At UbiStor, Inc. we are dedicated to conducting our business in a manner that complies with the EU Safe
Harbor Principles published by the U.S. Department of Commerce. The Safe Harbor Principles were
developed to aid U.S. businesses in addressing and assessing their privacy policies and practices as they
may relate to the European Union’s Directive 95/46/EC on data privacy for “personal data” (including any
EU member state’s rules, regulations or laws enabling such Directive, herein the “Directive”). Personal data
is information relating to an identified or identifiable natural person. It includes personal information
specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical
beliefs, trade union memberships and information concerning the personal activities, undertakings, traits or
habits of a particular individual. An identifiable person is one who can be identified, directly or indirectly, by
reference to an identification number or to one or more factors specific to the person’s physical,
physiological, mental, economic, cultural or social identity. Personal data may be considered transferred
outside the EU under the Directive if it falls under one of two situations that are described below. For the
Directive to apply, the personal data must be processed, wholly or partly, by automatic means or if not
processed to any extent by automatic means, it forms (or is intended to form) part of a filing system.
Processor on Behalf
UbiStor, Inc. provides managed offsite data backup, which is designed to help companies store and recover
data more efficiently and effectively. UbiStor, Inc. does not own or control any of the information stored or
processed by any of its customers. Only the customer is entitled to process, store, access and retrieve
such information. Customer information that originates in the EU will be stored on UbiStor, Inc.’s server
located in the U.S. utilizing UbiStor, Inc.’s service and which is accessible over the Internet only by the
customer. UbiStor, Inc. does not own or control, collect, record, organize, use or otherwise disclose or
make available to third parties the data that is stored through use of its managed offsite data backup
service, and such data is considered owned or controlled only by that customer. UbiStor, Inc. does not
actively process the data stored on its server under the managed offsite data backup service. As a point of
fact, UbiStor, Inc. is not aware of what is actually being stored by a customer on UbiStor, Inc.’s system
under the managed offsite data backup service and has no general direct access to such information or
data, except as expressly authorized by the customer, as applicable. Furthermore, under no circumstances
may UbiStor, Inc. independently cause a customer’s data to be transferred to any third party, such action
being limited to the customer. Also, UbiStor, Inc.’s standard operating policy in this case is not to directly
cause a transfer of any such data other than to return it to the customer. In this capacity, UbiStor, Inc.
should be considered only as a processor on behalf as to any personal data that may be considered
transferred from the EU to the U.S. subject to the requirements of the Directive. As such, the customer is
the Data Controller as they have the actual control over the way any personal data is collected and used as
well as the determination of the purposes and means of the processing of such data. UbiStor, Inc. is not
responsible for the content of the information stored on its server by the customer nor is UbiStor, Inc.
responsible for the way the customer treats such information.
The Safe Harbor Principles require those who collect and determine the purposes and the means of the
processing of personal data to fulfill very specific requirements related to compliance with the Directive.
The specific functions of a Data Controller will depend on the specific laws of each EU member state.
However, since UbiStor, Inc. is not the collector or in control of any personal data, because it, neither alone
nor jointly with others, will determine the purposes and means of collecting and the processing and uses of
such data, it should not be considered as acting in the capacity of Data Controller with attendant
responsibilities under the Directive or the Safe Harbor Principles. Although UbiStor, Inc., without its actual
knowledge, may be provided data or information subject to the Directive by a customer by means other
than use of the managed data backup service (e.g., by email) in order to aid in the resolution of a technical
issue, it should not be considered a data collector or Data Controller as to such data. Furthermore, UbiStor,
Inc. requires that its customers do not include personal data in such transmittal to it, and it may reject and
return such data to the sender if it becomes aware that such data is not in compliance with such
EU Data Controller Contract
UbiStor, Inc. and its customers will enter into a contract to ensure that each party understands its role in
complying with the Directive and the Safe Harbor Principles. Any data considered processed or stored by
UbiStor, Inc. on behalf of a customer will not be further disclosed to third parties, except as directed or
required by the customer, acting only in compliance with the Directive. Any information which the Data
Controller identifies as sensitive personal information must be treated accordingly.
The contract with a customer also will specify that the customer is responsible for implementing and
maintaining reasonable security measures relating to the customer’s access to the customer’s data stored
on the UbiStor, Inc. server, including assignment and administration of all identification codes and
passwords authorizing such access. The customer, as applicable, is responsible for all security measures
relating to such identification codes and passwords. UbiStor, Inc. has in place commercially reasonable
measures to protect data on its network from loss, misuse, unauthorized access, disclosure and alteration
and destruction. The customers are responsible for the utilization of any optional tools UbiStor, Inc.
provides for data protection, including transmission encryption and encrypting data at rest. The return or
destruction of data stored on the UbiStor, Inc. server is principally in the control of the customer, and
UbiStor, Inc. will comply with their instructions on such matters.
As merely a processor on behalf of the customer (who is considered the EU Data Controller), UbiStor, Inc.
is not required to apply other Safe Harbor Principles to personal information subject to the Directive and
considered received for processing (i.e., storage) from a customer.
UbiStor, Inc. requires that each of its customers comply with their respective obligations under the Directive
and that the customer confirm to UbiStor, Inc. that all applicable EU member state data protection laws
shall be complied with prior to any transfer of any non-public personal data from the EU to the U.S. in
connection with UbiStor, Inc.’s managed data backup service.
UbiStor, Inc. is entirely dependent on the customer’s compliance with the Directive in connection with any
authorization for access to such customer’s data on the UbiStor, Inc. system as well as its nature and the
form in which it is transmitted. UbiStor, Inc. has no ability to access data located on its system other than
as expressly permitted or directed by the customer, and, in no case, will UbiStor, Inc. be involved in the
further processing or manipulation of such data other than perhaps the return of data in another form of
media, as discussed below. UbiStor, Inc. takes reasonable steps to assure that any data that is considered
transferred from the EU to the U.S. is maintained in a reliable, accurate and complete state, subject always
to any deficiencies in the state in which it was received that may have been caused by others. The steps
UbiStor, Inc. undertakes to assure data integrity are provided to take into consideration the Safe Harbor
As noted above, the control of access to data stored on the UbiStor, Inc. system under its managed data
backup service is in the direct and primary control of and subject to the security measures undertaken by
the customer. Furthermore, UbiStor, Inc. recommends to its customers that all data “at rest” and stored on
the UbiStor, Inc. system be encrypted to better assure the protection and confidentiality of such data, but
the decision as to the use of such encryption is solely in the control of the customer. UbiStor, Inc. also
requires that personal data not be transmitted to it outside the managed data backup closed system, since
different security measures may be in place with respect to those systems (e.g., email). UbiStor, Inc. has
in place information security procedures and commercially reasonable security measures to protect all
information stored on its server from loss, misuse, unauthorized access, disclosure, alteration and
destruction. The customer will be notified of any breach of the security measures implemented by UbiStor,
Inc. of which UbiStor, Inc. becomes aware. Any measures or actions required to be undertaken by the
customer in connection with such breach are solely the responsibility of the customer. If it is required by a
customer to download data stored on the UbiStor, Inc. managed data backup system by such customer
onto some form of other data archival or compilation media, UbiStor, Inc. will do so only upon receipt of a
written request and directions (including by email) therefor from the customer and such media will be sent
via a reliable carrier or courier, as authorized by the customer. Upon its delivery to such carrier or courier,
UbiStor, Inc. shall have no further obligation thereafter for the security or safety of the data included on
Any compromise of security or potential compromise of security and any inquiries concerning security
should be reported or directed to UbiStor, Inc. Contact information is provided below.
EU Safe Harbor Policy Administrator
1111 Plaza Drive, Suite 600
Schaumburg, IL 60173
866.312.STOR toll free
Individuals who wish to file a complaint or who take issue with UbiStor, Inc.’s EU Safe Harbor Privacy
Policy should direct such communication to the Administrator, as set forth above. The Administrator can
explain the process to be followed when filing a complaint. Filing a complaint in English will expedite the
process. Should an individual be unable to resolve a complaint after having contacted the Administrator,
that individual can contact the International Centre for Dispute Resolution of the American Arbitration
Association at www.adr.org. This organization will provide independent dispute resolution. UbiStor, Inc. is
subject to the jurisdiction of the U.S. Federal Trade Commission. Such individual may contact the Federal
Trade Commission at the following address:
Federal Trade Commission
Attn: Consumer Response Center
600 Pennsylvania Avenue NW
Washington, D.C. 20580
Limitation on Application of the Safe Harbor Principles
UbiStor, Inc.’s adherence to the Safe Harbor Principles may be limited to the extent expressly permitted by
applicable law, rule or regulation.
UbiStor, Inc. applies the self-assessment approach for verification of its compliance with its obligations
conforms to the Safe Harbor Principles; that this policy contains provisions to inform individuals of UbiStor,
Inc.’s in-house arrangements for handling complaints and further informs individuals of the independent
mechanisms through which they may pursue complaints. UbiStor, Inc. has in place procedures for training
employees in this policy’s implementation, and for disciplining them for failure to follow it; and that it has in
place internal procedures for periodically conducting objective reviews of compliance with the above.
UbiStor, Inc. reaffirms this certification as verified through its self-assessment process by completing a
written statement signed by a corporate officer or other authorized representative of the organization at
least once a year and UbiStor, Inc. makes such statements available upon request.
product and services and customer feedback which will be effective immediately upon posting of an
updated policy. UbiStor, Inc. encourages you to periodically review this EU Safe Harbor Privacy Statement
to be informed of how it is protecting information stored on its server in connection with its managed data
To learn more about the Safe Harbor program, please visit http://www.export.gov/safeharbor/.