IBM Privacy Shield Privacy Policy for Certified IBM Cloud Services


This Statement is effective as of September 29, 2016, and as modified effective December 18, 2020.

Advisory: 

On 16 July 2020, the Court of Justice of the European Union issued a judgment declaring as invalid the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Economic Area to the United States.

Please note that: (i) EU Standard Contractual Clauses (SCCs) remain a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Economic Area and the United Kingdom to the United States; and (ii) section 9 of the Data Sheet, which is referenced in section 2 of the Service Description for virtually every offering listed at the bottom of this web page, already includes the required reference to the SCCs (which states “…EU Standard Contractual Clauses signed by all IBM Data Importers, if applicable, are available at: https://www.ibm.com/software/sla/sladb.nsf/sla/eumc.”).

On 8 September 2020, the Swiss Federal Data Protection and Information Commissioner (FDPIC) issued a  position paper  following his annual re-assessment of the Swiss-US Privacy Shield Framework. The FDPIC’s new position is that although the Swiss-US Privacy Shield guarantees special protection rights for persons in Switzerland, it no longer provides an adequate level of protection for data transfer from Switzerland to the US pursuant to the Swiss Federal Act on Data Protection (FADP).

Special Note: While the EU-US and Swiss-US Privacy Shield Frameworks may no longer be used or relied upon for transfer of personal information, IBM continues to comply with all EU-US Privacy Shield Framework and Swiss-US Privacy Shield Framework obligations. Doing so demonstrates IBM’s serious commitment to protect personal information in accordance with a set of privacy principles that offer meaningful privacy protections and recourse for EU individuals. More information can be found here:US Department of Commerce (Program Overview), andUS Department of Commerce (FAQ #3).

This IBM Privacy Shield Privacy Policy for Cloud Services (the “Policy”) applies to the IBM Infrastructure-as-a-Service, Platform-as-a-Service, Software-as-a-Service, and other hosted offerings that are Privacy Shield certified (“Privacy Shield-Certified Cloud Services”). A list of these offerings is provided below; if an offering is not on this list, it is not covered by the IBM Privacy Shield.

As the Privacy Shield only applies to personal data transferred to the United States from those countries whose data protection laws recognize Privacy Shield as a valid mechanism for such cross-border transfers, this Statement only applies to:

  1. such personal data hosted in the United States through the Privacy Shield-Certified Cloud Services; and
  2. select offerings when the data is hosted outside the United States but the Cloud Service processing is temporarily directed to a United States data center to enable continued availability and resiliency.

This Policy does not otherwise apply when clients choose to have their offering content hosted in other countries.

IBM’s Privacy Shield-Certified Cloud Services process content (which may include the personal data of individual end users) on behalf of enterprise clients. In this scenario, and as provided below, IBM may direct inquiries from individual end users to the enterprise client that oversees the use of their personal data.

IBM complies with the EU-U.S. Privacy Shield Framework  and the Swiss-U.S. Privacy Shield Framework (collectively Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred to the United States from those countries whose data protection laws recognize Privacy Shield as a valid mechanism for such cross-border transfers. IBM has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.

All personal data received from those countries whose data protection laws recognize Privacy Shield as a valid mechanism for such cross-border transfers in connection with Privacy Shield-Certified Cloud Services is subject to the Privacy Shield principles as described in the EU-U.S. Privacy Shield Framework and the Swiss-US Privacy Shield Framework, which applies to all IBM affiliates that process personal data associated with Privacy Shield-Certified Cloud Services.

To learn more about the Privacy Shield Program, or to view the certification applicable to certain IBM Cloud Services, please visit www.privacyshield.gov.

Personal Data: Types and Purpose for Use

The types of personal data that Privacy Shield-Certified Cloud Services collect will vary based on the type and nature of each offering, and is described in its offering documentation (searchable via this link) or as otherwise provided by IBM. IBM uses such personal data as needed to deliver the Cloud Service, along with additional purposes that may be described in the corresponding TD or Attachment.

Use of Subprocessors

IBM may use processors and subprocessors (including personnel and resources) in locations worldwide to deliver the Cloud Services. A list of subprocessors is available upon request. If IBM subcontracts the performance of any of the Cloud Services pursuant to any Attachment or TD, IBM will be liable to the Client for the acts and omissions of IBM subcontractors as if they were the acts or omissions of IBM under the agreement governing the Cloud Services (subject to the limits and exclusions of liability).

Regulatory Authority and Disclosures

IBM is subject to investigatory and enforcement powers of the Federal Trade Commission in the United States in connection with its Privacy Shield program. IBM may also be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Additional Information for End Users
If end users have any questions or complaints concerning IBM’s processing of personal data on behalf of an IBM enterprise client, they are invited to contact the enterprise client directly, or they may contact IBM by using this form. End users who wish to access the personal data that IBM hosts on behalf of an enterprise client, or to make choices concerning their data, are invited to contact the enterprise client directly.

Dispute Resolution

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) athttps://feedback-form.truste.com/watchdog/request. In addition, and as described in the Privacy Shield Principles, you may also have the option of invoking binding arbitration after other dispute resolution procedures have been exhausted.

Account Data

Account data -- i.e. all information about IBM’s clients or their users provided to or collected by IBM (including through tracking and other technologies, such as cookies) – is covered by the IBM Online Privacy Statement, available at www.ibm.com/us-en/privacy/details/.

Privacy Shield-Certified Cloud Services

  • Applications Management for Oracle on Any Cloud
  • Applications Management for SAP Solutions on Any Cloud
  • Applications Management for SAP Solutions on IBM Cloud (formerly known as "IBM Cloud for SAP Solutions")
  • GitHub Enterprise on IBM Cloud Dedicated
  • IBM Alert Notification
  • IBM Analytics Engine (Also known as "IAE")
  • IBM Analytics Engine (Also known as "IBM Analytics Engine PPA Subscription")
  • IBM API Connect for IBM Cloud
  • IBM API Connect Test and Monitor on Cloud (also known as "IBM API Connect Test and Monitor")
  • IBM App Connect on IBM Cloud (formerly known as IBM App Connect)
  • IBM App Connect Professional (also known as "IBM App Connect Professional on Cloud")
  • IBM Aspera on Cloud
  • IBM Blockchain Platform on IBM Cloud Standard Plan (IBP)
  • IBM Blueworks Live
  • IBM Business Automation Content Analyzer on Cloud (BACAoC)
  • IBM Business Automation Content Services on Cloud
  • IBM Business Automation Workflow on Cloud
  • IBM Business Process Manager Hybrid Entitlement
  • IBM Business Process Manager on Cloud
  • IBM Business Process Manager on Cloud Express
  • IBM Call Center
  • IBM Clinical Development
  • IBM Clinical Trial Management System for Sites
  • IBM Cloud App ID
  • IBM Cloud App Service (also known as "Developer Experience")
  • IBM Cloud Application Performance Management
  • IBM Cloud Block Storage for Virtual Private Cloud (also known as "IBM Cloud Block Storage for VPC")
  • IBM Cloud Certificate Manager
  • IBM Cloud Container Registry
  • IBM Cloud Continuous Delivery Dedicated
  • IBM Cloud Continuous Delivery Public
  • IBM Cloud Databases for DataStax
  • IBM Cloud Databases for Elasticsearch
  • IBM Cloud Databases for EnterpriseDB
  • IBM Cloud Databases for etcd
  • IBM Cloud Databases for MongoDB
  • IBM Cloud Databases for PostgreSQL
  • IBM Cloud Databases for Redis
  • IBM Cloud DNS Services (dns-svcs)
  • IBM Cloud Event Management
  • IBM Cloud for Oracle Solutions
  • IBM Cloud for SAP Applications
  • IBM Cloud for VMware Solutions
     

    IBM Cloud for VMware Solutions specifically includes:

    • VMware vCenter Server on IBM Cloud
    • VMware vSphere on IBM Cloud
    • NetApp ONTAP Select
    • Single-node Trial for Migration and App Modernization
    • Single-node Trial for Data Protection and Disaster Recovery

    • Caveonix RiskForesight on IBM Cloud
    • IBM Cloud Private Hosted
    • FortiGate Security Appliance on IBM Cloud
    • FortiGate Virtual Appliance on IBM Cloud
    • F5 on IBM Cloud
    • IBM Cloud Secure Virtualization
    • HyTrust CloudControl on IBM Cloud
    • HyTrust DataControl on IBM Cloud
    • HyTrust KeyControl on IBM Cloud
    • KMIP for VMware on IBM Cloud
    • IBM Spectrum Protect Plus on IBM Cloud
    • Veeam on IBM Cloud
    • Zerto on IBM Cloud
       
  • IBM Cloud Functions
  • IBM Cloud Hyper Protect Crypto Services
  • IBM Cloud Hyper Protect DBaaS
     

    IBM Cloud for Hyper Protect DBaaS specifically includes:

    • IBM Cloud Hyper Protect DBaaS for MongoDB
    • IBM Cloud Hyper Protect DBaaS for PostgreSQL
       
  • IBM Cloud Hyper Protect Virtual Servers
  • IBM Cloud Identity Service
  • IBM Cloud Infrastructure Services (Infrastructure Services in IBM Cloud specifically are bare metal and virtual servers, networking, storage, and security services)
  • IBM Cloud Internet Services
  • IBM Cloud Kubernetes Service (formerly known as "IBM Cloud Container Service")
  • IBM Cloud Managed Services (CMS) (Note: This offering is no longer being sold. Only supporting existing clients)
  • IBM Cloud Messages for RabbitMQ
  • IBM Cloud Object Storage
  • IBM Cloud Object Storage (IaaS)
  • IBM Cloud Object Storage Dedicated IBM Managed
  • IBM Cloud Platform - Public
  • IBM Cloud Schematics
  • IBM Cloud Security Advisor
  • IBM Cloud SQL Query
  • IBM Cloud Virtual Private Cloud (NextGen)
  • IBM Cloud Virtual Private Cloud on Classic (GC)
  • IBM Cloud Virtual Server for VPC (NextGen)
  • IBM Cloud Virtual Server for VPC on Classic (also known as "IBM Cloud Virtual Server for Virtual Private Cloud")
  • IBM Cloudant Dedicated Cluster
  • IBM Cloudant for IBM Cloud
  • IBM Cloudant on Transaction Engine
  • IBM Cognos Analytics on Cloud Hosted (formerly known as "IBM Cognos Analytics on Cloud Dedicated")
  • IBM Cognos Analytics on Cloud
  • IBM Cognos Controller on Cloud
  • IBM Cognos Dashboard Embedded
  • IBM Commerce on Cloud (also known as "IBM Commerce on Cloud – Commerce Service" and "IBM Commerce Service Hosted")
  • IBM Compose Enterprise
  • IBM Compose Enterprise Paygo
  • IBM Compose for Elasticsearch for IBM Cloud
  • IBM Compose for etcd for IBM Cloud
  • IBM Compose for JanusGraph for IBM Cloud
  • IBM Compose for MongoDB for IBM Cloud
  • IBM Compose for MySQL for IBM Cloud
  • IBM Compose for PostgreSQL for IBM Cloud
  • IBM Compose for RabbitMQ for IBM Cloud
  • IBM Compose for Redis for IBM Cloud
  • IBM Compose for RethinkDB for IBM Cloud
  • IBM Compose for ScyllaDB for IBM Cloud
  • IBM Comprehend Services
  • IBM Content Foundation on Cloud
  • IBM Content Manager OnDemand on Cloud
  • IBM CPQ
  • IBM Datacap on Cloud
  • IBM DB2 on Cloud
     

    IBM DB2 on Cloud specifically includes:

    • IBM DB2 on Cloud (5737-C74)
    • IBM DB2 on Cloud Paygo (5737-C73)
       
  • IBM DB2 Warehouse on Cloud
     

    IBM DB2 Warehouse on Cloud specifically includes:

    • IBM DB2 Warehouse on Cloud (5725-U38)
    • IBM DB2 Warehouse on Cloud Paygo (5725-R65)
       
  • IBM Decision Composer
  • IBM Decision Optimization on Cloud
  • IBM Digital Business Automation on Cloud (DBAoC)
  • IBM Document Conversion Service
  • IBM Emptoris Contract Management (also known as "IBM Emptoris Contract Management on Cloud")
  • IBM Emptoris Program Management (also known as "IBM Emptoris Program Management SaaS" or "IBM Emptoris Program Management on Cloud")
  • IBM Emptoris Sourcing (also known as "IBM Emptoris Sourcing on Cloud" and "IBM Emptoris Sourcing SaaS")
  • IBM Emptoris Spend Analysis (also known as "IBM Emptoris Spend Analysis on Cloud" and "IBM Emptoris Spend Analysis SaaS")
  • IBM Emptoris Supplier Lifecycle Management (also known as "IBM Emptoris Supplier Lifecycle Management on Cloud" and "IBM Emptoris Supplier Lifecycle Management SaaS")
  • IBM Engineering Lifecycle Management Base SaaS (previously known as "IBM Collaborative Lifecycle Management on Cloud")
     

    IBM Engineering Lifecycle Management Base SaaS specifically includes:

    • IBM Engineering Requirements Management DOORS Next SaaS (previously known as "IBM DOORS Next Generation on Cloud")
    • IBM Engineering Test Management SaaS (previously known as "IBM Rational Quality Manager on Cloud")
    • IBM Engineering Workflow Management SaaS (previously known as "IBM Team Concert on Cloud")
       
  • IBM Engineering Lifecycle Management Extended SaaS (previously known as "IBM IoT Continuous Engineering on Cloud")
     

    IBM Engineering Lifecycle Management Extended SaaS specifically includes:

    • IBM Engineering Requirements Management DOORS Next SaaS (previously known as "IBM DOORS Next Generation on Cloud")
    • IBM Engineering Test Management SaaS (previously known as "IBM Rational Quality Manager on Cloud")
    • IBM Engineering Workflow Management SaaS (previously known as "IBM Team Concert on Cloud")
    • IBM Engineering Lifecycle Optimization – Engineering Insights SaaS (previously known as "IBM Engineering Lifecycle Manager on Cloud")
    • IBM Engineering Systems Design Rhapsody – Model Manager SaaS (previously known as "IBM Rhapsody Design Manager on Cloud")
       
  • IBM Enterprise Content Delivery Network (formerly known as "IBM Cloud Video Enterprise Content Delivery Network")
  • IBM Event Streams for IBM Cloud (Enterprise)
  • IBM Event Streams for IBM Cloud (Standard)
  • IBM Facilities and Real Estate Management on Cloud (TRIRIGA)
  • IBM Facilities and Real Estate Management on Cloud Flex (TRIRIGA)
  • IBM ILOG CPLEX Optimization Studio Subscription
  • IBM Informix on Cloud
  • IBM Integration Services-Standard
  • IBM IoT Connected Vehicle Insights (formerly known as "IBM IoT for Automotive")
  • IBM Kenexa BrassRing (also known as "IBM Kenexa Talent Acquisition BrassRing")
  • IBM Kenexa LCMS Premier on Cloud
  • IBM Kenexa Lead Manager (part of IBM Kenexa Talent Acquisition)
  • IBM Kenexa LMS on Cloud
  • IBM Kenexa Onboard on Cloud (also known as "IBM Kenexa Talent Acquisition Onboard")
  • IBM Key Protect for IBM Cloud
  • IBM MaaS360
  • IBM Managed Security Services (MSS)
  • IBM Master Data Management on Cloud
  • IBM Maximo Application Suite Managed Service
  • IBM Maximo Asset Performance Management for Energy & Utilities SaaS (formerly known as "IBM IoT for Energy and Utilities on Cloud")
  • IBM Maximo EAM SaaS
  • IBM Maximo EAM SaaS Flex [formerly known as "IBM Enterprise Asset Management on Cloud (Maximo)"]
  • IBM Maximo MRO Inventory Optimization (on IBM Cloud)
  • IBM Maximo Worker Insights
  • IBM Mobile Foundation (also known as "IBM MobileFirst Platform Foundation")
  • IBM MQ on Cloud (pre-pay)
  • IBM MQ on IBM Cloud (pay-as-you-go)
  • IBM Multicloud Management Services - MCMS for Regulatory (formerly known as "Integrated Managed Infrastructure for Regulatory")
  • IBM Operational Decision Manager on Cloud
  • IBM Order Management
  • IBM Partner Engagement Manager
  • IBM Planning Analytics (formerly known as "IBM TM1/Planning Analytics")
  • IBM Push Notifications for IBM Cloud
  • IBM QRadar on Cloud (Formerly IBM Security Intelligence on Cloud)
  • IBM Secure Gateway for IBM Cloud (formerly known as "IBM Secure Gateway on Bluemix")
  • IBM Security Verify (formerly known as "IBM Cloud Identity Connect" or "IBM Cloud Identity")
  • IBM SmartCloud for Managed Application Services (SC4MAS 2012.1)
  • IBM SPSS Modeler Subscription (also known as "IBM Watson Studio Desktop Subscription")
  • IBM SPSS Statistics Subscription
  • IBM Sterling B2B Services – File Transfer Service
  • IBM Storage Insights
  • IBM Store Engagement
  • IBM Streaming Analytics for IBM Cloud
  • IBM Supply Chain Business Network (SCBN)
     

    SCBN specifically includes:

    • Essential Edition
    • Standard Edition
    • Premium Edition
       
  • IBM Surveillance Insight for Financial Services on Cloud
  • IBM Talent Assessments (formerly known as "IBM Kenexa Assessments on Cloud")
  • IBM TRIRIGA Building Insights
  • IBM Trusteer Mobile SDK
  • IBM Trusteer Mobile Secure Browser
  • IBM Trusteer Pinpoint
     

    IBM Trusteer Pinpoint specifically includes:

    • IBM Trusteer Pinpoint Detect
    • IBM Trusteer Pinpoint Criminal Detection
    • IBM Trusteer Pinpoint Malware Detection
       
  • IBM Trusteer Rapport (also known as "IBM Security Trusteer Rapport")
  • IBM Trusteer Rapport Remediation
  • IBM Voice Agent with Watson
  • IBM Watson Annotator for Clinical Data
  • IBM Watson Care Manager
  • IBM Watson Compare and Comply Service
  • IBM Watson For Oncology
  • IBM Watson IoT Platform
  • IBM Watson Knowledge Catalog
     

    IBM Watson Knowledge Catalog specifically includes:

    • IBM Watson Knowledge Catalog (5900-A1L)
    • IBM Watson Knowledge Catalog Paygo (5900-A17)
       
  • IBM Watson Machine Learning (Also known as "IBM Watson Machine Learning (SQO)")
  • IBM Watson Machine Learning Service (Also known as "Watson ML")
  • IBM Watson Natural Language Understanding
  • IBM Watson Speech to Text Service
  • IBM Watson Studio (Also known as "IBM Watson Studio Enterprise")
  • IBM Watson Studio Paygo (Also known as "IBM Watson Studio Paygo (Bluemix)")
  • IBM Watson Supply Chain Insights
  • IBM Watson Text to Speech Service
  • IBM Watson Visual Recognition
  • IBM X-Force Exchange
  • OpenPages with Watson on Cloud (formerly known as "OpenPages GRC on Cloud")
  • Watson Assistant