Effective as of September 26, 2016, updated on June 29,2017

Scope of this Notice

SugarCRM Inc. complies with the EU-U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively.  SugarCRM Inc. has certified to the Department of Commerce that it adheres to the principles of the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (“Principles”) with respect to personal data submitted by SugarCRM`s customers to the SugarCRM Product (”Customer Data”). Specifically, SugarCRM certifies compliance with the Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability. If there is any conflict between the Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov/.

This Notice does not apply to SugarCRM (and its subsidiary’s) employee data, or the data that we receive directly through SugarCRM’s publicly accessible websites.

Data processed (categories of data)

SugarCRM, together with our subsidiaries (“We”), sell customer relationship management (CRM) solutions that our customers use to manage their customer relationships. In providing these tools, SugarCRM processes data our customers enter into our products or instruct us to process on their behalf. SugarCRM`s customers decide what to enter. SugarCRM generally has no knowledge about what is being stored. However, our understanding is that typically the information includes business-related information about our customers’ customers (e.g. names, business addresses, work phone numbers, work e-mail addresses etc.), prospects and/or sales leads.


SugarCRM processes Customer Data pursuant to our subscription agreement. Our products may be deployed On-Demand or On-Site and customers may also engage us for professional services and customer support. To fulfill our contractual obligations, SugarCRM may access Customer Data to provide services, to correct and address technical or service problems, or to follow instructions of the customer who submitted the data, or in response to contractual requirements.

Third Parties who may receive personal data (Onward Transfer)

SugarCRM may engage a limited number of third-party service providers to assist us in providing our services to customers. These third party providers may offer customer support, data storage services (data centers), or technical operations. These third parties may access, process, or store personal data in the course of providing their services./p>

SugarCRM maintains contracts with these third parties restricting their access, use and disclosure of personal data in compliance with our Privacy Shield obligations. SugarCRM may be liable if the third parties fail to meet their obligations.

Compelled disclosure

SugarCRM may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Data Integrity & Security

SugarCRM employs procedural and technological measures that are reasonably designed to help protect personal information from loss, unauthorized access, disclosure, alteration, or destruction. For example, among other measures, we have implemented physical security measures at our premises (e.g., key cards) and we have established technical safeguards such as firewalls and security patches.

Data access and correction, your choices for limiting use and disclosure

If you are an individual based in the EU or in Switzerland and our product holds your personal data, you may request access to your personal data. You also have the right to update, correct or delete your personal data. Also, the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework requires that participants offer data subjects a choice to opt out of uses and disclosures of their data that are materially different from the purposes for which that data was originally collected or subsequently authorized. SugarCRM is committed to respect your rights.

SugarCRM personnel has limited ability to access data submitted by its customers to the SugarCRM Product and does not have any personal relationship with the individuals whose personal data it processes on behalf of its customers. If you wish to request access to, correct or delete, or to limit the use or disclosure of your personnel data please provide us the name of the SugarCRM customer who has submitted your data into the SugarCRM Product. We will refer your request to that customer and will support our customer as needed in responding to your request.

Inquiries and complaints

We encourage you to direct any inquiries or complaints concerning our Privacy Shield compliance to SugarCRM Inc., attn. General Counsel 10050 N. Wolfe Road, SW2-130, Cupertino, CA 95014, USA, or call us at (408) 454-6900, or email us at legal@sugarcrm.com. We will investigate and attempt to resolve complaints and disputes in a manner that complies with the principles described in this Notice. If you have a comment or concern that cannot be resolved with us directly within forty-five (45) days time, or if our response does not address your concern, you may contact JAMS, an independent third party dispute resolution body based in the Unites States. JAMS has committed to respond to complaints and to provide appropriate dispute resolution at no cost to you. To contact JAMS and/or learn more about the company’s dispute resolution services, including instructions for submitting a complaint, please visit: https://www.jamsadr.com/eu-us-privacy-shield. If neither SugarCRM nor JAMS resolves your complaint, you may pursue binding arbitration through the Privacy Shield Panel.

U.S. Federal Trade Commission enforcement

SugarCRM’s commitments under the Privacy Shield are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.