Skip to Main Content

VikingCloud Audit & Certification Privacy Notice

This privacy notice (the “Privacy Notice or “Notice””) describes how we collect, store, use, and share your personal information and explains your rights in relation to your information. In this Privacy Notice, when we say “you” and “your” we mean a visitor to our website, a person who we have identified as a potential client / who has contacted us about our products and services (Prospects), or if you are a registered contact for one of our clients (Client Representatives). Note the use of personal information as part of delivering our services is subject to our clients’ privacy notices.

This Privacy Notice has been written in alignment with the requirements of the General Data Protection Regulation (GDPR), the UK GDPR, Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD), South Africa’s Protection of Personal Information Act (POPIA), Canada’s Personal Information protection and Electronic Documents Act (PIPEDA) and India’s Digital Personal Data Protection Act (DPDPA).

Who we are.

When we say ‘we’, ‘us’ or ‘our’ in this Privacy Notice we are referring to VikingCloud Audit & Certification, LLC (“VAC”), a Delaware limited liability company (registered number 6678455) whose registered office is at 111 North Wabash Ave., Suite 100 #3290, Chicago, IL 60602.

Where do we get your information from?

We collect information from you in a variety of ways, such as when you:

  • Visit our website (see our Cookie Notice for more information on the tracking technologies we use)
  • Complete a form on our website
  • Share your contact details with us at an event or conference (or for some events, the event organizer will share details of all attendees with us)

We may also receive leads from other suppliers. When we acquire information from these sources, we will notify you on the source.

Your employer may also share your details with us if they have nominated you to manage the services we provide to them (i.e., you’re a Client Representative / named as a contact in our contracts).

What kinds of information do we collect about you?

The information we collect is:

  • Personal – your name, country, and, if you are based in the US, your state. We may also collect your address solely to send you merchandise on a case-by-case basis (you decide whether this is a personal or work address).
  • Employment – your employer and role/job title.
  • Work contact details – your work email address and phone number.
  • Professional interests – if you complete a form on our website or talk to one of our sales or relationship management colleagues, we will collect details on your interests and opinions, such as the service(s) you believe your employer needs.
  • Meeting recordings – if you have a meeting with us, you may agree to the meeting being recorded (or request us to record it).
  • CCTV footage/building access logs – if you visit any of our offices, we will capture images of you and record information relating to your visit.
  • Website server logs – if you visit one of our websites, we automatically collect server logs containing your IP address and your approximate location (town/city level).
  • Cookie information – please see our Cookie Notice for information on what information we collect using such technologies / how your information is used.

How do we use your personal information, and what are our legal grounds?

Worldwide, a number of data protection and privacy laws require organizations to process personal information only where we have a 'lawful basis' (a legal justification for the collection, storage and further use of personal information, as outlined in your local law). In the table below, you can see more details on legal bases under the GDPR, which is aligned to LGPD and POPIA.

Please make sure you read the 'Use of Your Information' column below regardless of your location.

Legal requirements and obligations for obtaining and managing consent.

Where we process your personal information based on consent under the GDPR (or similar laws such as LGPD or POPIA), the requirements for consent means consent can only be used in specific circumstances (where people have free choice, and their information can be deleted at any time).

Where we are using non-GDPR standard consent, such as within Canada and India, we imply your consent by providing you with this Privacy Notice at the point of collecting your personal information. However, please note that if you withdraw your consent, we may not delete your information if we have a good reason for keeping it.

Reason for using your personal information:Legal ground:

Website Monitoring

If you provide your consent via our cookie tool, we will set and access cookies and UTMs (a type of tracking technology) when you visit our website. See our Cookie Notice for more information.

Call recording for Conversation Intelligence

Where you have provided your consent, we record sales calls and use artificial intelligence (AI) tools to transcribe and analyze the conversation. We use this analysis to monitor, evaluate and improve the quality, consistency and effectiveness of our sales communications and customer engagement.

The AI system processes the audio recording to:

  • generate a written transcript of the call;
  • identify key discussion topics and agreed follow-up actions; and
  • analyze tone of voice to produce a sentiment assessment of the interaction.

The sentiment analysis is intended to help us understand how our communications are received and to improve service delivery.

The call recording, transcript, and AI-generated insights are stored within our Customer Relationship Management (CRM) systems and linked to your business contact profile, together with other professional contact details and interaction history that we hold about you (see “What kinds of information do we collect about you?” for further information).

Your call data and associated AI outputs are not used to train, retrain, or improve the underlying AI models

Consent

Under EU laws, we can only use non-essential cookies (such as analytics cookies) if we receive your consent.














We rely on your consent to record sales calls and to use artificial intelligence (AI) tools to transcribe and analyze the conversation.


At the start of the call, you will be asked to confirm whether you agree to the recording and AI-based analysis. If you do not provide consent, the call will not be recorded.

You may withdraw your consent at any time during the call or, post call, by contacting us using the details set out in the “Contact” section.

Legal Duties

We may disclose or share your personal information to comply with a legal obligation, such as a court order.

Where we do so we’ll only provide the minimum information needed to comply.

Necessary for compliance with a legal obligation

Your personal information may be processed to meet any legal obligations we are subject to.

Protecting Life

We may disclose your information to the police or other authorities if we have serious concerns about you or another’s wellbeing.

Necessary to protect vital interests

This will usually only apply to protect someone’s life.

Necessary for legitimate interests.

We also use your information when we have a ‘legitimate interest’ and this does not unfairly impact you or your privacy rights. Each activity is assessed, and your rights and freedoms are considered to make sure that we are not being intrusive or doing anything beyond your reasonable expectations.

We will assess the information we need, so we only use the minimum amount. If you want further information about processing under legitimate interests, you can contact us using the details in the Contact section of this Privacy Notice.

You also have the right to object to any use of your information where we use ‘legitimate interests’ as a lawful basis. We will reassess our interests and yours, considering your individual circumstances. If we have a very strong reason for the use of your information, we may continue to use your information.

We use ‘legitimate interests’ in the following circumstances:

Reason for using your personal information:Legitimate interest(s):

Sales & Marketing

Events

Where we acquire your information from events and conferences, our salespeople will contact you about our products and services and we will add you to our email marketing list.

We need to promote our products and services to run a successful business.

Analysis and management reporting

We analyze and report on our sales activities. Where we do so, we do this to produce aggregated reports - i.e., facts and figures, which no longer contain personal information.

Key KPIs which are analyzed relate to matters such as the success of our sales activities. We also analyze who attended our webinars and attendance times to assess and improve such activities.


We need to analyze and assess our performance to optimize our resources.

Relationship Management

Client Representative

If you are a Client Representative, we will use your contact details to keep in touch about the services. This will mainly be data your employer is responsible for, but if it’s not a core part of the agreement, then we’re responsible for this use of your data.

ZoomInfo

We use ZoomInfo to ensure our CRM records remain accurate (we share your name, role, and employer as well as business contact details).

We need to keep in touch with our clients to ensure you are happy and our products and services are fulfilling your business needs (i.e., for retention purposes).

Technical security and support

Logs are automatically reviewed to produce alerts for manual review, with alerts being generated if there are indications of errors, problems with our technology, or security concerns. Logs often include usernames, emails, activities, and the dates and times of these.

We need to ensure the security of our systems and our information, as well as make sure our technology is working effectively / as intended.

Online tracking / minors.

At present, we do NOT respond to Do Not Track signals your browser sends. But you can use our cookie tool to let us know your preferences.

We do not collect information relating to minors. Therefore. we do not sell or share the personal information of consumers under 16 years of age.

Who do we share your personal information with?

We share your personal information with other organizations. The organizations we share personal information with are as follows;

  • Our website provider
  • Other group entities (who provide Legal, Financial, Human Resources, Marketing, Sales, IT, Information Security and Data Protection / Privacy services to VAC)
  • Government Bodies and Regulators
  • Professional services providers and consultants, such as contractors, external auditors, and lawyers
  • Certification bodies, if you raise a matter in relation to our certification activities that requires their attention…
  • As part of an actual or contemplated business sale, merger, consolidation, change in control, transfer of substantial assets, or reorganization.

Overseas transfers.

The information that we process about you will be stored in the United States. It may also be stored or accessed by authorized individuals who operate in a variety of countries, or who work for us or for one of our suppliers.

If you are based in the EU, the UK or Switzerland, we need to have specific protections in place to transfer your information to another country. We also need to let you know which methods we use.

  • Some countries have been assessed by the relevant authorities as being ‘adequate’, which means their legal system offers a level of protection for your information which is equal to the level of protection in your country. This applies to some of our suppliers, as well as some of the transfers of information within VAC.
  • The EU Commissioner and the UK have also approved Binding Corporate Rules (BCRs) to protect information shared within a group of companies. This requires the group to commit to meeting EU / UK standards across all regions. These rules need to be approved by all the EU supervisory authorities (or the ICO, the UK regulator) and require extensive monitoring and oversight. Some of our suppliers have BCRs.
  • Where the country or mechanism has not been assessed as ‘adequate’, the method we use most frequently is the EU’s Standard Contractual Clauses (SCCs) (with additions to make these work for the UK and Switzerland). These contract terms place European standards on companies in other jurisdictions. The European Commission approved standard contractual clauses are available via https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en
    • We have SCCs in place to allow sharing between group entities globally.
    • We have SCCs in place with some of our service providers - we carry out due diligence checks of their practices and where necessary, we agree on additional controls to ensure that your information is treated securely and in accordance with this Privacy Notice.

Please contact us if you would like more information on our SCCs.

If you are based in a country outside of the countries above, there may be local obligations we have to meet. See below for details of the additional controls which we will apply to protect your information:

  • Brazil / South Africa – these laws contain the same requirements as the GDPR in relation to international transfers. We have extended the EU SCCs to cover your information and are working to implement Brazil’s new SCCs.
  • Canada – clear privacy notices explaining the transfer. We also need to tell you who to contact for more information. Please write to the VAC Data Protection Team using details in the 'Contact’ section below.

How long do we keep personal information for?

Unless otherwise set out in this Privacy Notice, any information we process about you will be retained by us until we no longer need it for the purposes for which it was collected, as set out in this Privacy Notice. We will base that decision on criteria, including:

  • Any legal or regulatory requirements to delete or retain the information for a specific timeframe,
  • Our legitimate business reasons for keeping the information, such as to analyze and assess our activities,
  • The likelihood of a claim arising where we’d need to defend our conduct, and
  • Whether the information is likely to remain up to date.

We will review and delete or destroy personal information on a regular basis. If we are unable, using reasonable endeavors, to delete or destroy personal information, we will ensure that the personal information is encrypted or protected by security measures so that it is not readily available or accessible by us.

Automated decisions / profiling.

Automated decisions are decisions made by a computer or AI system without a human being directly involved. Profiling is the use of information about you to analyze or predict certain aspects, such as your likely reactions, preferences, or behavior.

When you provide your consent to call recording and AI analysis during sales calls, the AI system performs profiling by analyzing your tone of voice and the words you use to generate a sentiment assessment. This assessment categorizes interactions as positive, neutral, or negative, helping our team understand how the conversation is perceived.

The insights generated by AI are not used to make automated decisions that have legal or significant effects on you. They are solely used to assist our colleagues in monitoring calls, identifying potential issues, and improving the quality of our sales and service interactions. A human colleague reviews the AI insights and decides how to act on them.

We do not use this profiling to score or rank individuals, and it is not used for model training or any other purpose beyond improving internal service quality and communication.

Security.

We align to the International Standard for Information Security (ISO27001) as well as that relating to Privacy (ISO27701). This involves setting up a system to manage risks around both information security and data protection / privacy, as well as putting in place measures and objectives to keep improving.

An example of a measure we take is to enforce TLS1.2 (when transferring information externally / to our suppliers). TLS1.2 is a network protocol for encrypting information in transit.

Access to your information is only provided to our people who have a need to know. We implement role-based access control so only those with a relevant role are given permission. We audit access on a regular basis.

Your rights.

There are several rights available under global data protection and privacy laws. These do not usually require any fee, and we must respond within one (1) calendar month in most circumstances.

Not all rights apply in all situations, and some regions have different timeframes. If you require further details of timeframes and what applies in your jurisdiction, please contact our Global Data Protection Manager using the Contact details below.

The easiest way to exercise any of your rights is to enquire if a right is applicable in a specific circumstance or to check what timescales apply would be to contact our Data Protection Team as set out below.

If we need further information to comply with your request, including any identification, we will let you know. However, wherever possible, we will seek to identify you by way of information we already have; for example, if you contact us via the email address that you have registered with us, we will not normally need anything further (except if the data or the nature of the request is sensitive).

Right of access / right to know.

You have the right to ask for access to and receive copies of your personal information. You can also ask us to provide a range of information relating to how we collect/use your information.

Right to rectification / right to correct.

If you believe the personal information we hold about you is inaccurate or incomplete, you can ask us to correct that information.

Right of erasure / right to be forgotten / right to delete / right to anonymization.

In some circumstances, you have the right to ask us to delete and/or anonymize personal information we hold about you.

Right to restrict processing / right to have information preserved.

In some circumstances, you are entitled to ask us to restrict the processing of your personal information. This means we will stop using your personal information, but we will not delete it. Or you could ask us not to delete your information.

Data portability.

You have the right to ask us to provide your personal information in a format that allows you to share your personal information with another provider.

Right to object.

You are entitled to object to us processing your personal information if the processing is based on legitimate interests. You also always have the right to object to our use of your information for marketing purposes.

Right to non-discrimination.

If you exercise your privacy rights, we will never discriminate against you for making a request. Under the CCPA, we are legally obliged to not discriminate in response to requests.

Changes to this Privacy Notice.

This Privacy Notice was last updated on 5 June 2026.

Any changes we may make to the Privacy Notice will be posted on this page and, where appropriate, notified by email. Please check back frequently to see any updates or changes.

Contact.

Our Data Protection Team can be contacted using the following email address: dataprotectionprivacy@vikingcloudcertification.com or alternatively by writing to us on the 1st Floor Block 71A, The Plaza, Park West Business Park, Dublin 12, Ireland.

Questions, comments, and requests regarding the Privacy Notice are welcomed and should be sent to dataprotectionprivacy@vikingcloudcertification.com .

If you have any concerns about the ways in which we process your personal information, we encourage you to contact us. In many countries you also have a right to complain to the relevant supervisory authority. However, most regulators require that you contact us first so that we can address your concerns.

Please see below for details of the relevant regulators: