Summit Analytical LLC. Privacy Policy

Introduction

Summit Analytical, LLC and its subsidiaries (hereafter “Summit Analytical”, “SA”, “the Company”, “we” or “us”) offer statistical analysis services (“Services”) to their Customers and Clients (“Customers”) in the pharmaceutical industry. Summit Analytical is committed to the privacy and security of the Personal Data it processes in accordance with our obligations under applicable Privacy and Data Protection laws.

1.   What Activities are Covered under this Privacy Policy?

This Privacy Policy informs you how Summit Analytical may collect, use, disclose, and process Personal Data we collect as a Data Controller in the situations described in Section 2 below.

IN ALMOST ALL CIRCUMSTANCES EXCEPT HUMAN RESOURCES-RELATED SITUATIONS, SUMMIT ANALYTICAL IS NOT A DATA CONTROLLER. This Privacy Policy does not apply to the extent we process Personal Data in the role of a Data Processor on behalf of our Customers. When using our Services, Customers will input data into our systems, or send us data sets to analyze, and Summit Analytical will process such data for the purposes of providing the Services, without any direct control or ownership of the Personal Data. As such, Summit Analytical’s Customers are responsible for complying with any regulations or laws that require providing notice, disclosure and/or obtaining consent prior to transferring the data to Summit Analytical for processing purposes, in accordance with applicable service/consulting agreements (“Customer Service Agreements”). If your data has been submitted to us in our role as a processor by or on behalf of a Summit Analytical Customer and you wish to exercise any rights you may have under applicable data protection laws, please inquire with them directly. In our role as data processors, we are not allowed to directly provide clinical trial participants with answers to their requests. However, you may contact us by using the information in Section 13 below and provide us with the name of the Summit Analytical Customer who submitted your data to us. We will refer your request to that Customer and will support them as needed in responding to your request within a reasonable timeframe.

2.   What Personal Data do we collect?

(a) Personal Data we collect directly from you: The Personal Data we collect directly from you may include identifiers, professional or employment-related information, financial account information, commercial information, visual information, and internet activity information, as well as any other information you choose to provide us. We may collect such information in the following situations:

If you provide us or our service providers with any Personal Data relating to other individuals, you represent that you have the authority to do so, and where required, have obtained the necessary consent, and acknowledge that it may be used in accordance with this Privacy Policy. If you believe that your Personal Data has been provided to us improperly or want to exercise your rights relating to your Personal Data, please contact us by using the information in Section 13 below.

(b) Personal Data we collect from our customers: We receive information about you provided directly to us by our Customers to satisfy contract obligations. The types of information we may collect directly from our Customers may include names, usernames, email addresses, postal addresses, phone numbers, job titles, transactional information, as well as other contact or other information they choose to provide us or upload to our systems in connection with the Services. Other Personal Data we process may vary depending on the requirements specified in Customer contracts. In those cases, we assume that those Customers have the authority to do so and that you have given and/or obtained appropriate consent where necessary. In addition, Summit Analytical may receive sensitive health and medical information from our Customers to satisfy Customer contract terms. We take appropriate steps to protect this information, including industry standard security and privacy controls. By submitting or providing collected information to the Customers of Summit Analytical, you consent to the use of your information as set out in this Privacy Policy.

3.   What Device and Usage Data do we process?

Unless you have separately given your consent or as a condition of your employment, we do not use common information-gathering tools, such as tools for collecting device and usage data, cookies, web beacons, pixels, and similar technologies to collect information that may contain Personal Data.

4.   How and Why do we use your Personal Data?

We collect and process your Personal Data (including, where legally permissible, special categories of Personal Data) for the following purposes and relying on the following legal bases:

5.   With whom do we share Personal Data?

Where applicable, we may share your Personal Data in the following circumstances:

Vendors, contractors, and other service providers

We may share your Personal Information with vendors, consultants, and other Processors we employ to perform services on our behalf.

If Summit Analytical receives your Personal Data and subsequently transfers that information to a third-party agent or service provider for processing, Summit Analytical remains responsible for ensuring that such third-party agent or service provider processes your Personal Data to the standard required by the applicable privacy laws.

Business Transfers

We may choose to buy or sell assets, and may share and/or transfer Customer information, including Personal Data, in connection with the evaluation of and entry into such transactions and based on our legitimate interests. Also, if we (or our assets) are acquired, or if we go out of business, enter bankruptcy, or go through some other change of control, Personal Data could be one of the assets transferred to or acquired by a third party.

We may also share Personal Data with external professional advisors such as lawyers or accountants.

Summit Analytical may share your Personal Data with our Customers and Service Providers.

We may also share your Personal Data with our Customers and service providers for purposes consistent with this Privacy Policy. Personal Data is transferred to ensure efficient and effective business operations and to enable Summit Analytical to provide Customer, sales, marketing, human resource, finance, information technology, legal, quality assurance, software/product development, and other support services.

Disclosures for other Regulatory Reporting Obligations

Protection of Summit Analytical and Others: We reserve the right to access, read, preserve, and disclose any information as necessary to comply with law; enforce or apply our agreements with you and other agreements; or protect the rights, property, or safety of Summit Analytical, our employees, our users, or others.

6.   How long do we keep your Personal Data?

We may retain your Personal Data for a period of time consistent with the original purpose of collection (see Section 4 above) or as long as required to fulfill our legal obligations. We determine the appropriate retention period for Personal Data on the basis of the amount, nature, and sensitivity of the Personal Data being processed, the potential risk of harm from unauthorized use or disclosure of the Personal Data, whether we can achieve the purposes of the processing through other means, and on the basis of applicable legal requirements (such as applicable statutes of limitation).

After expiry of the applicable retention periods, your Personal Data may be deleted. If there is any data that we are unable, for technical reasons, to delete entirely from our systems, we will implement appropriate measures to prevent any further use of such data. 

7.   How do we Secure your Personal Data?

We take appropriate precautions including organizational, technical, and physical measures to help safeguard against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure of, or access to, the Personal Data we process or use.

While we follow generally accepted standards to protect Personal Data, no method of storage or transmission is 100% secure. You are solely responsible for protecting your password, limiting access to your devices, maintaining up-to-date and patched versions of your software and operating system, and signing out of websites after your sessions.

8.   How are International Data Transfers processed?

Summit Analytical is a company operating primarily in the United States, but also provides Services and engages service providers globally. Your Personal Data may be transferred to and stored by us in the United States and third parties (as disclosed above) that are located in other countries. We ensure that the recipient of your Personal Data provides an adequate level of protection, for example by entering into appropriate processing agreements and, if necessary, standard contractual clauses or an alternative lawful data transfer mechanism.

When Summit Analytical engages in such transfers of Personal Data, it relies on:

  1. Adequacy Decisions, as adopted by:

  2. The EC’s Standard Contractual Clauses (“SCCs”) and the UK Information Commissioner’s Office’s International Data Transfer Addendum (“IDTA”), as applicable, supplemented by additional security measures as recommended by the European Data Protection Board. The EC and the UK’s Information Commissioner’s Office (“ICO”) have determined that the SCCs and IDTA may provide sufficient safeguards to protect personal data transferred outside the EEA and the UK. For more information, please visit https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en and https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/; or

  3. Other Data Transfer Mechanisms and supplemental security measures, as approved by applicable national, regional, and regulatory authorities.

If Summit Analytical is recognized on the DPF Program Data Privacy Framework List as a participant (https://www.dataprivacyframework.gov/s/participant-search), Summit Analytical is self-certified to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework. As part of our commitment to maintaining high data protection standards when transferring Personal Information between European Economic Area (“EEA”)/UK/Switzerland and the United States, we participate in the EU-US Data Privacy Framework (“EU-US DPF”) and the UK Extension to the EU-US DPF and the Swiss-US Data Privacy Framework (“Swiss-US DPF”).

Summit Analytical complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Summit Analytical has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Summit Analytical has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, see the US Department of Commerce’s Data Privacy Framework website.

To view our DPF certification, please visit Participant Detail (dataprivacyframework.gov).

Accountability for Onward Transfers. We acknowledge our responsibility for the processing of Personal Information received and subsequently transferred to our Third Parties/Agents/Service Providers. Summit Analytical remains liable under the DPF Principles if a Third Party/Agent/Service Provider processes Personal Information covered by this Notice in a manner inconsistent with the DPF Principles, except where Summit Analytical can demonstrate that we are not responsible for the event giving rise to the damages.

9.   What are your Privacy Choices and Data Subject Rights?

Privacy laws and applicable regulations give you certain rights over your Personal Data. Some rights only apply when Summit Analytical uses one of the “Legal Bases” described in Section 4; and some rights only apply when Summit Analytical acts as data controller (which is usually not the case except with respect to human resources-related matters).

Your rights include the following:

  • The right to know what Personal Data is being collected and for what purpose;

  • The right to know what Personal Data is being “sold” or “shared”, for what purpose, and the categories of recipients of your Personal Data;

  • The right to access your Personal Data;

  • The right to have your Personal Data rectified, corrected or updated;

  • The right to have your Personal Data deleted, including from any third parties where your Personal Data has been sold, shared or disclosed;

  • The right to opt out of the “sale” or “sharing” of your Personal Data;

  • The right to object to or restrict the processing of your Personal Data;

  • The right not to be subject to a decision based solely on automated processing and profiling, which produces legal effects; and

  • The right not to be discriminated against for exercising your rights as described above.

10. How may you Exercise your Privacy Choices and Rights?

If you would like to exercise any data subject right available to you under applicable data protection regulations, you can fill out our Data Privacy Inquiry Form. Your Personal Data will be processed when responding to these rights and we may be required by law to verify your identity before fulfilling your request. We respond to all requests as required by applicable law and Service Agreements. If we are unable to comply with your request due to an exception or limitation, we will explain this in writing. If we need more time, we will inform you of the reason and extension period in writing.

As described above, we may also process Personal Data submitted by or for a Customer to our Services. To this end, if not stated otherwise in this Privacy Policy or in a separate disclosure, we process such Personal Data as a processor on behalf of our Customer (and the Customer’s affiliates) who is the controller of the Personal Data. IF YOUR DATA HAS BEEN SUBMITTED TO US IN OUR ROLE AS A PROCESSOR BY OR ON BEHALF OF A SUMMIT ANALYTICAL CUSTOMER AND YOU WISH TO EXERCISE ANY RIGHTS YOU MAY HAVE UNDER APPLICABLE DATA PROTECTION LAWS, PLEASE INQUIRE WITH THEM DIRECTLY. In our role as data processors, we are not allowed to directly provide clinical trial participants with answers to their requests. However, you may provide us with the name of the Summit Analytical Customer who submitted your data to us. We will refer your request to that Customer and will support them as needed in responding to your request within a reasonable timeframe.

Summit Analytical complies with the EU-U.S. Data Privacy Framework program (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework program (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Summit Analytical has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Summit Analytical has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Program Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

In compliance with the EU-US Data Privacy Framework Principles, Summit Analytical commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles. European Union, Swiss and United Kingdom individuals with DPF inquiries or complaints should first contact Summit Analytical at privacy@summitanalytical.com

Summit Analytical has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by JAMS Data Privacy Framework (DPF) Dispute Resolution. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Arbitration Procedures (dataprivacyframework.gov). Summit Analytical is subject to the jurisdiction of the US Federal Trade Commission for the purposes of DPF enforcement.

If your complaint involves human resources data transferred to the United States from the European Union, the United Kingdom, or Switzerland in the context of the employment relationship, and Summit Analytical does not address it satisfactorily, Summit Analytical commits to cooperate with the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC), as applicable and to comply with the advice given by the DPAs, ICO, or FDPIC, as applicable with regard to such human resources data. To pursue an unresolved human resources complaint, you should contact the state or national data protection or labor authority in the appropriate jurisdiction. Complaints related to human resources data should not be addressed to the JAMS Data Privacy Framework (DPF) Dispute Resolution.

If you have any questions or concerns, we encourage you to contact your local data protection authority, and we provide you with information on how to do so. For EEA authorities, please see this directory for contact details: https://edpb.europa.eu/about-edpb/board/members_en. For Switzerland, please visit this FDPIC site for contact details: https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html. For the United Kingdom, please see this site for contact details: https://ico.org.uk/global/contact-us/.

11. Additional Information

Please note that we may still use aggregated and de-identified Personal Data that does not identify you or any individual; we may also retain your Personal Data as needed in order to comply with legal obligations, enforce agreements, and resolve disputes.

In compliance with the applicable State law, we commit to respond to and resolve complaints about your privacy and our collection or use of your Personal Data. Individuals with inquiries or complaints regarding this Privacy Policy should contact us in the manner detailed below.

12. Changes to the Privacy Policy

We are constantly trying to improve our Websites and Services, so we may need to change this Privacy Policy from time to time. We will alert you when and how we are required to do so by applicable law. You can see when this Privacy Policy was last updated by checking the date at the bottom of this page. You are responsible for periodically reviewing this Privacy Policy.

13. Contact Us

For any questions or concerns about this Notice, contact our Data Protection Officer in any one of these ways:

     Attention: Data Protection Officer

     8354 Northfield Blvd.

     Bldg G Suite 3700

     Denver, CO 80238

 

Effective March 22, 2024

Situation: If you express an interest in obtaining additional information about our Services; communicate with us via a phone call; visit our offices; use our “Contact Us” or similar features; use our Services; download certain content; or otherwise communicate with us.
Categories of Personal Data: Contact information, such as your name, job title, company name, address, phone number, email address, username and password, other information voluntarily chosen to share.

Situation: If you use and interact with our Services.
Categories of Personal Data: Information about your interaction with our Services through logfiles and other technologies, some of which may qualify as Personal Data.

Situation: If you are a supplier or service provider to Summit Analytical (or work for a supplier or service provider).
Categories of Personal Data: Contact information, payment, and billing information.

Situation: If you are an employee, prospective employee, former employee, or independent contractor/freelancer of Summit Analytical.
Categories of Personal Data: Information you have provided which may include Contact information, Demographic data, National identifiers, Employment details, Family Contact and Date of Birth, Background Information, Financial information, Professional Experience & Affiliations.

Purpose: Recording video or phone calls
Description: We reserve the right to process your Personal Data, including recording phone calls (in accordance with applicable laws) for training, quality assurance, and administration purposes.
Legal Basis: Consent or our legitimate interest in maintaining the high quality of our phone calls with users.

Purpose: Handling contact and user support requests
Description: We process your Personal Data if you fill out a “Contact Us” web form, request user support, or if you contact us by other means including but not limited to via phone.
Legal Basis: Necessary for the performance of a contract with our Customer or our legitimate interest in fulfilling your requests and communicating with you.

Purpose: Providing, developing and optimizing the performance of the Services
Description: We process your Personal Data to perform our contract with you to develop, optimize, provision, and improve the performance of the Services and to satisfy our obligations under the applicable terms of use.
Legal Basis: Necessary for the performance of a contract with our Customer or our legitimate interest to provide and administer our Services in line with Customer expectations.

Purpose: Managing our Customer and user accounts
Description: We process your Personal Data to manage Customer and user accounts generally, such as billing, Customer correspondence and Customer relationship management.
Legal Basis: Necessary for the performance of a contract with our Customer or our legitimate interest in the management of Customer and user accounts.

Purpose: Maintaining our security
Description: We process your Personal Data for the purposes of maintaining Summit Analytical’s own security, including investigating, detecting and preventing suspicious activity, fraud and cybercrime that may affect Summit Analytical or its Services.
Legal Basis: Our legitimate interest in promoting the safety and security of Summit Analytical generally and to protect our rights and the rights of others.

Purpose: Managing job applicants
Description: We process your Personal Data for the purpose of talent acquisition, including assessing capabilities, reference checks.
Legal Basis: Legitimate interests to hire qualified staff for our administrative purposes, aggregate management reporting, internal training, and as generally required to conduct our business.

Purpose: Undertaking financial reporting, managing payments, preparing internal reports, and business modeling
Description: We process your Personal Data for the purposes of financial reporting, modeling purposes (e.g., forecasting), and to collect payments to the extent that doing so is necessary to complete a transaction and perform our contract with you.
Legal Basis: Our legitimate interest in meeting our obligations associated with the reporting of our finances, management of our business operations, and necessary for the performance of a contract.

Purpose: Complying with legal obligations
Description: As necessary, we may process your Personal Data as required by government authorities, courts or regulators in accordance with our legal obligations under applicable laws.
Legal Basis: Legal obligation incumbent on Summit Analytical, like a judicial, law enforcement or national security request or order; or our legitimate interest in pursuing remedies available to us and limiting our damages; or for auditing purposes.

Purpose: Managing our Contractors
Description: We process your Personal Data primarily for the purposes of managing the working relationship with you.
Legal Basis: Our legitimate interest in meeting our legal and statutory obligations associated with the reporting of our finances, management of our business operations, and necessary for the performance of a contract.

Purpose: Managing Employees
Description: We process your Personal Data primarily for the purposes of managing the employment or working relationship with you, and to fulfill our obligations under your employment contract, or applicable Summit Analytical policies, including on-boarding, payroll, benefits administration, pension and retirement administration, managing vacation and other types of leave, tax reporting, and the like. We may also process your Personal Data when it is necessary for other legitimate purposes, such as general HR administration; maintaining our global directory; general business management and operations; disclosures for auditing, reporting purposes and as required by law; measuring employee sentiment and performance; internal investigations; management of network, information systems security and data protection; safety and physical security; provision and improvement of employee services and facilities; for global diversity and inclusion initiatives; and in connection with the sale, assignment or other transfer of all or part of our business.
Legal Basis: Our legitimate interest in meeting our legal and statutory obligations associated with the reporting of our finances, management of our business operations, and necessary for the performance of a contract.
