IBM Privacy Shield Privacy Policy for Certified IBM Cloud Services


This Statement is effective as of September 29, 2016, and as modified effective September 22, 2020.

Advisory: 

On 16 July 2020, the Court of Justice of the European Union issued a judgment declaring as invalid the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Economic Area to the United States.

Please note that: (i) EU Standard Contractual Clauses (SCCs) remain a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Economic Area and the United Kingdom to the United States; and (ii) section 9 of the Data Sheet, which is referenced in section 2 of the Service Description for virtually every offering listed at the bottom of this web page, already includes the required reference to the SCCs (which states “…EU Standard Contractual Clauses signed by all IBM Data Importers, if applicable, are available at: https://www.ibm.com/software/sla/sladb.nsf/sla/eumc.”).

On 8 September 2020, the Swiss Federal Data Protection and Information Commissioner (FDPIC) issued a  position paper  following his annual re-assessment of the Swiss-US Privacy Shield Framework. The FDPIC’s new position is that although the Swiss-US Privacy Shield guarantees special protection rights for persons in Switzerland, it no longer provides an adequate level of protection for data transfer from Switzerland to the US pursuant to the Swiss Federal Act on Data Protection (FADP). Nevertheless, it is important to understand that the FDPIC’s assessment alone has no influence on the continued existence of the Swiss-US Privacy Shield Framework, and as such, the Swiss-US Privacy Shield Framework formally remains, at least for the time being, an option for transferring personal data from Switzerland to the United States unless otherwise revoked by the U.S. Department of Commerce. With that said, the FDPIC’s new position will certainly discourage use of the Swiss-US Privacy Shield as a cross border transfer mechanism.

This IBM Privacy Shield Privacy Policy for Cloud Services (the “Policy”) applies to the IBM Infrastructure-as-a-Service, Platform-as-a-Service, Software-as-a-Service, and other hosted offerings that are Privacy Shield certified (“Privacy Shield-Certified Cloud Services”). A list of these offerings is provided below; if an offering is not on this list, it is not covered by the IBM Privacy Shield.

As the Privacy Shield only applies to personal data transferred to the United States from those countries whose data protection laws recognize Privacy Shield as a valid mechanism for such cross-border transfers, this Statement only applies to:

  1. such personal data hosted in the United States through the Privacy Shield-Certified Cloud Services; and
  2. select offerings when the data is hosted outside the United States but the Cloud Service processing is temporarily directed to a United States data center to enable continued availability and resiliency.

This Policy does not otherwise apply when clients choose to have their offering content hosted in other countries.

IBM’s Privacy Shield-Certified Cloud Services process content (which may include the personal data of individual end users) on behalf of enterprise clients. In this scenario, and as provided below, IBM may direct inquiries from individual end users to the enterprise client that oversees the use of their personal data.

IBM complies with the EU-U.S. Privacy Shield Framework  and the Swiss-U.S. Privacy Shield Framework (collectively Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred to the United States from those countries whose data protection laws recognize Privacy Shield as a valid mechanism for such cross-border transfers. IBM has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

All personal data received from those countries whose data protection laws recognize Privacy Shield as a valid mechanism for such cross-border transfers in connection with Privacy Shield-Certified Cloud Services is subject to the Privacy Shield principles as described in the EU-U.S. Privacy Shield Framework and the Swiss-US Privacy Shield Framework, which applies to all IBM affiliates that process personal data associated with Privacy Shield-Certified Cloud Services.

To learn more about the Privacy Shield Program, or to view the certification applicable to certain IBM Cloud Services, please visit www.privacyshield.gov.

Personal Data: Types and Purpose for Use

The types of personal data that Privacy Shield-Certified Cloud Services collect will vary based on the type and nature of each offering, and is described in its offering documentation (searchable via this link) or as otherwise provided by IBM. IBM uses such personal data as needed to deliver the Cloud Service, along with additional purposes that may be described in the corresponding TD or Attachment.

Use of Subprocessors

IBM may use processors and subprocessors (including personnel and resources) in locations worldwide to deliver the Cloud Services. A list of subprocessors is available upon request. If IBM subcontracts the performance of any of the Cloud Services pursuant to any Attachment or TD, IBM will be liable to the Client for the acts and omissions of IBM subcontractors as if they were the acts or omissions of IBM under the agreement governing the Cloud Services (subject to the limits and exclusions of liability).

Regulatory Authority and Disclosures

IBM is subject to investigatory and enforcement powers of the Federal Trade Commission in the United States in connection with its Privacy Shield program. IBM may also be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Additional Information for End Users
If end users have any questions or complaints concerning IBM’s processing of personal data on behalf of an IBM enterprise client, they are invited to contact the enterprise client directly, or they may contact IBM by using this form. End users who wish to access the personal data that IBM hosts on behalf of an enterprise client, or to make choices concerning their data, are invited to contact the enterprise client directly.

Dispute Resolution

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at  https://feedback-form.truste.com/watchdog/request . In addition, and as described in the Privacy Shield Principles, you may also have the option of invoking binding arbitration after other dispute resolution procedures have been exhausted.

Account Data

Account data -- i.e. all information about IBM’s clients or their users provided to or collected by IBM (including through tracking and other technologies, such as cookies) – is covered by the IBM Online Privacy Statement, available at www.ibm.com/us-en/privacy/details/.

Privacy Shield-Certified Cloud Services

  • Applications Management for Oracle on Any Cloud
  • Applications Management for SAP Solutions on Any Cloud
  • GitHub Enterprise on IBM Cloud Dedicated
  • IBM Alert Notification (also known as IBM Alert Notification for Bluemix and IBM Alert Notification for Marketplace)
  • IBM Analytics Engine
  • IBM API Connect for IBM Cloud (formerly known as IBM API Connect for Bluemix)
  • IBM API Connect Test and Monitor on Cloud (also known as IBM API Connect Test and Monitor)
  • IBM App Connect on IBM Cloud (formerly known as IBM App Connect)
  • IBM App Connect Professional (also known as IBM App Connect Professional on Cloud)
  • IBM Aspera on Cloud
  • IBM B2B Integration Services
  • IBM Blockchain Platform (IBP)
  • IBM Blueworks Live
  • IBM Business Automation Content Analyzer on Cloud (BACAoC)
  • IBM Business Automation Content Services on Cloud
  • IBM Business Automation Workflow on Cloud
  • IBM Business Process Manager Hybrid Entitlement
  • IBM Business Process Manager on Cloud
  • IBM Call Center
  • IBM Clinical Development
  • IBM Clinical Trial Management System for Sites
  • IBM Cloud Activity Tracker (also known as Argonauts - IBM Cloud Activity Tracker)
  • IBM Cloud App ID
  • IBM Cloud App Service (also known as Developer Experience)
  • IBM Cloud Application Performance Management
  • IBM Cloud Block Storage for Virtual Private Cloud (also known as IBM Cloud Block Storage for VPC)
  • IBM Cloud Certificate Manager
  • IBM Cloud Container Registry
  • IBM Cloud Continuous Delivery Dedicated
  • IBM Cloud Continuous Delivery Public
  • IBM Cloud Databases for DataStax
  • IBM Cloud Database for EnterpriseDB
  • IBM Cloud Databases for Elasticsearch
  • IBM Cloud Databases for etcd
  • IBM Cloud Databases for MongoDB
  • IBM Cloud Databases for PostgreSQL
  • IBM Cloud Databases for Redis
  • IBM Cloud DevOps Insights
  • IBM Cloud DNS Services
  • IBM Cloud Event Management (also known as IBM Cloud Event Management in Bluemix and IBM Cloud Event Management for Marketplace)
  • IBM Cloud for Oracle Solutions
  • IBM Cloud for SAP Applications
  • IBM Cloud for SAP Solutions [formerly known as IBM Cloud for SAP Applications (IC4SAP)]
  • IBM Cloud for VMware Solutions


IBM Cloud for VMware Solutions specifically includes:

  • Caveonix RiskForesight on IBM Cloud
  • F5 on IBM Cloud
  • FortiGate Security Appliance on IBM Cloud
  • FortiGate Virtual Appliance on IBM Cloud
  • HyTrust CloudControl on IBM Cloud
  • HyTrust DataControl on IBM Cloud
  • HyTrust KeyControl on IBM Cloud
  • IBM Cloud Private Hosted
  • IBM Cloud Secure Virtualization
  • IBM Spectrum Protect Plus on IBM Cloud
  • KMIP for VMware on IBM Cloud
  • NetApp ONTAP Select
  • Single-node Trial for Data Protection and Disaster Recovery
  • Single-node Trial for Migration and App Modernization
  • Veeam on IBM Cloud
  • VMware vCenter Server on IBM Cloud
  • VMware vSphere on IBM Cloud
  • Zerto on IBM Cloud
     
  • IBM Cloud Foundry Enterprise Environment
  • IBM Cloud Functions (also known as Argonauts - IBM Cloud Functions)
  • IBM Cloud Hyper Protect Crypto Services
  • IBM Cloud Hyper Protect DBaaS


IBM Cloud Hyper Protect DBaaS specifically includes:

  • IBM Cloud Hyper Protect DBaaS for MongoDB
  • IBM Cloud Hyper Protect DBaaS for PostgreSQL
     
  • IBM Cloud Hyper Protect Virtual Server
  • IBM Cloud Identity (formerly known as IBM Cloud Identity Connect)
  • IBM Cloud Identity Service
  • IBM Cloud Infrastructure Services (Infrastructure Services in IBM Cloud specifically are bare metal and virtual servers, networking, storage, and security services)
  • IBM Cloud Internet Services
  • IBM Cloud Kubernetes Service (formerly known as IBM Cloud Container Service)
  • IBM Cloud Managed Services (CMS)
  • IBM Cloud Messages for RabbitMQ
  • IBM Cloud Object Storage
  • IBM Cloud Object Storage (IaaS)
  • IBM Cloud Object Storage Dedicated
  • IBM Cloud Platform
  • IBM Cloud Schematics
  • IBM Cloud Security Advisor
  • IBM Cloud SQL Query
  • IBM Cloud Virtual Private Cloud GC
  • IBM Cloud Virtual Private Cloud NextGen
  • IBM Cloud Virtual Server for Virtual Private Cloud (also known as IBM Cloud Virtual Server for VPC on Classic)
  • IBM Cloudant Dedicated Cluster
  • IBM Cloudant for IBM Cloud
  • IBM Cognos Analytics on Cloud Dedicated
  • IBM Cognos Analytics on Cloud
  • IBM Cognos Controller on Cloud
  • IBM Commerce on Cloud (also known as IBM Commerce on Cloud – Commerce Service and IBM Commerce Service Hosted)
  • IBM Compose Enterprise
  • IBM Compose Enterprise Paygo
  • IBM Compose for Elasticsearch for IBM Cloud
  • IBM Compose for etcd for IBM Cloud
  • IBM Compose for JanusGraph for IBM Cloud
  • IBM Compose for MongoDB for IBM Cloud
  • IBM Compose for MySQL for IBM Cloud
  • IBM Compose for PostgreSQL for IBM Cloud
  • IBM Compose for RabbitMQ for IBM Cloud
  • IBM Compose for Redis for IBM Cloud
  • IBM Compose for RethinkDB for IBM Cloud
  • IBM Compose for ScyllaDB for IBM Cloud
  • IBM Comprehend Services
  • IBM Content Foundation on Cloud
  • IBM Content Manager OnDemand on Cloud
  • IBM CPQ
  • IBM Datacap on Cloud
  • IBM DB2 on Cloud
  • IBM DB2 Warehouse on Cloud
  • IBM Decision Composer
  • IBM Document Conversion Service
  • IBM Emptoris Contract Management on Cloud
  • IBM Emptoris Edge Delivery Web Application Accelerator
  • IBM Emptoris Program Management on Cloud
  • IBM Emptoris Services Procurement
  • IBM Emptoris Sourcing on Cloud
  • IBM Emptoris Spend Analysis on Cloud
  • IBM Emptoris Supplier Lifecycle Management on Cloud
  • IBM Engineering Lifecycle Management Base SaaS (previously known as IBM Collaborative Lifecycle Management on Cloud)


This cloud service specifically includes:

  • IBM Engineering Requirements Management DOORS Next SaaS (previously known as IBM DOORS Next Generation on Cloud)
  • IBM Engineering Test Management SaaS (previously known as IBM Rational Quality Manager on Cloud)
  • IBM Engineering Workflow Management SaaS (previously known as IBM Team Concert on Cloud)
     
  • IBM Engineering Lifecycle Management Extended SaaS (previously known as IBM IoT Continuous Engineering on Cloud)


This cloud service specifically includes:

  • IBM Engineering Requirements Management DOORS Next SaaS (previously known as IBM DOORS Next Generation on Cloud)
  • IBM Engineering Test Management SaaS (previously known as IBM Rational Quality Manager on Cloud)
  • IBM Engineering Workflow Management SaaS (previously known as IBM Team Concert on Cloud)
  • IBM Engineering Lifecycle Optimization – Engineering Insights SaaS (previously known as IBM Engineering Lifecycle Manager on Cloud)
  • IBM Engineering Systems Design Rhapsody – Model Manager SaaS (previously known as IBM Rhapsody Design Manager on Cloud)
     
  • IBM Enterprise Content Delivery Network (formerly known as IBM Cloud Video Enterprise Content Delivery Network)
  • IBM Event Streams for IBM Cloud (formerly known as IBM Message Hub for IBM Cloud or IBM Message Hub)
  • IBM Event Streams for IBM Cloud (Enterprise)
  • IBM Facilities and Real Estate Management on Cloud (TRIRIGA)
  • IBM Facilities and Real Estate Management on Cloud Flex (TRIRIGA)
  • IBM Geospatial Analytics for IBM Cloud (formerly IBM Geospatial Analytics for Bluemix)
  • IBM Globalization Pipeline for IBM Cloud
  • IBM ILOG CPLEX Optimization Studio Subscription
  • IBM Informix on Cloud
  • IBM Integration Services-Standard
  • IBM IoT Connected Vehicle Insights (formerly known as IBM IoT for Automotive)
  • IBM IoT for Electronics
  • IBM IoT Platform (formerly known as IBM IoT Connection Service)
  • IBM Kenexa BrassRing (also known as "IBM Kenexa Talent Acquisition BrassRing")
  • IBM Kenexa LCMS Premier on Cloud
  • IBM Kenexa Lead Manager
  • IBM Kenexa LMS on Cloud
  • IBM Kenexa Skills Manager on Cloud (formerly known as IBM Kenexa Skills Manager)
  • IBM Kenexa Talent Acquisition (formerly known as IBM Kenexa Talent Acquisition Suite)
  • IBM Key Protect for IBM Cloud
  • IBM Log Analysis (also known as IBM Cloud Log Analysis and/or Argonauts - IBM Cloud Log Analysis)
  • IBM MaaS360
  • IBM Managed Security Services (MSS)
  • IBM Master Data Management on Cloud
  • IBM Maximo Application Suite Managed Service
  • IBM Maximo Asset Performance Management for Energy & Utilities SaaS (formerly known as IBM IoT for Energy and Utilities on Cloud)
  • IBM Maximo EAM SaaS
  • IBM Maximo EAM SaaS Flex [formerly known as IBM Enterprise Asset Management on Cloud (Maximo)]
  • IBM Maximo Production Quality Insights SaaS Acoustic Insights (also known as IBM Acoustic Insights)
  • IBM Maximo Production Quality Insights SaaS Prescriptive Quality (also known as IBM Prescriptive Quality for Manufacturing)
  • IBM Maximo Production Quality Insights SaaS Visual Insights (also known as IBM Visual Insights)
  • IBM Maximo Worker Insights (formerly known as IBM IoT Worker and Home Insights and/or IBM Internet of Things for Insurance)
  • IBM Mobile Foundation (also known as IBM MobileFirst Platform Foundation)
  • IBM MQ on Cloud (pre-pay)
  • IBM MQ on IBM Cloud (pay-as-you-go)
  • IBM Multi-cloud Management Services - MCMS (formerly known as Integrated Managed Infrastructure for Regulatory)
  • IBM OpenPages with Watson on Cloud (formerly known as IBM OpenPages GRC on Cloud)
  • IBM Operational Decision Manager on Cloud
  • IBM Order Management
  • IBM Partner Engagement Manager
  • IBM Planning Analytics (formerly known as IBM TM1/Planning Analytics)
  • IBM Predictive Insights on Cloud
  • IBM PureApplication Services
  • IBM Push Notifications for IBM Cloud
  • IBM QRadar on Cloud (formerly IBM Security Intelligence on Cloud)
  • IBM Secure Gateway for IBM Cloud (formerly known as IBM Secure Gateway on Bluemix)
  • IBM SmartCloud for Managed Application Services (SC4MAS 2012.1)
  • IBM SPSS Modeler Subscription
  • IBM SPSS Statistics Subscription
  • IBM Sterling B2B Services – File Transfer Service
  • IBM Sterling B2B Services Collaboration Network
  • IBM Sterling B2B Services Reporting & Analytics
  • IBM Sterling e-Invoicing
  • IBM Sterling Web Forms
  • IBM Storage Insights (formerly known as IBM Spectrum Control Storage Insights)
  • IBM Store Engagement
  • IBM Streaming Analytics for IBM Cloud
  • IBM Supply Chain Business Network (SCBN)


SCBN specifically includes:

  • Essentials Edition
  • Standard Edition
  • Premium Edition
  • e-Invoicing Services
  • Synchronous Process & Process Enrichment Services
  • Document Conversion Services
  • IBM Web Forms
     
  • IBM Surveillance Insight for Financial Services on Cloud
  • IBM Talent Assessments (formerly known as IBM Kenexa Assessments on Cloud)
  • IBM Trusteer Mobile Browser
  • IBM Trusteer Mobile SDK
  • IBM Trusteer Pinpoint


IBM Trusteer Pinpoint specifically includes:

  • IBM Trusteer Pinpoint Detect
  • IBM Trusteer Pinpoint Criminal Detection
  • IBM Trusteer Pinpoint Malware Detection
     
  • IBM Trusteer Rapport (also known as IBM Security Trusteer Rapport)
  • IBM Trusteer Rapport Remediation
  • IBM Verse
  • IBM Voice Agent with Watson
  • IBM Watson Annotator for Clinical Data
  • IBM Watson Assistant
  • IBM Watson Candidate Assistant
  • IBM Watson Captioning
  • IBM Watson Care Manager
  • IBM Watson Commerce Insights
  • IBM Watson Compare and Comply
  • IBM Watson for Clinical Trial Matching
  • IBM Watson for Genomics
  • IBM Watson For Oncology
  • IBM Watson Internet of Things Platform (also known as IBM Watson IoT Platform)
  • IBM Watson Knowledge Catalog (WKC)


WKC specifically includes:

  • IBM Watson Knowledge Catalog (5900-A1L)
  • IBM Watson Knowledge Catalog Paygo (5900-A17)
     
  • IBM Watson Machine Learning
  • IBM Watson Machine Learning Services
  • IBM Watson Natural Language Understanding
  • IBM Watson OpenScale (formerly known as IBM AI OpenScale and/or IBM Watson AI OpenScale)
  • IBM Watson Recruitment
  • IBM Watson Speech to Text
  • IBM Watson Studio Enterprise (formerly known as IBM Watson Studio)
  • IBM Watson Studio Paygo
  • IBM Watson Supply Chain Insights
  • IBM Watson Text to Speech
  • IBM Watson Video Enrichment
  • IBM X-Force Exchange