GDPR Policy

Last Updated: September 10, 2020

This GDPR Policy governs Tiero’s collection and use (“Processing”) of the Personally Identifiable Information of persons residing in the European Union and other jurisdictions that have adopted the EU’s Data Protection Regulation (GDPR”), and is incorporated by reference into Tiero’s Privacy Policy.  

The capitalized terms that appear in this GDPR Policy have the same meanings as in Tiero’s Terms of Use and Privacy Policy, unless they are defined in this policy.  The capitalized terms that are defined in this policy have the same meanings as in the GDPR.  Please click here [] for the text of the GDPR. 

By using the Services, you agree to this GDPR Policy.  IF YOU DO NOT AGREE TO THIS GDPR POLICY, YOU MAY NOT USE THE SERVICES. 


This GDPR Policy protects the Personally Identifiable Information of residents of countries that have adopted the GDPR (“Data Subjects”).

When Processing the Personally Identifiable Information of such persons, Tiero will abide by the requirements of the GDPR, whether we are considered an entity that determines the purposes and means of the Processing of Data Subjects’ Personally Identifiable Information (“Data Controller”) and/or an entity that process the information (“Data Processor”).

When Processing the Personally Identifiable Information of the customers of an entity, the entity agrees that it will have the responsibilities of the Data Controller and that Tiero will have the responsibilities of the Data Processor under the GDPR.  Thus, the entity agrees that it will be responsible for its customers’ information, and that Tiero will not have any responsibilities for the information, except in connection with the processing of the information.

When processing the Personally Identifiable Information of the customers of an entity, the entity may require that Tiero use certain third-party Data Processors to provide the Services.  In such situations, the entity agrees that it authorizes Tiero to share its customers’ data with such third-Party Data Processors.  The entity also agrees that it will be responsible for providing any and all instructions to such third-party Data Processors regarding its customers’ information.  The entity agrees that the third-party Data Processors will not be considered subcontractors of Tiero.


Data Subjects who create an Account to use the Services or sign a separate agreement to use the Services will be asked to affirmatively consent to the Processing of their Personally Identifiable Information and the receipt of electronic communications pursuant to Tiero’s Privacy Policy.  Data Subjects are not required to provide their consent.  However, if Data Subjects do not consent to the Processing of their Personally Identifiable Information, they will not be able to use the Services, and if they do not wish to provide certain types of information, their use of the Services may be adversely affected and they may not receive certain communications. 


The purpose of Processing Data Subjects’ Personally Identifiable Information is to provide the Services set forth on our Website. 


The legal bases for the Processing of Data Subjects’ Personally Identifiable Information may include one or more of the following: 

  • The Data Subject’s consent, which may be provided when the Data Subject creates an Account to use the Services. 
  • Entry into a separate agreement with Tiero requiring the collection and use of such information. 
  • Tiero’s legal obligations (other than its contractual obligations to the Data Subject), such as when Tiero is required to respond to governmental demands for such information. 
  • Tiero’s legitimate interest in collecting and using such information, such as when we use the Data Subject’s information to improve the Services. 


Data Subjects have the following rights under the GDPR. 

  • The right to be informed about Tiero’s policies regarding their Personally Identifiable Information, including with respect to the purposes of Processing the information, the legal basis for the Processing, the recipients of the information, where the Processing of the information takes place, and contacting Tiero. 
  • The right to accestheir information. 
  • The right to the correction of their information. 
  • The right to the deletion of their information (i.e., the “right to be forgotten”), including if the information is no longer required for the purpose for which it was collected, if they withdraw their consent for the Processing of their information, if they request the deletion of their information, and if the Processing of the information has been unlawful. 
  • The right to restrict the Processing of their information, including if they contest the accuracy of the information or if the Processing of the information is unlawful. 
  • The right to receive a copy of the information that they provided to Tiero in a structured, commonly used, and machine-readable format and to transmit the information to another entity. 
  • The right to object to the Processing of their information, including if the legal bases for the Processing no longer apply, or if the information is used for direct marketing purposes or profiling related to direct marketing purposes. 
  • The right not to be subject to decisions based solely on automated decisionmaking processes. 

To exercise any of these rights, Data Subjects may contact Tiero as provided below. 


Tiero may process Data Subjects’ Personally Identifiable Information or use thirdparty Data Processors to process such information.  Tiero operates internationally, and such information may be processed in the United Sates or the European Union.  Tiero’s servers are located in the United Sates, and the servers of third-party Data Processors may be located in the United States or the European Union. 

Whewe process Data Subjects’ Personally Identifiable Informationwhether the information is processed in the United States or the European Union, we will take commercially reasonable steps to safeguard the privacy of the information.  This includes following the security policies and procedures set forth in Tiero’s Privacy Policy and/or obtaining reasonable commitments from third-party Data Processors regarding the protection of such information. 

When we process the Personally Identifiable Information of the customers of an entity, we will provide such entities with copies of our security policies regarding the processing of such information upon request. 


When Data Subjects’ Personally Identifiable Information is transferred outside of the European Union, we will use standard contractual clauses approved by the European Union, adopt other means under European Union law for ensuring adequate safeguards regarding the disclosure of such information, or obtain your consent to the use or disclosure of such information.  If Data Subjects would like a copy of our standard contractual clauses or more information on the appropriate safeguards we have implemented with third Data Processors to protect their information, please contact Tiero as provided below. 


Questions, complaints, and other communications regarding any aspect of this GDPR Policy should be addressed to Tiero at 

Data Subjects who wish to direct their questions, complaints, or other communications to the person at Tiero who monitors compliance with the GDPR (“Data Protection Officer”), including with regard to all issues related to the Processing of their Personally Identifiable Information and the exercise of their rights under the GDPR, should contact Tiero as follows.  Data Subjects who are not satisfied with the Data Protection Officer’s responses and who wish to obtain the contact information of the entity authorized to act on Tiero’s behalf in the European Union (“Representative”), or the entities responsible for overseeing compliance with the GDPR in the countries where Tiero provides the Services (“Supervisory Authority”), should also contact Tiero as follows. 

Mr. James Gorman
Chief Information Security Officer
Tiero LLC
1201 Seven Locks Road, Suite 214
Potomac, Maryland 20854
(650) 425-3050