Our Services and Client Data
In connection with the performance of services for our Clients, our Clients are the “controller”, and Legility is the “processor” regarding the personal data processed by Legility on a Client’s behalf ("Client Personal Data"). We only process Client Personal Data as instructed by each of our Clients in writing for the specific purposes and services offered to that Client and in no other way.
“Controller” and “processor” have the meaning given to these terms by Regulation (EU) 2016/679 and any applicable local laws or regulations for the protection of personal data enacted to effect Regulation (EU) 2016/679 or in a country covered by such regulation (the "Data Protection Laws").
Our form Client Data Protection Addendum (“DPA”) can be found here and includes agreement to the Standard Contractual Clauses for processors (in the absence of Privacy Shield certification) for the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.
We have implemented appropriate technical and organizational security measures to ensure a level of security appropriate to the risks that are presented by the processing and the nature of the Client Personal Data to be protected:
- We have established procedures for quickly responding to breach incidents and prepared a breach response policy, as well as incorporated "table top" exercises to establish timely response to breach reporting obligations.
- We have established appropriate access controls to safeguard all Client Personal Data. Our employees and personnel who have access to Client Personal Data are (1) both informed of the confidential nature of the Client Personal Data and obliged to keep such Client Personal Data confidential; and (2) aware of Legility’s duties and obligations under any written agreement with a Client.
More detailed information regarding our security measures is available upon request. Please contact us at:
Attn: Mona Maerz, GC
112 Westwood Place
Brentwood, TN 37027
As a Processor:
- We have developed audit/due diligence procedures and implemented a process for requiring execution of compliant Data Processing Agreements when IT or SaaS vendors are engaged in our services and expected to have access to personal data, including Standard Contractual Clauses where a vendor is not located in the EEA.
- We have developed policies and procedures to discontinue processing activities if the data controller advises Legility that a data subject denies consent, and we have established procedures for deleting, returning or disconnecting access to any and all Client Personal Data if so requested.
- We have developed and implemented Privacy By Design review for all new IT Systems, SaaS applications, Software and hosted services touching personal data through a Vendor Management Oversight Committee, Third Party Risk Management Program, Security Scorecard, and SIG Lite process.
- We maintain records of processing activities involving Client Personal Data, and our data mapping allows us to identify and track Client Personal Data when processed by us and/or by third party providers to whom Client Personal Data has been delivered.