May 23, 2018; Revised January 2, 2020
Auric Systems International, a division of Appropriate Solutions, Inc. (ASI), is committed to ensuring your personal data is protected and not misused.
This letter is issued by ASI as a Data Processor under the guidelines of the European Union General Data Protection Regulation (EU GDPR). ASI also complies with the EU Privacy Shield Framework, the Swiss Privacy Shield Framework, and the Payment Card Industry Data Security Standard (PCI DSS) requirements. ASI has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.
This letter addresses the privacy of data stored and processed using ASI’s AuricVault® and PaymentVault™ APIs or related services including, but not limited to, Payments Passthrough, custom iFrame hosting, AuvProxy, and DataDip (the “Services”).
Please direct questions regarding ASI’s privacy and data security policy to our Data Protection Officer’s email: compliance@AuricSystems.com.
ASI is a Level 1 PCI DSS Validated Service Provider.
DATA YOU STORE WITH THE SERVICES
- The Services access un-encrypted plain text data only in the normal course of tokenization and detokenization.
- ASI does not perform any data processing on the stored data outside the normal course of tokenization and detokenization.
- ASI does not perform any data analysis on the stored data.
- The stored encrypted data is shared with Flexential, our Level 1 PCI compliant hosting provider who provides hosting, server management, and backup services.
- At no time does Flexential have access to un-encrypted personal data or the keys to decrypt that data.
- The Flexential hosting servers are based in the United States.
- ASI does not share your stored data with any additional party.
The legal basis for processing the data is the Services contract you have with ASI, the consent provided by you, the consent provided by your customer to you, or our legitimate interests, namely monitoring, providing support, and improving the Services.
METADATA WE COLLECT AND PROCESS
ASI Services collect metadata in logs for the following purposes:
- Providing you support
- Monitoring and performance metrics
- General operation of the Services
- Access metadata may be collected for each HTTPS web request to the Services.
This metadata may include:
- IP address making the request
- Geographical location
- Browser type and version
- URLs accessed
- HTTP response codes
- Information about the timing, frequency, and pattern of your Services use.
- The Services do not use HTTP Cookies or any other client-side tracking device.
Access metadata may also be collected by the Services’ back-end processing logs. This metadata may contain:
- The specific Services API being accessed
Services identifying credentials:
- Retention Period
- Your IP address
- Unique Trace ID
- JSON request ID
- Token ID
- Services response code
- Services response error messages
- Transaction speed
The Payments Passthrough service may collect additional data:
- Payment processor being accessed
- Card type being processed (Visa, Mastercard, etc.)
- Transaction amount
The Payments Passthrough service DOES NOT log the payment information sent through to the payment processor. The Payments Passthrough service DOES NOT log any personally identifiable payment information you provide within the transaction.
The Proxy4pci service may collect additional data:
- OTA being accessed
- Reservation Number
The Proxy4pci service DOES NOT log the reservation information received from the remote OTA service. The Proxy4pci service DOES NOT log any personally identifiable information.
The legal basis for processing the metadata is the Services contract you have with ASI, the consent provided by you, the consent provided by your customer to you, or our legitimate interests, namely monitoring, providing support, and improving the Services.
- Retention of the data stored within the Services is managed by you, either through manual deletion or setting a specific Retention Period when a token is stored.
- We may maintain database backups for up to six (6) months. These backups may contain data you have deleted from the Services.
- Metadata contained in logs is maintained for a period of one (1) year, in conformance with ASI’s responsibility as a Level 1 PCI DSS validated service provider.
To the extent that the legal basis for our processing of your personal information is consent, you have the right to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.
You may exercise any of your rights in relation to your personal data by written notice to us. Our email address for this purpose is compliance@AuricSystems.com.
Since the Company does not include, on a large scale, processing of special categories of data as referred to in Article 9(1) of the GDPR or processing of personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR, and is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing; it is not necessary for Company to have an EU-based GDPR representative per Article 27.
- The Services are owned and operated by Auric Systems International, a division of Appropriate Solutions, Inc.
- ASI is a registered New Hampshire, USA corporation with offices at 85 Grove Street, Peterborough, NH 03458.
- Our mailing address is PO Box 458, Peterborough, NH 03458-0458 USA.
- Our telephone number is 1-603-924-6079.
- Email to: compliance@AuricSystems.com.