring purposes.

Where these recipients are data processors on our behalf, we have entered into appropriate data processing agreements with them. Where these recipients receive your data as controllers, this disclosure is justified by their role in providing services to you and they receive the data necessary to provide and invoice their contribution to these services.

Some of these BroadSoft entities or business partners may be located in multiple geographies, including the US, Canada, United Kingdom, Northern Ireland, EU, Australia, and Japan.  Where we export your data outside of the EEA, this is permitted either by appropriate data processing agreements or justified by the need to provide our services to you internationally. Where such transfers are to a Broadsoft entity or business partner in a country that is not subject to an adequacy decision by the EU Commission, data is adequately protected by EU Commission approved standard contractual clauses, an appropriate Privacy Shield certification or Processor Binding Corporate Rules.  You can obtain a copy of the relevant mechanism by contacting us on the contact details set out below.  

Personal data may be shared with government authorities or law enforcement officials if required for the purposes above, if mandated by law or if required for the legal protection of our legitimate interests in compliance with applicable laws.

In the event that the business is sold or integrated with another business, your details will be disclosed to our advisors and any prospective purchaser’s advisors and will be passed to the new owners of the business.

Security

We have implemented appropriate technical and organizational measures designed to secure your personal data from accidental loss and from unauthorized access, use, alteration or disclosure. BroadSoft has earned the prestigious ISO 27001:2013 certification, an international standard for an information security management system.

The BroadCloud product security control baseline incorporates the NIST 800-53 control families that cover various security related areas. These areas represent a broad-based, balanced information security program that addresses the management, operational, and technical aspects of protecting information and information systems.

Additional controls may include:

  • Encryption of data in transit and secure file transfers
  • Protection of authentication passwords via encryption or hashing
  • Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • Conducting penetration tests and vulnerability scans
  • Authenticating employees, vendors and contractors access to information systems
  • Maintaining appropriate security documentation


What rights do you have?

You are entitled to see the information held about you. If you wish to do this, please contact us at privacy@broadsoft.com. We may require you to provide verification of your identity to provide a copy of the information we hold. Please note that in certain circumstances we may withhold access to your information where we have the right to do so under current data protection legislation.

You may also have the right to correct, delete or restrict the processing of your personal data; and to obtain the personal data you provide to us for a contract or with your consent in a structured, machine readable format, and to ask us to share (port) this data to another controller. In addition, you can object to the processing of your personal data in some circumstances, in particular where we don’t have to process the personal data to meet a contractual or other legal requirement, or where we are using the data for direct marketing.

If you opted to receive marketing emails or other communications from BroadSoft or third parties at the time you registered for the services but subsequently change your mind, you may opt-out by emailing privacy@broadsoft.com.You can also email this address to exercise any of your other rights. If you have unresolved concerns, you have a right to complain to an EU data protection authority where you live, work or where you believe a breach may have occurred.

Children's Privacy

BroadSoft encourages parents and guardians to take an active role in their children's online activities. BroadSoft does not knowingly collect personal data from children without appropriate parental or guardian consent. If you believe that we may have collected personal data from someone under the applicable age of consent in your country without proper consent, please let us know using the methods described in the Contact Us section and we will take appropriate measures to investigate and address the issue promptly.

How to Contact Us

We value your opinions. Should you have questions or comments related to this Privacy Statement, please email our privacy team at privacy@BroadSoft.com.

Updates to this BroadSoft Privacy Statement

We may update this Privacy Statement from time to time. If we modify our Privacy Statement, we will post the revised version here, with an updated revision date. You agree to visit these pages periodically to be aware of and review any such revisions. If we make material changes to our Privacy Statement, we may also notify you by other means prior to the changes taking effect, such as by posting a notice on our websites or sending you a notification. By continuing to use our website or Solutions after such revisions are in effect, you accept and agree to the revisions and to abide by them.

The BroadSoft Privacy Statement was revised and posted as of May 4, 2018.