Expedient Data Privacy Framework Principles


Expedient is a participant in the U.S. Department of Commerce’s EU-US Data Privacy Framework Principles program, the UK Extension to the EU-US Data Privacy Framework Principles, and the Swiss-US Data Privacy Framework Principles (together, the “Data Privacy Frameworks”) and has certified that it adheres to the Data Privacy Frameworks. For more information about the Data Privacy Frameworks, visit the Department of Commerce’s Data Privacy Framework Principles website at https://www.dataprivacyframework.gov/s/program-overview.

Expedient is subject to the jurisdiction of the Federal Trade Commission.

This Privacy Policy (“Policy”) covers Expedient’s storage of Personal Data provided to Expedient by clients that have access and use Personal Data of individuals who reside in European Economic Area (which includes the twenty-seven (27) member states of the European Union plus Iceland, Liechtenstein and Norway that participate in the Data Privacy Frameworks) (EEA). Personal Data is data about an identified or identifiable individual received by Expedient from clients located in the EEA. Clients are business entities that operate in the EEA and use Expedient’s services to store Personal Data at Data Centers owned by Expedient and located throughout the United States. Expedient does not directly collect, or, record, use, organize, disclose, adapt, alter, disseminate, erase or destruct Personal Data received from clients located in the EEA. Expedient does not store Personal Data on its own behalf or for any purpose of its own.

Before storing any Personal Data from its clients at its Data Centers, Expedient will ask those clients to acknowledge and agree that they have complied with the Data Privacy Frameworks of transparency, legitimate purpose and proportionality. Expedient will cooperate with each client to ensure compliance with the Data Privacy Framework Principles. Expedient does not have any control over the uses its clients may make of the Personal Data disclosed to them and stored by Expedient.

In compliance with the Data Privacy Frameworks, Expedient strives to resolve all complaints about, requests to restrict the use of, or requests to correct Personal Data stored at its Data Centers. If an individual whose Personal Data is stored within one or more of Expedient’s Data Centers has a complaint against the client responsible for their information and Expedient, then that individual should contact the client at the address provided by the client available through the client’s online privacy policy and contact Expedient at Privacy.Framework@expedient.com. Expedient will respond to any complaint within forty-five (45) days of receiving the compliant.

Under the Data Privacy Framework Principles, any complaints that remain unresolved by Expedient will be referred to JAMS, an independent alternative dispute resolution organization located in the United States. Individuals whose complaints have not been satisfactorily addressed by Expedient can visit JAMS’ website at https://www.jamsadr.com/dpf-dispute-resolution for details on how to file a complaint. This recourse mechanism is free of charge to individuals. As a last resort, complaints that remain unresolved after pursuing these recourse mechanisms may be subject to binding arbitration. For more details about binding arbitration, contact Expedient at Privacy.Framework@expedient.com.

Expedient’s employees do not have access to Personal Data stored at Data Centers owned by Expedient, except incidental access if Client requests technical assistance based on the services purchased from Expedient. Expedient will comply with a request to provide access to its Data Centers that store information systems hosting Personal Data only in response to lawful requests by public authorities, including meeting national security or law enforcement requirements, in accordance with the Data Privacy Framework Principles.

Expedient works hard to protect Personal Data stored on information systems hosted at its Data Centers from unauthorized access, unauthorized alteration, disclosure or destruction. Expedient has strict policies regarding access to its Data Centers, has developed administrative, technical and organizational controls to protect Personal Data, and undertakes annual reviews of its security policies.

Expedient does not transfer Personal Data stored in information systems at its Data Centers unless it is directed to do so by its client. Each client is responsible for complying with the Accountability for Onward Transfer requirements for any transfer of Personal Data initiated by such client. If Expedient transfers Personal Data to a third party acting as an agent, Expedient will make sure that the third party subscribes to the Data Privacy Frameworks or can present evidence that such third party has otherwise complied with the requirements for permitted transfer under the EU’s General Data Protection Regulation.

If there is any conflict between the terms in this Policy and the Data Privacy Frameworks, the Data Privacy Frameworks shall govern. Expedient may amend this Policy from time to time by posting a revised Policy, which is located at https://www.expedient.com/privacy-framework. Expedient will amend this Policy in a manner consistent with the requirements of the Data Privacy Frameworks.


Attn: Privacy Shield Compliance Officer
Nova Tower 1
One Allegheny Square, STE 600
Pittsburgh, PA 15212

Effective Date: October 11, 2023

The best of Expedient delivered to your inbox.

Sign up for more technical briefs, stories, and special offers from Expedient.