SecureAuth Privacy Shield Privacy Notice

Effective on: January 6, 2020

Introduction and Scope

The SecureAuth Corporation (“SecureAuth”, “we”, “us”, “our”) takes the protection of personally identifiable information (“Personal Data”) very seriously. This Privacy Policy (the “Policy”) addresses data subjects whose Personal Data we may receive from our customers in the course of providing, implementing, and supporting our identity and access management solutions (the “Products”) (collectively, the “Services”).

This Policy does not apply to Personal Data we collect by other means, such as Personal Data that we receive directly through our marketing website(s) or the Personal Data of our employees. In addition, our customers use our platform to process their own employees’, customers’, and vendors’ Personal Data. In that case, we act only as a service provider. In general, we will only access such Personal Data at our customer’s request in connection with customer support or account administration matters. We will only do this to provide the services that our customer has directed us to provide, or if we are required by law.

Controllership

SecureAuth acts as an agent, also known as a data processor, for the Personal Data we process for our customers when providing our Services. This means that the organization (e.g., your employer or another entity or person) that entered into the contract governing use of the Services (the “Customer Agreement”) (our “Customer”) determines the type of Personal Data they provide for us to process on their behalf. We typically have no direct relationship with the individuals whose Personal Data we receive from our Customers.

Basis of Processing

Within the scope of this Policy, we process Personal Data based on the instructions of our Customers.

How We Receive Personal Data

We receive your Personal Data from our Customer (including from the employees, contractors, and other representatives of our Customer) in the course of providing the Services.

Categories of Personal Data

We may process the following types of Personal Data:

  • biographical information, such as first and last name;
  • contact information, such as email address, mobile device ID, and mobile phone number; and
  • account information, such as username.

Purposes of Processing

We may process your Personal Data for the purposes of:

  • enabling the use of the Services;
  • providing application logs to Customer administrators for their troubleshooting and monitoring of the applications;
  • assisting our Customers per their request; and
  • responding to requests or questions.

Data Retention

We retain Personal Data for only as long as instructed by the respective Customer (who typically acts as a data controller). We delete the Personal Data submitted to us by you or our Customers within six months of the end of our service agreement with the Customer, unless applicable laws require otherwise, the Customer requests a different retention period, or the Personal Data has been fully anonymized and, thus, is no longer considered Personal Data.

Sharing Personal Data with Third Parties

We may share Personal Data with our subsidiaries, affiliates, and business partners, as well as with our service providers, who process Personal Data on our behalf, and who agree to use the Personal Data only to assist us in providing our Services or as required by law. Our service providers may provide:

  • Internet hosting services;
  • support ticket management software;
  • project tracking;
  • analytics services;
  • video conferencing and screensharing software;
  • cloud desktop management services;
  • customer identity and engagement services;
  • monitoring services;
  • phone system and web conferencing services;
  • email and communications software; and
  • CRM software.

Some of these third parties may be located outside of the United States. However, we will require the third party to maintain at least the same level of privacy and security for your Personal Data that we do. We remain liable for the protection of your Personal Data within the scope of our Privacy Shield certification that we transfer to third party service providers, except to the extent that we are not responsible for the event that leads to any unauthorized or improper processing.

Other Disclosure of Your Personal Data

We may disclose your Personal Data to the extent required by law, or if we have a good-faith belief that we need to disclose it in order to comply with official investigations or legal proceedings (whether initiated by governmental/law enforcement officials, or private parties). We may also disclose your Personal Data if we sell or transfer all or some of our company’s business interests, assets, or both, or in connection with a corporate restructuring. Finally, we may disclose your Personal Data to our subsidiaries or affiliates, but only if necessary for business purposes, as described in the section above.

We reserve the right to use, transfer, sell, and share aggregated, anonymous data for any legal business purpose. Such data does not include any Personal Data.

If we have to disclose your Personal Data to governmental/law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your Personal Data.

Cookies

A “cookie” is a small file stored on your device that contains information about your device. We may use cookies to provide basic relevant ads, website functionality, authentication (session management), and usage analytics (web analytics), to remember your settings, and generally to improve our websites and Services.

We use session and persistent cookies. Session cookies are deleted when you close your browser. Persistent cookies may remain even after you close your browser, but always have an expiration date. Most of the cookies placed on your device through our Services are first-party cookies, since they are placed directly by us. Other parties, such as Google, may also set their own (third-party) cookies through our Services. Please refer to the policies of these third parties to learn more about the way in which they collect and process information about you.

If you would prefer not to accept cookies, you can change the setup of your browser to reject all or some cookies. Note, if you reject certain cookies, you may not be able to use all of our Services’ features. For more information, please visit https://www.aboutcookies.org/.

You may also set your browser to send a Do Not Track (DNT) signal. For more information, please visit https://allaboutdnt.com/. Please note that our Services do not have the capability to respond to “Do Not Track” signals received from web browsers.

Data Integrity & Security

We have implemented and will maintain technical, administrative, and physical measures that are reasonably designed to help protect Personal Data from unauthorized processing. This includes unauthorized access, disclosure, alteration, or destruction.

Access & Review

If we process your Personal Data, you may have the right to request access to (or to update, correct, or delete) such Personal Data.

If we have received your Personal Data in reliance on the Privacy Shield (as defined below), you may also have the right to opt out of our sharing your Personal Data with third parties and to revoke your consent to our sharing your Personal Data with third parties. You may also have the right to opt out of your Personal Data being used for any purpose that is materially different from the purpose(s) for which it was originally collected or for which you subsequently authorized. Such requests should be sent directly to the SecureAuth Customer who provided your Personal Data to us. SecureAuth has limited rights to access Personal Data our Customers submit to us. Therefore, if you contact us with such a request, please provide the name of the SecureAuth Customer who submitted your Personal Data to us. We will forward your request to the Customer and provide any needed assistance as they respond to your request.

EU-U.S. and Swiss-U.S. Privacy Shield Frameworks

For Personal Data processed in the scope of this Policy, SecureAuth complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework (the “Privacy Shield”), as adopted and set forth by the U.S. Department of Commerce regarding the processing of Personal Data transferred from the European Union, the European Economic Area, the United Kingdom, or Switzerland to the United States, or otherwise received in reliance on the Privacy Shield. We commit to adhere to the Privacy Shield Principles and have certified our adherence to the Department of Commerce.

To learn more about the Privacy Shield, and to view the SecureAuth Corporation’s certification, please visit https://www.privacyshield.gov and https://www.privacyshield.gov/list, respectively.

VeraSafe Privacy Program

SecureAuth is a member of the VeraSafe Privacy Program. This means that VeraSafe has assessed our data governance and data security (regarding Personal Data processed within the scope of this Privacy Policy) for compliance with the VeraSafe Privacy Program Certification Criteria. The certification criteria require that participants maintain a high standard for data privacy. Participants must also implement specific best practices regarding notice, onward transfer, choice, access, data security, data quality, recourse, and enforcement.

Dispute Resolution

Where a privacy complaint or dispute cannot be resolved through our internal processes, we have agreed to participate in the VeraSafe Privacy Shield Dispute Resolution Procedure. Subject to the terms of the VeraSafe Privacy Shield Dispute Resolution Procedure, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the VeraSafe Privacy Shield Dispute Resolution Procedure, please submit the required information here: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/

Binding Arbitration

If your dispute or complaint can’t be resolved by us, nor through the dispute resolution program established by VeraSafe, you may have the right to require that we enter into binding arbitration with you under the Privacy Shield’s “Recourse, Enforcement and Liability Principle” and Annex I of the Privacy Shield.

U.S. Regulatory Oversight

SecureAuth is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

Changes to this Policy

If we make any material change to this Policy, we will post the revised Policy to this web page. We will also update the “Effective” date.

Contact Us

If you have any questions about this Policy or our processing of your Personal Data, please write to us by email at privacy@secureauth.com or by postal mail at:

SecureAuth Corporation
8845 Irvine Center Dr
Irvine, CA 92618
USA

Please allow up to four weeks for us to reply.
