EU Safe Harbor Policy

Introduction

MongoHQ is a full service cloud database hosting provider that focuses on simplicity, reliability, and security of customer data. Protecting consumer privacy is important to MongoHQ (hereinafter collectively referred to as the “Company,” “we,” “us” or “our”).

Accordingly, MongoHQ complies with the U.S.-EU Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce (hereinafter collectively referred to as the “Safe Harbor Principles”, “Principles”) regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. MongoHQ has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Safe Harbor program, and to view MongoHQ's certification, please visit http://www.export.gov/safeharbor/.

The Company has a firm commitment to adhere to the Safe Harbor privacy principles and the 15 FAQs that make up the applicable Safe Harbor Framework(s). As such, if there is any conflict between the policies in this privacy policy and the Safe Harbor Principles, the Safe Harbor Principles shall govern. This privacy policy outlines our general policy and practices for implementing the Principles, including the types of information we manage, and our role as a Data Processor facilitating notices and choices that affected individuals have regarding Customer use, and an individual’s ability to correct that information. MongoHQ facilitates this process by providing an open and transparent data access layer to help customers comply with the European Union’s Directive 95/46/EC on data privacy (hereinafter referred to as the “Directive”). To learn more about the EU Directives, please visit http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML.

We self-certify compliance with
MongoHQ Safe Harbor Policy

Definitions

“Customers” refers to direct users of MongoHQ's services, who have signed up for a MongoHQ account, and allow MongoHQ to store their data.

“Personal Data” or “Information” means information that (1) is transferred from the EU to the United States; (2) is recorded in any form; (3) is about, or pertains to a specific individual; (4) can be linked to that individual; and (5) does not apply to information collected by MongoHQ directly about MongoHQ’s customers. For information regarding our use, disclosure and handling of information we collect directly from our customers located in the European Union, please see the MongoHQ Privacy Statement located at http://docs.mongohq.com/policies/privacy.html.

“Sensitive Personal Data” means personal data that reveals race, ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership or that concerns an individual’s health.

“Safe Harbor Principles” or “Principles” means both the European Union Safe Harbor Framework and the U.S.-Swiss Safe Harbor Frameworks published by the U.S. Department of Commerce. For more information regarding the Safe Harbor Principles and the Directive, please visit http://www.export.gov/safeharbor/. 

Data Processor

MongoHQ acts as a cloud data storage provider offering to its Customers a cloud-based hosted, and/or remotely managed database solution. Thus MongoHQ provides hosting services on its servers for Customers who need data storage for their software applications. MongoHQ does not own, control or direct the use of any of the Personal Data stored or processed by any Customer. Only the Customer is entitled to access, retrieve and direct the use of such Personal Data. MongoHQ is neither aware of nor responsible for what Personal Data is actually being stored and does not directly access such Personal Data except as authorized by the Customer or as necessary to provide services to the Customer. Except as provided in this Privacy Policy, MongoHQ does not independently cause stored Personal Data to be transferred or otherwise made available to third parties, except to third party subcontractors who function on behalf of the Company in connection with our provision of services to Customers. Instead, such actions are performed or authorized only by the applicable Customer. MongoHQ should be considered only as a processor on behalf of its Customers as to any Personal Data transferred from the European Union or Switzerland to the United States that is subject to the requirements of the Directive. The Customer is the “Data Controller” under the Directive; meaning that such party controls the manner Personal Data is collected and used as well as the determination of the purposes and means of the processing of such Personal Data. MongoHQ is not responsible for the content of the Personal Data or other information stored on its servers at the direction of the Customer nor is MongoHQ responsible for the manner in which the Customer collects, handles, discloses and distributes such Personal Data.

Data Controller

The Safe Harbor Principles require that those who collect and determine the purposes and the means of the processing of Personal Data adhere to certain requirements related to compliance with the Directive. The specific functions of a Data Controller depend on the laws of each EU member state. However, since MongoHQ does not collect or determine the use of any Personal Data stored on its servers, and since it does not determine the purposes for which such Personal Data is collected, the means of collecting such Personal Data, or the uses of such Personal Data, MongoHQ is not acting in the capacity of Data Controller and does not have the associated responsibilities under the Directive or the Safe Harbor Principles.

Customer Agreement and Security

MongoHQ and each Customer located in the European Union or Switzerland will enter into an agreement/contract that specifies each party’s role in complying with the Directive and the Safe Harbor Principles. Any such contract with an EU or Swiss Customer will also specify that the Customer is responsible for security measures with respect to its Personal Data stored on MongoHQ’s servers. Although MongoHQ has implemented commercially reasonable security measures to protect Personal Data stored on its servers, Customer is ultimately in control of whether the Personal Data is made available to third parties. MongoHQ will comply with Customer’s instructions with respect to the return, update or destruction of Personal Data stored on MongoHQ’s servers.

In its role as a processor of Personal Data on behalf of its Customers, MongoHQ is not able to or required to apply all of the Safe Harbor Principles to Personal Data subject to the Directive that is received for processing from Customers. Instead, MongoHQ’s role as a data processor is to assist the Customer, at the Customer’s request, in complying with its obligations under the Directive.

Notice

MongoHQ requires its Customers located in the European Union or Switzerland to comply with their obligations under the Directive prior to the transfer of any such Personal Data from the European Union or Switzerland to the United States, including, should the case arise, compliance with the obligations to provide notices and obtain consents of individuals about the purposes for which they collect and use Information, as required under the Directive with respect to Personal Data.

Choice

MongoHQ requires its EU Customers to provide individuals the opportunity to choose (opt out) whether their personal information will be (1) disclosed to a third party or (2) used for a purpose incompatible with the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive information, affirmative or explicit (opt in) choice must be given if the information is to be disclosed to a third party or used for a purpose other than its original purpose or the purpose authorized subsequently by the individual.

Onward Transfers

MongoHQ does not disclose any Personal Data to third parties that has been collected by its Customers, and provides an adequate level of privacy protection to prevent third party access to any such Information. MongoHQ also requires its Customers to disclose to individuals any such transfers of their own Personal Data to third parties, and allow the individual a choice (opt out) of such disclosure, as outlined in the Directive.

Access

MongoHQ allows for its Customers to respond to an individual’s request for access to their Personal Data and to allow the individual to correct, amend or delete inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated.

Security

The control, access, and security of the Personal Data stored on the MongoHQ servers is (1) in the direct and primary control of the Customer, and (2) subject to the security measures undertaken by the Customer. Subject to the foregoing, MongoHQ has in place information security procedures and commercially reasonable security measures designed to protect Personal Data stored on its servers from loss, misuse, unauthorized access, disclosure, alteration and destruction. Customers will be notified of any breach with respect to their stored Personal Data of security measures implemented by MongoHQ of which MongoHQ becomes aware.

Any compromise of security or potential compromise of security of which a Customer becomes aware and any inquiries concerning security should be reported promptly by such Customer to MongoHQ. Contact information is provided below.

Director of Customer Support, MongoHQ
And to:
support@mongohq.com

Data Integrity

MongoHQ is not authorized to access or manipulate Personal Data stored on its servers other than as necessary to provide services to a Customer or as otherwise permitted or directed by such Customer. MongoHQ takes reasonable steps to assure that Personal Data transferred from the European Union or Switzerland to the United States and stored on MongoHQ’s servers is maintained in a reliable, accurate and complete state, subject to any deficiencies in the state in which such Personal Data was received.

Enforcement

Individuals who wish to file a complaint or who take issue with MongoHQ’s EU/Swiss Safe Harbor Privacy Policy should direct such communication to the MongoHQ Director of Customer Support who can explain the process to be followed when filing a complaint. Should an individual be unable to resolve a complaint after having contacted the Privacy Administrator, that individual can contact the International Centre for Dispute Resolution of the American Arbitration Association at www.adr.org. This organization will provide independent dispute resolution in which MongoHQ will participate. MongoHQ is subject to the jurisdiction of the U.S. Federal Trade Commission, which may be contacted at the following address:

Federal Trade Commission

Attn: Consumer Response Center
600 Pennsylvania Avenue NW
Washington, D.C. 20580
consumerline@ftc.gov
http://www.ftc.gov

Limitations

MongoHQ’s adherence to the Safe Harbor Principles is limited to the extent permitted or required by applicable United States laws, rules or regulations.

Amendments

MongoHQ may update this Safe Harbor Privacy Policy from time to time to reflect changes in its services and Customer feedback, or as applicable laws change, and such changes shall become effective promptly after they are posted. MongoHQ encourages Customers to periodically review this EU Safe Harbor Privacy Policy to be informed of any changes.

This EU Safe Harbor Privacy Policy was last updated on: Dec 1, 2012.