Sapio Sciences LLC has certified with the EU-U.S. and Swiss-U.S. Privacy Shield with respect to the personal data we receive and process on behalf of our customers through our Exemplar LIMS+ELN software or consulting services. Sapio certifies that it adheres to the Privacy Shield Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement for personal data processed by our customers in the European Union, the United Kingdom and Switzerland. Our certification is available here.
The Federal Trade Commission (FTC) has jurisdiction over Sapio's compliance with the Privacy Shield.
Sapio's Exemplar software is intended to collect the data necessary to accomplish a customer's LIMS and ELN goals. This may include metrics/data used for proprietary laboratory goals, users' personal data such as name, title, email, and Protected Health Information (PHI) in some clinical instances. Exemplar also records an audit trail of all data changes made by users of the system and the date/time in which they were made.
We process Customer Data in accordance with Customer’s instructions, including any applicable terms in a customer’s agreement with Customer and Customer’s use of Exemplar's functionality, and as required by applicable law. Sapio Sciences is a processor of customer data and the customer is the controller. This data may be used to perform customer specific requirements of the software such as calculations, process tracking, sample, storage, and reagent inventory, etc., to follow the instructions of the customer who submitted the data, or in response to contractual requirements with our customers. This data is encrypted if Sapio Sciences provides the hosting. This data is in the control of the customer in the case where they install Exemplar on premise within their own administrator controlled environments.
Sapio Sciences uses a limited number of third party providers to assist in providing consulting and hosting services. These third party providers may be contractually requested by the customer or Sapio for consulting or IT services, or on behalf of Sapio to fulfill business requirements. We accept certain liability for data covered by Privacy Shield that is transferred to third parties on our behalf provided that data was not accessed improperly. The third parties are as follows:
- AWS Hosting: AWS Privacy
- Google Analytics: Google Privacy
- Zifo RnD Solutions: Zifo Privacy
- Stripe: Stripe Privacy
Sapio will not disclose/share personal information outside of these third party providers. Individuals may request that their personal information not be shared with these entities by contacting the customer who owns the Exemplar software that houses their data. Alternatively, individuals may also email email@example.com to make this request and Sapio will work with the customer to ensure steps to prevent their personal data from being accessed in accordance with the individual's request.
Questions or Complaints
If you are a resident of a European country participating in the Privacy Shield and you believe we maintain your personal data within the scope of this Privacy Shield certification, you may direct any questions or complaints concerning our Privacy Shield compliance to firstname.lastname@example.org or at our mailing address:
Sapio Sciences LLC
400 East Pratt St, Suite 800
Baltimore, MD 21202
We will work with you to resolve your issue.
We commit to cooperate with competent EU, Swiss and UK data protection authorities (DPAs) with regard to our customers end users’ human resources data and non-human resources data transferred from a European country participating in the Privacy Shield.
You may also be able to invoke binding arbitration for unresolved complaints but prior to initiating such arbitration, a resident of a European country participating in the Privacy Shield must first: (1) contact us and afford us the opportunity to resolve the issue; (2) seek assistance from the U.S. Department of Commerce (either directly or through a European Data Protection Authority) and afford the Department of Commerce time to attempt to resolve the issue. If such a resident invokes binding arbitration, each party shall be responsible for its own attorney’s fees. Please be advised that, pursuant to the Privacy Shield, the arbitrator(s) may only impose individual-specific, non-monetary, equitable relief necessary to remedy any violation of the Privacy Shield Principles with respect to the resident.
U.S. Federal Trade Commission Enforcement
Our Privacy Shield compliance is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
Right of Access
Personal data within Exemplar always adheres to access control policies set forth by the customer. Exemplar can be customized to limit any data to only specific users of the system including administrators, managers, or whatever other roles were configured within the system. Therefore, the right to access data is configurable for each customer allowing them to abide by any required laws.
Some international users (including those whose personal data is within the scope of this Privacy Shield certification) have certain legal rights to access certain personal data we hold about them and to obtain its correction, amendment or deletion. Our personnel have a limited ability to identify and access an individual user’s personal data that a customer has submitted through the Exemplar software. If you wish to request access, to limit use, or to limit disclosure, we may first refer your request to the customer who submitted your personal data, and we will support them as needed in responding to your request. This procedure is outlined below.
Initial requests to Sapio Sciences for data access, correction, amendment, or deletion by an individual with personal data held within an instance of the Exemplar software will be directed to the customer of the Exemplar software since they will administrate access control to their own data. The individual will be informed to contact the customer and Sapio will provide contact information if needed. The individual will be alerted to contact us again if they are unsuccessful in contacting and obtaining the needed data with the customer.
If the individual is unsuccessful in retrieving the needed data from the customer and contacts Sapio again, we will collect the individual's contact information and reason for the request. The individual will be informed that we will alert the customer to the request.
Sapio Sciences will make a best effort attempt to contact the customer on behalf of the individual and pass them the individual's information and request. We will alert the customer that the requesting individual was unsuccessful in retrieving the data through the customer previously. On many occasions, the customer will elect to the handle the rest of this for us.
In the event the customer passes the responsibility to Sapio Sciences to address the individual's request, we will contact the individual and request they provide verification of their identity by providing a scan of a government issued ID. The individual will be alerted that Sapio will retrieve the information on behalf of the customer.
Once the individual's ID is verified, we will provide the requesting individual with a csv copy of the requested data or will perform legally required actions as requested by the individual.
Requirement to Disclose
We may disclose personal data when we have a good faith belief that such action is necessary to: conform to legal requirements or to respond to lawful requests by public authorities, including to meet national security or law enforcement requirements; or to enforce our contractual obligations.