Data Privacy Framework Statement

Effective Date: March 22, 2024

  1. Data Privacy Framework

SecureAuth Corporation complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. SecureAuth Corporation has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. SecureAuth Corporation has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.

To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

  2. Introduction & What This Statement Covers

We at SecureAuth Corporation (“SecureAuth”, “we”, “us”, “our”) care about protecting personal data. This Data Privacy Framework Statement (the “Statement”) tells you how we process the personal data we process on behalf of our customers while providing, implementing, and supporting our services.

Our services include identity and access management solutions (such as SecureAuth IdP or Arculix by SecureAuth), the provision of our consulting services, customer support (via Zendesk and Jira), and other systems that we use to assist our customers (collectively, the “Services”).

This Statement also describes how we handle personal data through the services available through these subdomains: downloads.secureauth.com, docs.secureauth.com, cloud.secureauth.com, community.secureauth.com, www.secureauth.com, and support.secureauth.com.

This Statement does not apply to personal data we collect by other means, such as personal data that we receive directly through our marketing website(s) or the personal data of our employees.

Our customers use our platform to process their own employees’, customers’, and vendors’ personal data. In that case, we act only as a service provider. In general, we only access such personal data if required by law, or if the customer asks us to in connection with customer support or account administration matters in relation to the Services.

  3. Our Role with Respect to Personal Data

SecureAuth acts as an agent, also known as a data processor, for the personal data we process for our customers while providing our Services. This means that the organization that entered into the contract governing use of the Services (the “Customer Agreement”) (our “Customer”) chooses the type of personal data they give us to process on their behalf. This organization may be your employer or someone else. We usually do not have a direct relationship with the people whose personal data we get from our Customers.

  4. Why We Process Personal Data

We process personal data according to the instructions of our Customers.

  5. How We Obtain Personal Data

We receive personal data:

  • From our Customer and its representatives while providing the Services.
  • From providers of third-party services that integrate with our Services.
  • When the information is submitted to our websites.
  • When you participate in a focus group, contest, activity, or event, apply for a job, ask for support, interact with our social media, or otherwise communicate with us.

  6. What Personal Data We Process

We process the following types of personal data:

  • Biographical information: name.
  • Professional information: company/employer.
  • Contact information: email and phone number.
  • Account information: username, user ID, and password.
  • Usage information: Services metadata, log data, messages, and the date and time the Services are used.
  • Device information: device type, unique device identifier, operating system, settings, application ID, crash data, browser type and settings, and host address.
  • Location information: location from IP addresses.
  • Cookie information and similar tracking information.
  • Personal data received from other companies’ services.

  7. Our Purposes to Process Personal Data

We process your personal data for the following purposes:

  • To provide, update, maintain and protect our Services, websites, and business.
  • To follow the law, legal process, or regulation.
  • To communicate with you and respond to your requests, comments, and questions.
  • To develop and provide search, learning and productivity tools and additional features.
  • To send emails and other communications about the Services, including security and account-related communications and marketing communications.
  • To administer accounts and keep track of billing and payments.
  • To contact you regarding billing, account management, and other administrative matters, such as invoicing and payments tracking.
  • To investigate and help prevent security issues and abuse.
  • To provide application logs to Customer administrators for troubleshooting and monitoring of the applications.
  • To assist our Customers as they request.

  8. How Long We Keep Personal Data

We keep personal data for as long as our Customer instructs us to. We delete the personal data that our Customers give us within six (6) months after our agreement with the Customer ends.

We will not delete this personal data within the six-month period if the law says we have to keep it, the Customer asks us to keep it longer, or the information cannot be traced back to a specific person anymore and it is considered fully anonymized and consequently is no longer considered personal data.

  9. How We Share Personal Data

9.1. How We Share Personal Data with Other Companies

Our service providers provide:

  • Internet hosting services.
  • Customer service and support ticket management software.
  • Analytics services.
  • Video conferencing and screensharing software.
  • Cloud desktop management services.
  • Customer identity and engagement services.
  • Monitoring services.
  • Project management software.
  • Marketing software.
  • Telephone and web conferencing services.
  • Email, communications, and collaboration software.
  • CRM software.

In the context of an onward transfer of your personal information, SecureAuth remains responsible for the processing of personal information we receive under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF Principles and which we subsequently transfer to a third party acting as an agent on our behalf. As required by law, SecureAuth remains liable under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF Principles if its agent processes such personal information in a manner inconsistent with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF Principles, unless another party is responsible for the event giving rise to the damage.

We also reserve the right to use, transfer, sell, and share aggregated, anonymous data for any legal business purpose. Such data does not include any personal data.

We may disclose your personal data if we sell or transfer all or some of our business interests, assets, or both, or in connection with a corporate restructuring.

9.2. How We Share Personal Data with Law Enforcement

We disclose your personal data if the law requires it, or if we think it is necessary for official investigations or legal proceedings. These proceedings may be started by government or law enforcement officials, or private parties.

If we must disclose your personal data to governmental or law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your personal data.

  10. Cookies

Cookies are small files that are stored on your device and contain information about your device. We use cookies to show ads, make our websites and Services work better, authenticate you, analyze how our websites and Services are used, remember your settings, and improve our websites and Services.

There are two types of cookies: session cookies and persistent cookies. We use both types of cookies. Session cookies are deleted when you close your browser. Persistent cookies stay on your device even after you close your browser, but they have an expiration date. Most of the cookies that our Services and websites place on your device are first-party cookies, which means that they are placed directly by us. Other parties, such as Google, may also place their own cookies through our Services. You can read the policies of these third parties to learn more about the way in which they collect and process information about you.

You can change your browser settings to reject all or some cookies if you prefer not to accept them. However, this may limit the features of the Services you can use. You can learn more about cookies and how to manage them by visiting https://www.aboutcookies.org/.

You can also set your browser to send a “Do Not Track” signal, but note that our Services are not set up to respond to “Do Not Track” signals from browsers. You can learn more about “Do Not Track” signals by visiting https://allaboutdnt.com/.

  11. Data Integrity & Security

We have implemented and will maintain reasonably designed technical, administrative, and physical measures to protect personal information from unauthorized access, alteration, destruction, use, or disclosure.

  12. Your Privacy Rights

Upon written request to SecureAuth, SecureAuth will provide individuals from the European Union, the United Kingdom, and Switzerland with reasonable access to personal information that SecureAuth holds about them, and will allow them to correct, amend, or delete such information if it is inaccurate or has been processed in violation of the Data Privacy Framework Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the particular case, or where the rights of other individuals would be violated.

SecureAuth also enables individuals to opt out of the disclosure of their personal information to third parties or its use for purposes materially different from those for which it was originally collected or subsequently consented by the individuals, in compliance with the Data Privacy Framework Principles.

When SecureAuth obtains Personal Data in its role as a Processor for its Customers, SecureAuth’s Customers are responsible for providing individuals with access to the Personal Data and the right to correct, amend or delete the information where it is inaccurate or has been processed in violation of the Data Privacy Framework Principles, as appropriate. In such circumstances, individuals should direct their questions to the appropriate SecureAuth Customer. When an individual is unable to contact the appropriate Customer, or does not obtain a response from the Customer, SecureAuth will provide reasonable assistance in forwarding the Consumer’s request to the Customer.

  13. Resolving Disputes

13.1. VeraSafe Data Privacy Framework Dispute Resolution Procedure

We have agreed to participate in the dispute resolution process provided by VeraSafe, the VeraSafe Data Privacy Framework Dispute Resolution Procedure (“Dispute Resolution”). This will be used if a complaint or dispute cannot be resolved through our internal procedures. As per the terms of the Dispute Resolution, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the Dispute Resolution, please visit this link: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/ and submit the required information.

13.2. Binding Arbitration

If your dispute or complaint cannot be resolved by us, nor through the dispute resolution program established by VeraSafe, you may have the right to require that we enter into binding arbitration with you pursuant to the Data Privacy Framework’s Recourse, Enforcement and Liability Principle and Annex I of the Data Privacy Framework.

  14. U.S. Regulatory Oversight

SecureAuth is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

  15. Changes to this Statement

We may make changes to this Statement from time to time. If we make any material change to this Statement, we will let you know by posting the updated Statement to this web page and updating the “Effective Date” at the top of the Statement. You can find a summary of the most recent changes to this Statement at https://www.secureauth.com/updates-to-privacy-notices/.

  16. Contact Us

If you have any questions or concerns about this Statement or how we process your personal data, please reach out to us. You can:

  • Contact Karan Dua, our Data Privacy Officer, by email at privacy@secureauth.com,
  • Call us on 1-866-859-1526, or
  • Reach us by postal mail at:

SecureAuth Corporation

49 Discovery Suite 220

Irvine CA 92618

U.S.

Please allow up to four weeks for us to reply.
