Privacy Shield Privacy Notice
Effective Date: January 31, 2023
1. Introduction & What This Notice Covers
We at SecureAuth Corporation (“SecureAuth”, “we”, “us”, “our”) care about protecting personal data. This Privacy Shield Privacy Notice (the “Notice”) tells you how we process the personal data we process on behalf of our customers while providing, implementing, and supporting our services.
Our services include identity and access management solutions (such as SecureAuth IdP), the provision of our consulting services, customer support (via Zendesk and Jira), and other systems that we use to assist our customers, (collectively, the “Services”).
This Notice also describes how we handle personal data through the services available through these subdomains: downloads.secureauth.com, docs.secureauth.com, cloud.secureauth.com, community.secureauth.com, www.secureauth.com, and support.secureauth.com.
This Notice does not apply to personal data we collect by other means, such as personal data that we receive directly through our marketing website(s) or the personal data of our employees.
Our customers use our platform to process their own employees’, customers’, and vendors’ personal data. In that case, we act only as a service provider. In general, we only access such personal data if required by law, or if the customer asks us to in connection with customer support or account administration matters in relation to the Services.
2. Our Role with Respect to Personal Data
SecureAuth acts as an agent, also known as a data processor, for the personal data we process for our customers while providing our Services. This means that the organization that entered into the contract governing use of the Services (the “Customer Agreement”) (our “Customer”) chooses the type of personal data they give us to process on their behalf. This organization may be your employer or someone else. We usually do not have a direct relationship with the people whose personal data we get from our Customers.
3. Why We Process Personal Data
We process personal data according to the instructions of our Customers.
4. How We Obtain Personal Data
We receive personal data:
- From our Customer and its representatives while providing the Services.
- From providers of third-party services that integrate with our Services
- When the information is submitted to our websites.
- When you participate in a focus group, contest, activity, or event, apply for a job, ask for support, interact with our social media, or otherwise communicate with us.
5. What Personal Data We Process
We process the following types of personal data:
- Biographical information: name.
- Professional information: company/employer.
- Contact information: email and phone number.
- Account information: username, user ID, and password.
- Usage information: Services metadata, log data, messages, and the date and time the Services are used.
- Device information: device type, unique device identifier, operating system, settings, application ID, crash data, browser type and settings, and host address.
- Location information: location from IP addresses.
- Cookie information and similar tracking information.
- Personal data received from other companies’ services.
6. Our Purposes to Process Personal Data
We process your personal data for the following purposes:
- To provide, update, maintain and protect our Services, websites, and business.
- To follow the law, legal process, or regulation.
- To communicate with you and respond to your requests, comments, and questions.
- To develop and provide search, learning and productivity tools and additional features.
- To send emails and other communications about the Services, including security and account-related communications and marketing communications.
- To administer accounts and keep track of billing and payments.
- To contact you regarding billing, account management, and other administrative matters, such as invoicing and payments tracking.
- To investigate and help prevent security issues and abuse.
- To provide application logs to Customer administrators for troubleshooting and monitoring of the applications.
- To assist our Customers as they request.
7. How Long We Keep Personal Data
We keep personal data for as long as instructed as our Customer tells us to. We delete the personal data that our Customers give us within six (6) months after our agreement with the Customer ends.
We will not delete this personal data within the six-month period if the law says we have to keep it, the Customer asks us to keep it longer, or the information cannot be traced back to a specific person anymore and it is considered fully anonymized and consequently is no longer considered personal data.
8. How We Share Personal Data
8.1. How We Share Personal Data with Other Companies
We share personal data with our affiliates, business partners, and service providers, who process personal data on our behalf. These third parties must agree to use the personal data only to help us in providing our Services or if the law says they have to.
Our service providers provide:
- Internet hosting services.
- Customer service and support ticket management software.
- Analytics services.
- Video conferencing and screensharing software.
- Cloud desktop management services.
- Customer identity and engagement services.
- Monitoring services.
- Project management software.
- Marketing software.
- Telephone and web conferencing services.
- Email, communications, and collaboration software.
- CRM software.
Some of these third parties may be located outside of the United States. However, we require the third party to protect your personal data as well as we do. Sharing your personal data with these third parties does not change our responsibility to protect your personal data within the scope of our Privacy Shield certification. However, we will not be liable if we are not responsible for any unauthorized or improper processing, and we will only be liable to the extent that we are responsible for any unauthorized or improper processing.
We also reserve the right to use, transfer, sell, and share aggregated, anonymous data for any legal business purpose. Such data does not include any personal data.
We may disclose your personal data if we sell or transfer all or some of our business interests, assets, or both, or in connection with a corporate restructuring. Finally, we may disclose your personal data to our subsidiaries or affiliates, but only if necessary for business purposes.
8.2. How We Share Personal Data with Law Enforcement
We disclose your personal data if the law requires it, or if we think it is necessary for official investigations or legal proceedings. These proceedings may be started by government or law enforcement officials, or private parties.
If we must disclose your personal data to governmental or law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your personal data.
There are two types of cookies: session cookies and persistent cookies. We use both types of cookies. Session cookies are deleted when you close your browser. Persistent cookies stay on your device even after you close your browser, but they have an expiration date. Most of the cookies that our Services and websites place on your device are first-party cookies, which means that they are placed directly by us. Other parties, such as Google, may also place their own cookies through our Services. You can read the policies of these third parties to learn more about the way in which they collect and process information about you.
You can change your browser settings to reject all or some cookies if you prefer not to accept them. However, this may limit the features of the Services you can use. You can learn more about cookies and how to manage them by visiting https://www.aboutcookies.org/.
You can also set your browser to send a “Do Not Track” signal but note that our Services are not set up to respond to “Do Not Track” signals from browsers. You can learn more about “Do Not Track” signals by visiting https://allaboutdnt.com/.
10. Data Integrity & Security
We have implemented and will maintain reasonably designed technical, administrative, and physical measures to protect personal information from unauthorized access, alteration, destruction, use, or disclosure.
11. Your Privacy Rights: Access & Review
If we process your personal data, you may have the right to request access to, update, correct, or delete it.
If we received your personal data in reliance on the Privacy Shield (as defined below):
- You may have the right to opt out of our disclosure of your personal data with third parties and to revoke your consent to our disclosure your personal data with third parties.
- You may have the right to opt out of your personal data being used for any purpose that is materially different from the purpose(s) for which the personal data was originally collected or which you subsequently authorized.
If you want to access or review your personal data, you should contact the SecureAuth Customer who provided your personal data to us directly. SecureAuth does not have full rights to access all the personal data our customers provide us. So, if you decide to contact us instead of our Customer, please provide the name of the SecureAuth customer when you contact us, and we will forward your request to them and assist them as they respond to your request.
12. Privacy Shield Frameworks
SecureAuth complies with the principles of the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework (the “Privacy Shield”), set forth by the U.S. Department of Commerce when processing of personal data from the European Economic Area, the United Kingdom, or Switzerland, or otherwise received in reliance on the Privacy Shield.
We pledge to continue to follow the Privacy Shield Principles and have certified our adherence to the Department of Commerce. We also certify that we will continue to adhere to the Privacy Shield Principles regarding personal data received in reliance on Privacy Shield.
SecureAuth does not currently use the Privacy Shield as its data transfer mechanism from the European Economic Area, the United Kingdom and Switzerland and uses the EU 2021 Standard Contractual Clauses as its primary data transfer mechanism for personal data governed by the EU GDPR, the UK GDPR and the Swiss data protection laws.
To find out more about Privacy Shield and see our certification, please visit https://www.privacyshield.gov and https://www.privacyshield.gov/participant?id=a2zt0000000GwMaAAK&status=Active, respectively.
13. VeraSafe Privacy Program
SecureAuth is a member of the VeraSafe Privacy Program. This means that an independent company, VeraSafe, has evaluated our data governance and security regarding personal data processed within the scope of this Notice for compliance with the VeraSafe Privacy Program Certification Criteria. The criteria require us to maintain high standards for data privacy, as well as specific best practices for notice, onward transfers, choice, access, data security, data quality, recourse, and enforcement.
14. Resolving Disputes
14.1. VeraSafe Privacy Shield Dispute Resolution Procedure
We have agreed to participate in the dispute resolution process provided by VeraSafe, the VeraSafe Privacy Shield Dispute Resolution Procedure (“Dispute Resolution”). This will be used if a complaint or dispute cannot be resolved through our internal procedures. As per the terms of the Dispute Resolution, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the Dispute Resolution, please visit this link: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/ and submit the required information.
14.2. Binding Arbitration
If you have a complaint or dispute about how we handle your personal data, we will try to resolve it through our internal processes. If we can’t resolve it and it cannot be resolved through the Dispute Resolution established by VeraSafe, you may have the right to take further action.
One option you may have would be requesting binding arbitration under the Privacy Shield Framework. This means that you can ask a neutral third party to review and make a decision on your complaint. To do this, you must follow the process outlined in the Privacy Shield Framework under the “Recourse, Enforcement and Liability Principle” and Annex I of the Privacy Shield.
15. U.S. Regulatory Oversight
SecureAuth is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
16. Changes to this Notice
We may make changes to this Notice from time to time. If we make any material change to this Notice, we will let you know by posting the updated Notice to this web page and updating the “Effective Date” at the top of the Notice. You can find a summary of the most recent changes to this Notice at https://www.secureauth.com/updates-to-privacy-notices/.
17. Contact Us
If you have any questions or concerns about this Notice or how we process your personal data, please reach out to us. You can:
- Contact Paul Kincaid, our VP, Information/Product Security & DevOps, by email at email@example.com
- Call us on 1-866-859-1526, or
- Reach us by postal mail at:
38 Discovery, Suite 100
Irvine, CA 92618
We will do our best to respond to you within a month.