Effective Date: May 25, 2018
This Customer Privacy Notice describes our practices regarding the collection and processing of Personal Data (as defined below) of Customer Representatives (as defined below) who enter our premises on behalf of any Customer (as defined below). This Privacy Notice also applies to the Personal Data to which we have access in connection with our threat analytics services. We do not have access to any Personal Data that is processed by Customers using our colocation facilities. The general principles that govern our processing of Personal Data are:
We are responsible for the protection of Personal Data entrusted to us.
We inform individuals about the collection and processing of their Personal Data, and use it fairly.
We collect and use Personal Data for specific legitimate purposes. We collect what we need to get our job done.
We offer individuals choices regarding the use of their Personal Data, and honor their preferences for contacting them.
- Security & Retention
We apply technical, physical and organizational measures to ensure an appropriate level of security for the Personal Data in our custody. We retain such data as needed for its intended purposes.
- Third Parties
We carefully choose vendors, service providers and other third parties with whom we share Personal Data and require them to commit to standards that we consider adequate.
The operator of the Platform is Cyxtera Technologies, Inc. located at 2333 Ponce De Leon Blvd, Suite 900, Coral Gables, FL 33134. The Services are provided by Cyxtera Technologies, Inc. and its subsidiaries, including Cyxtera Technology UK Limited (a company organized and existing under the laws of England and Wales), Cyxtera Germany GmbH (a company organized and existing under the laws of Germany), Cryptzone Group AB (a company organized and existing under the laws of Sweden), and Cryptzone UK Ltd. (a company organized and existing under the laws of England and Wales) (together with Cyxtera Technologies, Inc., collectively “Cyxtera” or “we,” “us,” “our”).
The local representative of Cyxtera in the European Economic Area is Michael Bennett, located at 630 Ajax Ave, Slough, SL1 4DG, United Kingdom.
For the purpose of this Privacy Notice, the following terms shall have the definitions set forth below:
“Customer” means a business that is, has been, or is about to become a customer of Cyxtera pursuant to a validly executed service agreement for the purpose of using any or all of the Services.
“Customer End User” means an individual who is a client, lead, business contact, or has a relationship with a Customer such that such Customer stores or processes the Personal Data of such individual through equipment collocated at Cyxtera, or to which Cyxtera has access in connection with the provision of the Services.
“Customer Party”, “individual”, “you” or “your” means and refers to any Customer Representative or Customer End User.
“Customer Representative” means an individual who the Customer has identified to Cyxtera as being authorized to acts on behalf of the Customer, and who uses or interacts with Cyxtera or the Services in such capacity.
“GDPR” means the EU General Data Protection Regulation.
“Personal Data” means any information that pertains to an identified individual, or to an individual who can be identified directly or indirectly by reference to an identifier.
“Processing” and “Processor” have the meanings ascribed to such terms in the GDPR.
“Services” means the services provided by Cyxtera, including colocation and other data center services, fraud detection software and services, website accessibility compliance software and services, and cybersecurity software and services relying on the Tools.
“Tools” means the proprietary tools, software applications, computer networks, technology, equipment, know-how and similar tools that Cyxtera uses to provide the Services and interact with Customer Representatives.
This Privacy Notice applies to the handling of Personal Data by Cyxtera when it provides the Services.
Processing Activities by Customers Through Use of Our Services are Not Subject to this Privacy Notice
This Privacy Notice does not apply to the collection or processing of Personal Data that occurs when our Customers use their own equipment and applications hosted on or through Services to process the Personal Data of their own customers, employees, business contacts and the like for their own purposes.
5. Updates and Changes to Privacy Notice.
We will review and update this Privacy Notice periodically in response to changing legal, technical, market, and business developments. When we update this Privacy Notice, we will note the date of its most recent revision on the cover page of this Privacy Notice. We will take appropriate measures to inform you in a manner that is commensurate with the materiality of any such changes, and that complies with applicable law regarding changes in this Privacy Notice.
6. Information Collection Practices
We collect a variety of information as needed to provide the Services, and for the legitimate interests of our business, including for marketing purposes, to the extent permitted by applicable law. In most case the Personal Data has been provided to us by a Customer or a Customer Representative. We have access to Customer End User Personal Data, if any, only as incidental to our provision of Services, and only at the specific request of the Customer. Our information collection practices are focused on ensuring the security of our Services, and ensuring our ability to communicate with our Customers as needed for administrative purposes, and occasionally for marketing purposes.
The collected data includes:
Customer Representative Data
When a Customer purchases Services, we create an account in the name of the Customer. With regard to colocation Services, the Customer has the ability to record the names of its authorized Customer Representatives who are allowed to access our premises and the areas in which the Customer’s equipment is located. We request the following information with respect to such Customer Representatives:
- First and Last Name of the Customer Representative(s);
- Name of the Customer;
- Email address;
- Street address, including country;
- Telephone number;
- Scope of authority;
- Government issued ID; and
- Vehicle license plate.
CCTV Footage and Biometric Information
For security reasons, our data centers and other premises are equipped with technologies that allow us to verify identity and record who has accessed different areas of our premises. We may collect the following information:
- Biometric information of authorized Customer Representatives who access our premises;
- CCTV footage that captures and records images of the whereabouts of the visitors who visit our premises; and
- CCTV of parking area.
We collect payment information, such as method, date and amount of payment. If a Customer pays with a credit card, the relevant credit card information will be transmitted directly to our payment processor, and we will not retain details of such payment information other than the Transaction ID number related to such payment. After payment information is provided by the individual and transmitted to our payment processor, we will not have access to payment card information and disclaim any liability for any loss or compromise of payment card information. When you make a payment, you agree to terms of our payment processor.
In certain cases of ongoing Customer relationships, we retain information about such Customers as necessary for the administration of such Customer accounts.
Communication with Customer Representatives
When a Customer Representative communicates with us by email, phone or text, we automatically collect and store certain information, such as:
- The Customer Representative’s name and contact information;
- Other Information that the Customer Representative provides to us; and
- The nature and purpose of the communication and the actions we took in response to the Customer Representative’s inquiry or the action that the Customer Representative took.
The information collected in connection with each type of interaction is retained to ensure continued interaction with the requesting party for administrative purposes, and as applicable for the promotion of our Services.
The information is collected in connection with our marketing efforts and is retained so that we can continue or elect to stop interaction with individuals.
If at any time you wish for us to cease communicating with you, please contact us as indicated below in the section captioned “How to Contact Us”. You can also take advantage of the unsubscribe link that you will find in any of our written electronic communications.
Customer End User Personal Data
We may have access to Customer End User Personal Data in an incidental manner when we are requested by a Customer to perform certain tasks that require us to have access to such Personal Data. For example, this happens when a Customer requests that we provide technical support that requires incidental (and temporary) access to Personal Data. We may also have incidental (and temporary) access to Personal Data in the course of performing certain tasks in connection with our forensic and threat analytics services.
Information We Obtain from Third Parties
We may receive or seek information from third party data providers in connection with our marketing activities. In some cases, such information has manifestly been made public on the internet by the individuals providing such information (for example, in the case of a social media profile that has been posted and shared online publicly), and we assume that such individuals no longer have a privacy interest in such information, and that such information can be used in connection with Cyxtera’s legitimate interests in learning about potential Customers. In other cases, where it is not clear that such information was made manifestly public by the individuals, we obtain this data with assurances from the third-party providers that the individual has consented to the collection and sharing of this data, or that this information is available in public records and is permissible to collect.
7. How Information is Collected
Customer information is collected through several different means described below. We believe that such means are fair, lawful, and proportional in light of the legitimate interests and needs of our business, and that our methodology fairly addresses each individual’s legitimate rights and expectations in view of the context and purpose for the collection and use of the information collected.
These means include (but are not limited to):
- Information directly provided by the Customer or the Customer Representative as necessary to ensure legal access to the premises; and
- Information collected through our CCTV network and other tracking or identity verification technologies such as biometric information, which allow us to keep track of the whereabout of visitors within our premises.
We do not intentionally collect information about Customer End Users. Our access is only incidental to the provision of our Services (as described above), and is retained only for the duration of the specific Services that require access to such information.
8. Information Use and Disclosure
We use the data collected as necessary to perform the Services that the Customer purchased, for the legitimate interests of our business (including for interacting with Customers and for marketing purposes) and to comply with our legal obligations, as follows:
For our Business Operations
We collect information from Customers for business operation reasons, including, but not limited to:
- To send administrative information to Customers and Customer Representatives;
- To expedite the processing and completion of a transaction;
- To diagnose technical problems, and manage our business;
- To keep records of contact information, correspondence and communications;
- To respond to request for assistance or support, or request for information concerning their account;
- To diagnose server problems, and similar issues with its Tools;
- To administer the Services; and
- To follow up with Customer Representatives and help resolve issues internally or with our affiliated entities.
For Security Purposes
We use CCTV footage, and biometric information about our Customer Representatives, and in some cases visitors, for security purposes.
We use IP Addresses for administration and security purposes, such as calculating usage levels of our Services, help diagnose server problems, and detect disruptive or destructive behavior.
To Interact with Customers
We use contact information and records of our interactions with Customer Representatives:
- To keep records of contact information, correspondence and communications;
- To provide information concerning the Services;
- As necessary for the legitimate interests of our business and when we believe that such use is legitimate under applicable law;
- As necessary for the performance of our contract with the Customer; and
- As required for compliance with a legal obligation to which Cyxtera is subject.
- To send relevant marketing information or market research surveys (in some countries subject to the recipient’s prior approval); and
- To send invitations to events that may be of interest to the Customer Representative in accordance with the individual’s preferences or apparent interests (in some countries, subject to the recipient’s prior approval).
We also use contact information and information we have inferred about the interest of an individual in connection with our Customer relationship management, for the legitimate interests of our business taking into account the legitimate privacy interests of the individual, in accordance with the local data protection laws. In all cases we offer the individual the ability to opt-out of commercial communications.
For Marketing Purposes
We use contact data of certain Customer Representatives to:
- Communicate with them about announcements, Cyxtera products or services that are similar to the Services purchased and that might be of interest to them;
- To send relevant marketing information or market research surveys; and
- To send invitations to events that may be of interest to the Customer Representative in accordance with the individual’s preferences or apparent interests.
Recipients of such material can opt-out from receiving such communications at any time by contacting us as provided in the “how to contact us” section or by following the directions provided in each such communication.
For Statistical and Research Purposes
We aggregate information about visits to our premises in aggregated form to:
- Better understand the interests and needs of our Customers and Customer Representatives;
- Create reports on trends in the usage of the Services; and
- In the case of our marketing activities, to determine the effectiveness of our promotional campaigns, and optimize our marketing and advertisement targeting efforts.
9. Sharing with Third Parties
Except as described below, Cyxtera will not share or disclose Personal Data with or to third parties.
We believe that our practices below are fair, lawful, and proportional in light of the legitimate interests and needs of our business, and that they fairly address each user’s legitimate rights and expectations in view of the context and purpose of the collection and use of the information collected, and are not intrusive or contrary to users’ legitimate rights.
Disclosure to Marketing Partners.
In countries where such activities do not require prior explicit consent, we may provide personal information of individuals to third party marketing companies, affiliates, advertising agencies, and data aggregation companies. These partner firms use this information to provide individuals with information on products and services that may be of interest.
In countries, such as in the European Economic Area, where such activities are restricted, we conduct these activities in accordance with applicable local laws.
The above does not apply to Personal Data of Customer End Users to which we might have access in the course of providing a Service as described herein.
We share information with our suppliers, subcontractors, and other third parties who provide services to us (collectively “service providers”) in connection with hosting, data analytics, information technology and infrastructure, order fulfillment, email delivery, auditing, and other related activities as necessary to perform the Services that the Customer purchased and to comply with our legal or contractual obligations. We provide only the information such service providers need to perform their designated functions. Our contracts with them prohibit them from using or sharing with others the information that we provide to them, or that they collect directly for purposes other than as directed by us.
Events and Tradeshows
If, in connection with an event or a tradeshow, an individual provides us with contact information, we assume that this constitutes an affirmative explicit consent to our collection and use of this information for marketing purposes.
Some of the events or tradeshows in which we participate may be organized and hosted by unaffiliated organizations. These entities may require attendees to these events to provide information such as their name, email address, and/or phone number as part of the registration process. We cannot control this collection or use of information. We encourage you to read the privacy statements of any third parties to whom you provide information, as they control how such information is handled.
We share information with entities that are under common ownership or control of our parent company (our “Affiliates”). Subject to local law requirements, express preferences indicated by individuals, or our contractual obligations, this information may be used to promote the services offered by our Affiliates and for the other purposes described in this Privacy Notice.
Affiliates may share information about users for direct marketing purposes, but only in accordance with each user’s choices or preferences.
Fraud Prevention and Protection of Legal Rights
We may use and disclose information to the appropriate legal, judicial or law enforcement authorities and our advisors and investigators (i) when we believe that such disclosure is necessary to investigate, prevent, or respond to suspected illegal or fraudulent activity or to protect the safety, rights, or property of Cyxtera, its Customers, Customer Parties, or others; (ii) when an individual has abused the Services, exceeded the permitted use of the Services, gained unauthorized access to any Tool, engaged in spamming, denial of service attacks, use of malicious code, or similar attacks; (iii) to exercise or protect legal rights or defend against legal claims; or (iv) to allow us to pursue available remedies or limit the damages that we may sustain.
We may have to disclose Personal Data if a court, law enforcement or other public or government authority with appropriate jurisdiction so requests, and we believe that such request is in compliance with applicable law.
10. Basis for the Collection and Use of the Personal Data
We only use Personal Data in connection with our ordinary professional activities, which include, but are not limited to such use:
If any processing activity requires the prior consent of the individual, we ensure that the individual has the ability to withdraw that consent.
11. Privacy Shield Statement
Cross Border Transfers
Cyxtera is a global corporation. As a result, Personal Data may be transferred, accessed or stored globally as explained in this Privacy Statement.
Cyxtera complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce (“Privacy Shield”) regarding the collection, use, and retention of Personal Data when a Customer and Cyxtera have agreed that the transfer and processing of Personal Data about individuals in the European Economic Area (“EEA”) will be conducted pursuant to the Privacy Shield for the relevant services.
When conducting those activities on behalf of its EEA customers, Cyxtera holds and/or processes Personal Data about EEA individuals at the direction of the customer.
Cyxtera is responsible for ensuring that third parties acting as an agent on Cyxtera’s behalf are obligated to provide at least the same level of privacy protection as is required under the Privacy Shield Principles.
Cyxtera has certified (application pending) to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Privacy Shield Statement and those of the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification (once accepted), please visit https://www.privacyshield.gov/list.
The following entities are covered entities under Cyxtera’s Privacy Shield self-certification: SIS Holdings LP, Cyxtera Technologies, Inc., SIS Acquisition Corp. IV, Cyxtera Software, Inc., Cyxtera Management, Inc., Cyxtera DC Parent Holdings, Inc., Cyxtera Federal Group, Inc., SIS Acquisition Corp. II, SIS Acquisition Corp. III, Easy Solutions Enterprises Corp., Easy Solutions, Inc., Brainspace Corporation, Cyxtera DC Holdings, Inc., Catbird Networks, Inc., Cryptzone Worldwide, Inc., Cryptzone International Holdings, Inc., Cryptzone North America, Inc., Cyxtera Data Centers, Inc., Cyxtera Communications, LLC and Cyxtera Canada, LLC.
With respect to Personal Data received or transferred pursuant to the EU-US Privacy Shield Framework, Cyxtera is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission and commits to cooperate with EU data protection authorities. In certain situations, Cyxtera may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If you have any complaints regarding our compliance with this Privacy Shield Statement, you should first contact us. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of Personal Data in accordance with this Statement.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider, the American Arbitration Association, (free of charge) at http://go.adr.org/privacyshield.html.
Under certain conditions, more fully described on the Privacy Shield website at:, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
Cyxtera is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC). Liability for onward transfers to third parties shall be in accordance with applicable data privacy laws, including but not limited to the GDPR.
Security of Personal Data
We use commercially reasonable technical, organizational, and administrative safeguards to protect information within our control against unauthorized or unlawful access, use, modification, destruction, processing or disclosure, and against accidental loss, destruction, or damage. We believe that these measures are reasonably suited to the nature of the information in our custody.
We limit access to our Users’ Personal Data to only those employees and third parties who reasonably need access to such information in order to perform their job responsibilities.
Threats to data security are constantly evolving, therefore Cyxtera cannot guarantee information in its care will not be accessed, hacked, disclosed, altered, or destroyed by unauthorized parties. Cyxtera continually seeks to improve its security posture in order to protect its employees', customers', and partners' data while aligning with industry best practices.
Breach of Security
If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us might have been compromised), or if you suspect someone else is using your account, please let us know immediately by contacting us as indicated below in the section captioned “How to Contact Us”.
Lost or Stolen Information.
You must promptly notify us if your credit, bank, other financial institution information, username, or password is lost, stolen, or used without permission. In such an event, we will assist you in updating your account details with respect to that information that we have in our possession.
13. Data Retention
We will retain Personal Data we collect as described herein where we have justifiable business need to do so, and/or for as long as it is needed to fulfill the purposes outlined in this Privacy Notice, unless a longer retention period is required by law, such as for tax, legal, or accounting purposes.
You can request deletion of your Personal Data at any time, and we will consider your request in light of applicable laws.
When, in our reasonable discretion, we have no justifiable business need to process your Personal Data (for example, after you have ended all of your interactions with Cyxtera and our internal record keeping policies no longer dictate that we retain your Personal Data), we will either delete it or anonymize it or, if it not possible (for example, because your Personal Data has been stored in back-up archives), we will securely store your Personal Data and isolate it from any further processing until deletion is possible.
14. Electronic Communications
If you receive commercial electronic communications from us, you can unsubscribe from the receipt of future commercial electronic communications from us by clicking on the “unsubscribe link” provided in such communications.
Customer Representatives who have a registered account may also opt out of receiving commercial electronic communications by logging in to their Cyxtera account, clicking on “Settings,” “User Accounts,” selecting a user, then editing the options in “Notification Options.” We will comply with your request(s) within ten (10) working days.
Please also note that if you do opt out of receiving commercial electronic communications from us, we may still send you important administrative messages (such as updates about your account or service changes), and you cannot opt out from receiving these messages.
15. Right of Information, Access and Other Rights
Accessing, Correcting or Deleting Your Information
Customer Representatives who have an account with Cyxtera have the right to review, change, or suppress Personal Data that we have collected from them. There are several ways to do this, including by logging into your account and changing this information or by contacting us as indicated below in the section captioned “How to Contact Us”. To confirm the completeness and accuracy of, or make changes to, their Personal data, individuals are encouraged to visit their personal profile.
We may need to retain certain information for legally required, or Cyxtera internal, record keeping purposes and/or in order to complete any transactions initiated prior to an individual request to remove or delete their information. Residual information may remain within our databases and other records, but it will no longer be tied to your identity.
16. EU/EEA Residents: Data Subject Rights under the GDPR
The GDPR grants individuals who are in the European Union and European Economic Area (“EU/EEA”) the following rights, with some limitations. Customer Parties who are located in the EU/EEA may contact us, at the address provided below in the section captioned “How to Contact us”, to exercise any of those rights and we will respond with the requested action or information, or will let you know why such right(s) does not apply.
Right Not to Provide Consent or to Withdraw Consent
We may seek to rely on a Customer Representative’s consent in order to process certain Personal Data. Where we do so, you have the right not to provide your consent, and the right to withdraw your consent at any time. If you withdraw your consent, this will not affect the lawfulness of the processing conducted based on consent before its withdrawal.
Right of Access
You have the right to obtain confirmation as to whether or not we collect or process Personal Data concerning you and, if this is the case, you have the right to request a copy of such Personal Data in digital format.
Right of Rectification
You have the right to require that we correct any inaccurate Personal Data concerning you, and that we complete incomplete Personal Data.
Right of Erasure
In certain circumstances, you have the right to request that we erase Personal Data concerning you; for example, if it is no longer necessary for the purposes for which it was originally collected.
Right to Restrict Processing
In certain circumstances, you have the right to request that we restrict the processing of the Personal Data that we have collected about you; for example, where you believe that the Personal Data that hold about you is not accurate or lawfully held.
Right to Data Portability
In certain circumstances, you have the right to receive the Personal Data concerning you that you have provided us in a structured, commonly used, machine readable format, and the right to obtain that we transmit the data to another entity where technically feasible.
Right to Object to the Processing
In certain circumstances, you have the right to request that we stop processing your Personal Data.
Right to Object to the Processing for Direct Marketing Purposes
You have the right to request that we stop sending you marketing communications.
Right Not to be Subject to Decisions Based Solely on Automated Processing that Produce Legal Effects
In certain circumstances, you have the right no to be subject to a decision based solely on automated processing - including profiling - that produces legal effects or similarly affects you.
Right to Complain to a Supervisory Authority
You have the right to lodge complaint with a Supervisory Authority if you believe that our processing of Personal Data relating to you infringes the GDPR.
17. California Residents: Rights under California Law
California requires operators of websites or similar services to make certain disclosures to individuals who reside in California regarding their rights, specifically:
Shine the Light
Under California law, a business that has an established business relationship with an individual, and has, within the immediately preceding calendar year, disclosed Personal Data that is primarily used for personal, family or household purposes to third party for the third party’s direct marketing purposes, must disclose to the California individual, upon request, the identity of any such third party, along with the type of Personal Data disclosed.
You can contact us to request such information as provided in the “How to Contact Us” section. Please note that under California law, businesses are only required to respond to an individual’s request once during any calendar year.
Some browsers give individuals the ability to communicate that they wish not to be tracked while browsing on the Internet. California law requires that we disclose how we treat do-not-track requests. The Internet industry has not yet agreed on a definition of what “Do Not Track” means, how compliance with “Do Not Track” would be measured or evaluated, or a common approach to responding to a “Do Not Track” signal. Due to the lack of guidance, we have not yet developed features that would recognize or respond to browser-initiated Do Not Track signals in response to California law.
18. How to Contact Us
We would love to hear your questions, concerns, and feedback about this Notice.
You can contact us:
By email at:
By postal mail at:
Attn: Director, GRC
22860 International Drive
Sterling, VA 20166
Please note that email communications are not always secure; so please do not include credit card information or sensitive information in your emails to us.
Request to Exercise Individual Rights
To exercise any of your rights as set forth herein, please contact us in writing, via email or postal mail as indicated above, so that we may consider your request under applicable law. Please be aware that your request will not be accepted for review unless you provide the following:
- Your first and last name and an address where we can correspond with you;
- The State or Country in which you are located.
- A clear description of the information or content you wish to receive or to be deleted or corrected, or the action you wish to be taken; and
- Sufficient information to allow us to locate the content or information to be deleted, removed or corrected.
For your protection, we may only implement requests with respect to the Personal Data associated with the particular email address that you use to send us your request.
In addition, please note that, depending on the nature of your inquiry, request or complaint, we may need to verify your identity before implementing your request and may require proof of identity, such as in the form of a government issued ID and proof of geographical address.
We will try to comply with your request as soon as reasonably practicable. However, we reserve the right to refuse to act on a request that is manifestly unfounded or excessive (for example because it is repetitive) and/or, in some cases, to charge a fee that takes into account the administrative costs for providing the information or the communication or taking the action requested.