CLIENT DATA PRIVACY & INFORMATION SECURITY POLICY
“The safety of your privacy is important to us”
SuccessLink Outsourcing (SLO) is dedicated to delivering solutions that enable our Clients to meet their strategic goals. We offer business process and IT outsourcing solutions, along with advisory services. Central to our commitment to putting Clients first is ensuring that Client Personal Information entrusted to us, including sensitive personal information, is secure, and that the privacy of our Clients’ End Users is respected.
INTRODUCTION
SLO provides outsourcing solutions categorized as front office, back office, knowledge process, and customized solutions to the global market. An essential part of our commitment to providing a true outsourcing partnership and solutions is ensuring that all Client Personal Information, including sensitive personal information, is secure, and that the privacy of our Clients is highly respected.
SLO’s privacy practices are developed in accordance with applicable legislation relating to privacy and information security, which may include, but are not limited to, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), the EU General Data Protection Regulation (Regulation (EU) 2016/679), as nationally implemented, supplemented, amended, and replaced from time to time (“GDPR”), the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Children’s Online Privacy Protection Act of 1998 (“COPPA“), the Video Privacy Protection Act of 1988, the Cable Television Protection and Competition Act of 1992, the Fair Credit Reporting Act (“FCRA”), the California Consumer Privacy Act of 2018 (“CaCPA”), the Philippine Data Privacy Act of 2012, and various provincial and state privacy laws, collectively referred to as the “Applicable Privacy Laws.”
SLO is committed to ensuring that our privacy management practices comply with the Applicable Privacy Laws as well as with our contractual commitments in the various countries in which we or our Clients operate. Our commitment to our Clients is that we will work with them to protect privacy and apply safety measures to any data in all our dealings.
This SLO Client Privacy Policy (this “Privacy Policy”) outlines the responsibilities of SLO concerning the protection of Personal Information entrusted to SLO by our Clients.
DEFINITIONS
For the purpose of this Privacy Policy, the following terms shall have the following meanings. Terms defined elsewhere in this Privacy Policy shall have those meanings.
- Business Contact Information: Refers to the business contact details of our Clients’ representatives.
- Client: Means a Client or potential Client of SLO who is a business, enterprise, sole proprietor, or other organization.
- Client Personal Information: Means Business Contact Information and/or End User Personal Information.
- Data Controller: The organization that determines the purposes and means of the processing of Personal Information.
- Data Processor: The organization that processes Personal Information on behalf of the Data Controller.
- End User: Means the users of Clients’ products or services, or clients, customers, or patients of Clients.
- End User Information: Means the Personal Information of End Users.
- Personal Information: Means any information relating to an identified or identifiable natural person.
- Processing: Means the recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, collection, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction of Personal Information.
SCOPE & APPLICATION
This Privacy Policy applies to Client Personal Information that is in SLO’s custody for the purposes of providing services to the Client. It includes Client Personal Information that is in the possession of service providers who have been contracted to provide services on SLO’s behalf.
The application of this Privacy Policy is subject to the requirements or provisions of any applicable legislation, regulations, agreements, or the order of any court or other lawful authority.
All SLO employees, contractors and agents with access to Client Personal Information are required to comply with this Privacy Policy.
OUR ACCOUNTABILITY PRINCIPLES
Our Accountability Commitment
SLO is responsible to our Clients for Client Personal Information in SLO ’s possession or custody, including information that has been transferred for processing by SLO to a service provider or a third party in the course of conducting SLO ’s business.
Where the GDPR applies toSLO ’s processing of Personal Information:
- SLO acts as a Data Processor for its Clients, which effectively means that it processes End User Personal Information on behalf of its Clients in order to provide services to those Clients.
- SLO acts as a Data Controller in respect of Business Contact Information that it collects and processes in order to develop its business and sell services to its Clients.
- SLO acts as a Business Associate (as such term is defined in HIPAA) for certain of its Clients, which effectively means that it processes Personal Health Information on behalf of its HIPAA covered-entity Clients in order to provide services to those Clients.
Executive Responsibility
Protecting privacy is an integral part of our services and all members of SLO ’s executive team have a responsibility to enable and oversee operational compliance with SLO ’s privacy policies and procedures within their own areas of responsibility, ensuring all business units are properly aware of and resourced to meet our privacy obligations.
Employee Accountability
As a core commitment of SLO , all members of the SLO team undergo mandatory annual privacy training to ensure their continued awareness of and compliance with applicable laws and our policies, including this Privacy Policy; we recognize that all employees play a role in earning and maintaining Client trust and we undertake ongoing privacy awareness activities to create a culture of privacy at SLO.
SAFETY MEASURES
SLO maintains an information security governance program to protect Client Personal Information.
In compliance with its security policy, SLO employs security measures appropriate to the sensitivity of the information in an effort to protect Client Personal Information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification, or destruction. SLO maintains security compliance with international standards such as PCI-DSS 3.0, SSAE16 SOC1, and SOC2 as part of its governance program.
SLO’s security measures include but are not limited to the following:
- Using appropriate administrative, physical, and technical security controls designed to prevent and detect unauthorized access to Client Personal Information;
- Employing encryption for data at rest and in transit, tokenization, de-identification, and other mechanisms to protect Client Personal Information as appropriate;
- Limiting access to Client Personal Information on a need-to-know basis and applying the principles of least privilege and role-based access control;
- Requiring secure disposal of any media containing Client Personal Information;
- Prohibiting the use of Client Personal Information in non-production or demonstration environments, except with the express consent of the Client;
- Implementing a Secure by Design methodology in our work processes;
- Identifying and assessing reasonably foreseeable risks to the integrity, confidentiality, or availability of Client Personal Information that we hold, and taking reasonable steps to mitigate those risks through the implementation of safety measures; and
- Regularly testing our safety measures and our overall security program.
SLO protects Client Personal Information shared with service providers by employing contractual or other means to ensure that any such service provider maintains a comparable level of protection while processing Client Personal Information.
Employment agreements at SLO include contractual provisions requiring the safeguarding and proper usage of confidential information (including Client Personal Information) accessible to employees during the course of their employment. SLO takes appropriate disciplinary measures where necessary to enforce this Privacy Policy.
INCIDENT MANAGEMENT
SLO has developed a comprehensive incident readiness and response plan designed to identify the cause, extent, and nature of any incident involving Client Personal Information, and to allow timely reporting to the Client in accordance with Applicable Privacy Laws and our contractual obligations.
SLO will provide reasonable assistance to Clients in investigating incidents and, where required, assist in reporting to regulatory authorities or other relevant parties to prevent or minimize any loss or harm resulting from such incidents.
LIMITATION OF PROCESSING OF CLIENT PERSONAL INFORMATION
SLO is committed to transparency in how we collect and use Client Personal Information. We receive Client Personal Information directly from Clients, their End Users, or other authorized entities, and limit collection to what is necessary to fulfill the purposes outlined in this Privacy Policy and in our agreements.
SLO requires that Clients share Client and End User Personal Information only if it has been lawfully obtained and is necessary for the agreed purposes. We do not use Client Personal Information for any purpose outside the scope of this Privacy Policy or the applicable agreement, unless required or permitted by law.
For more information about the types of personal information we collect and how we process it, please refer to the End User Personal Information and Business Contact Information sections.
CONTACT US
For the purposes of the GDPR and other applicable privacy laws, SLO acts as the Data Processor in relation to End User Personal Information, and the Client serves as the Data Controller. SLO is the Data Controller with respect to Business Contact Information.
We maintain procedures for addressing and responding to all inquiries or complaints regarding our handling of Personal Information. These may be submitted confidentially to our Privacy Office at compliance@sl-outsourcing.com
SLO has appointed Data Protection Officers to oversee data privacy compliance for its Philippine operations. They can also be contacted through the same email address.
All complaints will be thoroughly investigated. If a complaint is found to be justified, SLO will take appropriate steps to resolve the issue, which may include updating our policies and procedures.
END USER PERSONAL INFORMATION
What End User Personal Information Do We Process?
In order to provide services to Clients, SLO processes Personal Information related to End Users, which is entrusted to us by Clients in connection with the services we provide. This Personal Information may be used by or otherwise impact End Users. Such information may include, but is not limited to:
- Names
- Email addresses
- Mailing addresses
- Telephone numbers
- Information for account administration (such as usernames and passwords)
- IP addresses
- Behavioral information (such as interactions, preferences, habits, feedback, needs, and issues)
- Voice recordings, images, and video
- Financial information (such as credit card numbers, bank account details, and transaction histories)
- Special categories of data (such as personal health information and other health-related data)
How is End User Personal Information Processed?
SLO processes End User Personal Information solely under the direction of our Clients in order to:
- Provide products and services tailored to Client and End User needs, as defined in our Client agreements
- Ensure our products and services remain responsive through technical support, training, and feature improvements
- Investigate and resolve incidents, including Client and End User complaints
- Promote or sell products and services to End Users, as directed by Clients, and in compliance with applicable marketing and telemarketing laws
- Develop, customize, or modify software applications and source code on behalf of Clients
How May We Disclose End User Personal Information?
1. Third-Party Service Providers
We may disclose End User Personal Information to trusted vendors that provide services such as IT support, legal consulting, auditing, and other business services. Additionally, some of our services may be subcontracted to third parties under strict contractual obligations.
In all such cases, SLO enters into agreements that require these vendors or subcontractors to protect End User Personal Information in accordance with Applicable Privacy Laws.
2. Group Companies
We may disclose certain End User Personal Information between group companies, including those located in other countries, to ensure we are allocating the appropriate resources to fulfill Client needs and to remain compliant with our contractual obligations.
3 Legal Obligations
We may also disclose End User Personal Information when necessary to:
- Enforce our contracts and terms and conditions with Clients
- Safeguard the operations, rights, and property of SLO
- Protect the rights and safety of Clients and End Users
- Comply with legal requirements such as court orders or regulatory actions
- Pursue available legal remedies or limit potential damages
- Respond to lawful requests from public or government authorities, including those outside of the Client’s country of establishment
- Fulfill any other obligations under applicable laws, including those outside of the Client’s jurisdiction
How Do We Protect End User Personal Information That Is Disclosed Internationally?
SLO complies with Applicable Privacy Laws when transferring End User Personal Information to and from different countries.
For transfers of Client Personal Information outside of the EU to a third country that does not afford an adequate level of protection of Personal Information according to the European Commission, SLO implements appropriate safeguards. Such transfers are made only when enforceable rights and effective legal remedies are available for the individuals whose Personal Information is being transferred.
The appropriate safeguards SLO has in place include standard contractual clauses compliant with the European Commission and Privacy Shield mechanisms (where applicable).
Consent
As SLO does not have a direct relationship with End Users, we require that our Clients obtain all necessary consents or authorizations required under Applicable Privacy Laws. This ensures that SLO is authorized to process End User Personal Information on behalf of the Client for the purposes outlined in this Privacy Policy.
Retention
SLO maintains a comprehensive records retention policy and schedule. We retain End User Personal Information only for as long as necessary to provide services to our Clients, or as required by the terms of our contractual agreements, unless longer retention is mandated by legal or regulatory obligations.
Accuracy
SLO does not independently verify the accuracy of End User Personal Information provided by Clients. We rely on Clients to ensure that the Personal Information shared with us is complete and accurate, and sufficient for the purposes for which it is being processed.
Nevertheless, SLO takes reasonable steps to maintain the integrity of the data in our custody and applies appropriate safeguards as described in the Safety Measures section of this Policy.
Individual Rights
Unless explicitly agreed upon in the provision of services to a Client, SLO will not respond directly to inquiries from End Users about the processing of their Personal Information. Instead, we will make reasonable efforts to refer such inquiries to the appropriate Client, who acts as the Data Controller.
We recommend that Clients inform their End Users to review the Client’s own privacy policy to understand their rights under Applicable Privacy Laws.
BUSINESS CONTACT INFORMATION
What Business Contact Information Do We Collect?
To deliver services to our Clients, SLO collects and processes Personal Information from Client representatives at various stages of the business relationship. This may include when Clients:
- Inquire about our services
- Engage with us for customized solutions
- Continue to use our services
Collected Business Contact Information may include:
- Names
- Email addresses
- Mailing addresses
- Telephone numbers
- IP addresses
How Do We Use Business Contact Information?
We use this information to:
- Communicate with Clients throughout the relationship
- Understand Client needs and preferences
- Provide tailored services and solutions
- Ensure our offerings remain relevant and responsive
- Manage billing and process payments
- Promote or offer products and services
- Support business operations, including audits, analytics, service enhancement, and marketing strategy
- Comply with legal and regulatory obligations
What Are Our Legal Bases for Processing Business Contact Information?
Where the GDPR applies, our legal bases include:
- Legitimate interests: Such as managing client relationships, analyzing service usage, business development, and marketing strategy.
- Performance of a contract: When processing is necessary to fulfill obligations to Clients.
- Compliance with legal obligations: As applicable under specific legal or regulatory frameworks.
To learn more about how we balance our interests with privacy rights, please contact us.
How May We Disclose Business Contact Information?
Third-Party Service Providers
We may share Business Contact Information with service providers who deliver key functions such as:
- IT and cybersecurity
- Client relationship management
- Payment processing
- Financial software solutions (SaaS)
- Legal, accounting, auditing, and consulting services
All such vendors are bound by contractual obligations to protect Personal Information in line with Applicable Privacy Laws.
Group Companies
We may share Business Contact Information within our group of companies (including those in other jurisdictions) to allocate resources appropriately, maintain internal records, meet compliance requirements, and support shared business functions.
Corporate Transactions or Events
In connection with a corporate transaction—such as a merger, reorganization, sale, or transfer of assets—Business Contact Information may be disclosed to involved third parties under appropriate confidentiality terms.
Legal Obligations
We may disclose Business Contact Information when necessary to:
- Enforce contractual terms
- Protect our operations and assets
- Ensure the safety of Clients
- Comply with legal proceedings, court orders, or regulatory demands
- Pursue legal remedies or limit damages
- Respond to lawful government or public authority requests—even outside of the Client’s country of establishment
- Fulfill other requirements under applicable law
How Do We Protect Business Contact Information That Is Disclosed Internationally?
SLO complies with all Applicable Privacy Laws when transferring Business Contact Information across borders.
For transfers to countries outside of the EU that lack an adequate level of data protection (as determined by the European Commission), SLO uses safeguards such as standard contractual clauses and Privacy Shield frameworks to ensure that individuals’ rights are protected and legally enforceable remedies are available.
Consent
When collecting Business Contact Information from Client representatives, SLO provides appropriate notices explaining the purpose of collection and use of the data in accordance with this Privacy Policy.
Retention
SLO retains Business Contact Information only for as long as necessary to fulfill our obligations to Clients or as otherwise required under applicable legal or regulatory retention requirements.
Accuracy
SLO will make reasonable efforts to maintain the accuracy and integrity of Business Contact Information in its custody and will safeguard such information through the safety measures outlined in the relevant section of this policy.
Individual Rights
Client representatives may have the following rights, to the extent permitted under Applicable Privacy Laws, with respect to the Business Contact Information in SLO’s custody:
- The right to request access to their Personal Information
- The right to request correction of their Personal Information
- The right to request erasure of their Personal Information
- The right to object to the processing of their Personal Information
- The right to request restriction of processing of their Personal Information
- The right to request the transfer of their Personal Information
- The right to lodge a complaint with the relevant national supervisory authority regarding the processing of their Personal Information
Please refer to the “Contact Us” section for further information on exercising these rights.
COOKIES
When you visit this website, we may place one or more cookies—a small text file containing a string of alphanumeric characters—on your device. These cookies uniquely identify your browser and may convey information such as:
- The pages you view
- The links you click
- Your preferred browsing language
- Other usage data to help us enhance your browsing experience over time
These cookies do not grant us access to your computer nor allow us to collect or process any personal information directly. You may configure your web browser to detect or disable cookies; however, disabling cookies may affect the functionality and user experience of this site.
By continuing to use this website, you consent to our use of cookies in accordance with this cookie policy and our privacy policy. For more details about how we handle any information collected through our website, please refer to the full Privacy Policy.
SuccessLink Outsourcing, LLC
99 S Almaden Blvd, San Jose CA 95113, United States
Toll-Free Number 888-276-1670
FAX: 800-696-1437
