Data Privacy Framework Notice

This Data Privacy Framework Notice (this “Notice”) sets forth the privacy principles Domo, Inc. and its affiliates (“Domo”, “we”, “our” or “us”) follow when processing personal information transferred from the European Economic Area (the "EEA"), the United Kingdom, or Switzerland to the United States.

Domo is the provider of an online, cloud-based business management platform service and other subscription-based services (the “Subscription Services”). We provide the Subscription Services and related support, consulting, implementation, and other professional services to our customers (collectively, our “Services”).

Domo complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF (UK Extension), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Domo has certified to the U.S. Department of Commerce that it adheres to the EU- U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension. Domo has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. The EU- U.S. DPF, UK Extension, and Swiss-U.S. DPF are referred to collectively as the “Data Privacy Framework” and the EU-U.S. DPF Principles and Swiss-U.S. DPF Principles are referred to collectively as the “Principles.” If there is any conflict between the terms in this Notice and the Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

This Notice supplements the Domo Privacy Notice. In case of conflict between the Domo Privacy Notice and this Notice, this Notice prevails.

Scope

This Notice applies to EEA, United Kingdom and Swiss personal information that we obtain and process in the following capacities:

As a data controller, we collect and process EEA, United Kingdom and Swiss Personal Information directly from individuals, including in the context of our publicly available websites, including www.domo.com, our Services such as the personal information provided to Domo to register a user account, company events, forums, and communities, marketing, promotional, and advertising communications, and as otherwise described in the Domo Privacy Notice.
As a data processor, we process and store EEA, United Kingdom and Swiss personal information that is uploaded into the Subscription Services or otherwise provided to us for processing by or on behalf of our customers in our provision of the Services. In that context, we only process personal information on behalf of and at the instructions of our customers, which are the data controllers.

Domo commits to subjecting to the Principles all personal information received from the EEA, the United Kingdom, and Switzerland in reliance on the Data Privacy Framework (which includes both of the above type of activities).

Personal Information Processed

When Domo is acting as a data controller, the categories of personal information we collect are described in the Domo Privacy Notice. These categories may include, among other categories, your name, the company you work for, address, email, phone number, your position or title, and/or your Domo username and password.

When Domo is processing personal information as a data processor in the context of our Services, our customers determine the categories of data they upload into the Subscription Services. Accordingly, customers are responsible for providing notice to the individuals from whom they have collected personal information.

Purpose of Processing

When we process personal information in our capacity as a data controller, we may use any personal information we obtain for the purposes indicated in the Domo Privacy Notice or as otherwise notified to you. We will not process personal information in a way that is incompatible with these purposes or as subsequently authorized by you. We will adhere to the Principles for as long as we retain the personal information collected under the Data Privacy Framework.

When we process personal information as a data processor in the context of our Services, we process the personal information for the purpose of providing our Services to the relevant Domo customer and as authorized in our agreements with our customers. To fulfill this purpose, Domo may access personal information to provide technical support services, perform consulting, training, or other professional services, address technical or security issues, comply with customer instructions, or fulfill contractual requirements. We only process such personal information in accordance with our customers’ instructions, as set forth in the agreement between Domo and the applicable customer.

Onward Transfers and Disclosure

When we process personal information as a data controller, we work with third-party service providers that provide services or help support our business as described in the Domo Privacy Notice. In the context of providing our Services, Domo uses a limited number of third-party service providers to assist us in providing our Services to customers. These third-party providers may provide customer support to our customers, perform professional services, perform database monitoring and other technical operations, assist with the transmission of data, and provide data storage services.

These third parties may access, process, or store personal information in the course of providing their services. Domo maintains contracts with these third parties restricting their access, use and disclosure of personal information in compliance with our Data Privacy Framework obligations, including the onward transfer provisions, and Domo remains liable if they fail to meet those obligations and we are responsible for the event giving rise to damage, unless we prove that we are not responsible for the event giving rise to the inconsistent processing.

We may also share your personal information that we control or process in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Choice and Access

Where appropriate, Domo provides you with access to the personal information that we maintain about you and the ability to correct, amend or delete that information when it is inaccurate or has been processed in violation of the Principles by contacting us as indicated under “Contact Information” below. We will review your request in accordance with the Principles and may limit or deny access to personal information where providing such access is unreasonably burdensome or expensive under the circumstances, or as otherwise permitted by the Principles.

When we process personal information as a data processor in the context of our Services, we only process and disclose the data as necessary to provide the Services and as authorized in our agreements with our customers. Our customers control how the information they upload to the Services is disclosed and used and how it can be modified. Accordingly, if you wish to request access, to limit use, or to limit disclosure of personal information uploaded to the Subscription Services by our customer, please contact the customer who submitted your data to our Services. If you provide us with the name of our customer that is processing your personal information, we will refer your request to that customer, and will support the customer as needed in responding to your request.

Recourse and Enforcement

In compliance with the Data Privacy Framework, Domo commits to refer unresolved complaints concerning our handling of personal information received in reliance on the Data Privacy Framework to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your Principles-related complaint from us, or if we have not addressed your Principles- related complaint to your satisfaction, please visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you. As set forth in Annex I of the Principles, in certain circumstances, an individual has the right to invoke binding arbitration to resolve complaints not resolved by other means.

The U.S. Federal Trade Commission (FTC) has jurisdiction over Domo’s compliance with the Data Privacy Framework. Domo is subject to the investigatory and enforcement powers of the FTC.

Changes to This Notice

This Notice may be changed from time to time, consistent with the requirements of the Data Privacy Framework. You can determine when this Notice was last revised by referring to the "Last Updated" date on the first page of this Notice. Any changes to this Notice will become effective when we post the revised version on our website.

If you have any questions related to this Privacy Notice or our privacy practices, please contact us at:

Domo, Inc.
Attn: Privacy Officer
802 East 1050 South
American Fork, Utah 84003
Email: privacy@domo.com
Telephone: 1.800.899.1000 (9:00 AM to 5:00 PM Mountain)

To submit an individual rights request, please use our privacy request form.