Privacy Shield

Cherwell and the EU-U.S. Privacy Shield

This Cherwell EU-U.S. Privacy Shield Policy (“Cherwell Privacy Shield Policy”) is intended to be read in conjunction with Cherwell’s Privacy Statement, available at and Cherwell’s other Websites (as defined in Cherwell’s Privacy Statement) that display the terms of Cherwell’s Privacy Statement. If you are a customer of Cherwell located in the European Economic Area (“EEA”) or Switzerland, the Cherwell Privacy Shield Policy is intended to be read in conjunction with Cherwell’s Privacy Statement and your applicable End-User License Agreement (“EULA”), End-User Subscription Agreement (“EUSA”), or other customer agreement.

Cherwell Software, LLC, and its subsidiaries and affiliates (collectively, “Cherwell”), complies with the EU-U.S. Privacy Shield framework (“Privacy Shield”) set forth by the U.S. Department of Commerce regarding the Processing of Personal Data of Data Subjects in the EEA. Cherwell, through its participation in the Privacy Shield, adheres to the Privacy Shield principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement and liability (the “Privacy Shield Principles”). For individuals located in the EEA, if there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. If you are a customer of Cherwell located in the EEA and there is any conflict between the terms of your EULA, EUSA, or other customer agreement and the Privacy Shield Principles, the Privacy Shield Principles shall govern. 

To learn more about the Privacy Shield framework, and to view our certification, please visit

Cherwell notifies visitors to its Websites and Cherwell customers about the Personal Data it collects, how Cherwell uses Personal Data, Personal Data disclosed to Third Parties, choice, data integrity and security, and access in its Privacy Statement at If you are a customer of Cherwell located in the EEA or Switzerland, more information about the foregoing may be found in your EULA, EUSA, or other customer agreement.

Cherwell’s accountability for Personal Data that it receives under the Privacy Shield and subsequently transfers to a Third Party is described in the Privacy Shield Principles. In particular, Cherwell remains responsible and liable under the Principles if Third-Party agents that it engages to process the Personal Data on its behalf do so in a manner inconsistent with the Principles, unless Cherwell proves that it is not responsible for the event giving rise to the damage.

As further explained in the “Questions or Complaints” section of the Cherwell Privacy Statement, we encourage you to contact us should you have a Privacy Shield-related (or general privacy-related) complaint. Cherwell will respond to an individual complaint within forty-five (45) days. If an issue cannot be resolved, Cherwell will refer such complaints under the Privacy Shield to an independent dispute resolution body based in the United States, TrustArc. If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please contact or visit for more information or to file a complaint. The services of TrustArcJAMS are provided at no cost to you. Under certain conditions, as further explained in the Privacy Shield Principles, individuals in the EEA may invoke binding arbitration before the Privacy Shield Panel in order to address residual complaints not resolved by any other means. Cherwell is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Cherwell has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU and Switzerland in the context of the employment relationship.

Cherwell provides a mechanism for assuring compliance with the Privacy Shield Principles. Cherwell uses a self-assessment, and at least once a year Cherwell will certify that this Privacy Shield Policy and its Privacy Statement are accurate, comprehensive, prominently displayed, implemented and in conformity with the Privacy Shield Principles. Cherwell will monitor adherence to the Privacy Shield Principles. Any employee who intentionally violates this Privacy Shield Policy will be subject to disciplinary action up to and including termination of employment.

Adherence to the Principles may be limited: (a) to the extent necessary to meet national security, public interest, or law enforcement requirements; (b) by statute, government regulation, or case law that creates conflicting obligations or explicit authorizations, provided that, in exercising any such authorization, Cherwell can demonstrate that its non-compliance with the Principles is limited to the extent necessary to meet the overriding legitimate interests furthered by such authorization; or (c) if the effect of the Directive or Member State law is to allow exceptions or derogations, provided such exceptions or derogations are applied in comparable contexts.

This Policy may be amended from time to time, consistent with the requirements of the Principles.

In compliance with the Privacy Shield Principles, Cherwell commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Cherwell at:

Contact Information

For all matters on Privacy Shield at Cherwell


The following definitions apply to this Privacy Shield Policy:

  1. “Data Subject” means an identified or identifiable natural person.
  2. “Identifiable natural person” means one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
  3. “Personal Data” means any information relating to a Data Subject received by Cherwell in the United States from the EEA or Switzerland, and recorded in any form. Personal Data does not include information that is anonymous, de-identified, or publicly available.
  4. “Processing personal data” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

Last updated:  March 1, 2019