Effective Date: May 7, 2024
SecureAuth Corporation complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. SecureAuth Corporation has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. SecureAuth Corporation has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.
To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
We at SecureAuth Corporation (“SecureAuth”, “we”, “us”, “our”) care about protecting personal data. This Data Privacy Framework Statement (the “Statement”) tells you how we process the personal data we process on behalf of our customers while providing, implementing, and supporting our services.
Our services include identity and access management solutions (such as SecureAuth IdP or Arculix by SecureAuth), the provision of our consulting services, customer support (via Zendesk and Jira), and other systems that we use to assist our customers (collectively, the “Services”).
This Statement also describes how we handle personal data through the services available through these subdomains: downloads.secureauth.com, docs.secureauth.com, cloud.secureauth.com, community.secureauth.com, www.secureauth.com, and support.secureauth.com.
This Statement does not apply to personal data we collect by other means, such as personal data that we receive directly through our marketing website(s) or the personal data of our employees.
Our customers use our platform to process their own employees’, customers’, and vendors’ personal data. In that case, we act only as a service provider. In general, we only access such personal data if required by law, or if the customer asks us to in connection with customer support or account administration matters in relation to the Services.
SecureAuth acts as an agent, also known as a data processor, for the personal data we process for our customers while providing our Services. This means that the organization that entered into the contract governing use of the Services (the “Customer Agreement”) (our “Customer”) chooses the type of personal data they give us to process on their behalf. This organization may be your employer or someone else. We usually do not have a direct relationship with the people whose personal data we get from our Customers.
We receive personal data:
We process the following types of personal data:
We process your personal data for the following purposes:
We keep personal data for as long as our Customer instructs us to. We delete the personal data that our Customers give us within six (6) months after our agreement with the Customer ends.
We will not delete this personal data within the six-month period if the law says we have to keep it, the Customer asks us to keep it longer, or the information cannot be traced back to a specific person anymore and it is considered fully anonymized and consequently is no longer considered personal data.
Our service providers provide:
In the context of an onward transfer of your personal information, SecureAuth remains responsible for the processing of personal information we receive under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF Principles and which we subsequently transfer to a third party acting as an agent on our behalf. As required by law, SecureAuth remains liable under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF Principles if its agent processes such personal information in a manner inconsistent with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF Principles, unless another party is responsible for the event giving rise to the damage.
We also reserve the right to use, transfer, sell, and share aggregated, anonymous data for any legal business purpose. Such data does not include any personal data.
We may disclose your personal data if we sell or transfer all or some of our business interests, assets, or both, or in connection with a corporate restructuring.
We disclose your personal data if the law requires it, or if we think it is necessary for official investigations or legal proceedings. These proceedings may be started by government or law enforcement officials, or private parties.
If we must disclose your personal data to governmental or law enforcement officials, we may not be able to ensure that those officials will maintain the privacy and security of your personal data.
Cookies are small files that are stored on your device and contain information about your device. We use cookies to show ads, make our websites and Services work better, authenticate you, analyze how our websites and Services are used, remember your settings, and improve our websites and Services.
There are two types of cookies: session cookies and persistent cookies. We use both types of cookies. Session cookies are deleted when you close your browser. Persistent cookies stay on your device even after you close your browser, but they have an expiration date. Most of the cookies that our Services and websites place on your device are first-party cookies, which means that they are placed directly by us. Other parties, such as Google, may also place their own cookies through our Services. You can read the policies of these third parties to learn more about the way in which they collect and process information about you.
You can change your browser settings to reject all or some cookies if you prefer not to accept them. However, this may limit the features of the Services you can use. You can learn more about cookies and how to manage them by visiting https://www.aboutcookies.org/.
You can also set your browser to send a “Do Not Track” signal, but note that our Services are not set up to respond to “Do Not Track” signals from browsers. You can learn more about “Do Not Track” signals by visiting https://allaboutdnt.com/.
We have implemented and will maintain reasonably designed technical, administrative, and physical measures to protect personal information from unauthorized access, alteration, destruction, use, or disclosure.
Upon written request to SecureAuth, SecureAuth will provide individuals from the European Union, the United Kingdom, and Switzerland with reasonable access to personal information that SecureAuth holds about them, and will allow them to correct, amend, or delete such information if it is inaccurate or has been processed in violation of the Data Privacy Framework Principles, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the particular case, or where the rights of other individuals would be violated.
SecureAuth also enables individuals to opt out of the disclosure of their personal information to third parties or its use for purposes materially different from those for which it was originally collected or subsequently consented to by the individuals, in compliance with the Data Privacy Framework Principles.
When SecureAuth obtains Personal Data in its role as a Processor for its Customers, SecureAuth’s Customers are responsible for providing individuals with access to the Personal Data and the right to correct, amend or delete the information where it is inaccurate or has been processed in violation of the Data Privacy Framework Principles, as appropriate. In such circumstances, individuals should direct their questions to the appropriate SecureAuth Customer. When an individual is unable to contact the appropriate Customer, or does not obtain a response from the Customer, SecureAuth will provide reasonable assistance in forwarding the Consumer’s request to the Customer.
We have agreed to participate in the dispute resolution process provided by VeraSafe, the VeraSafe Data Privacy Framework Dispute Resolution Procedure (“Dispute Resolution”). This will be used if a complaint or dispute cannot be resolved through our internal procedures. As per the terms of the Dispute Resolution, VeraSafe will provide appropriate recourse free of charge to you. To file a complaint with VeraSafe and participate in the Dispute Resolution, please visit this link: https://www.verasafe.com/privacy-services/dispute-resolution/submit-dispute/ and submit the required information.
If your dispute or complaint cannot be resolved by us, nor through the dispute resolution program established by VeraSafe, you may have the right to require that we enter into binding arbitration with you pursuant to the Data Privacy Framework’s Recourse, Enforcement and Liability Principle and Annex I of the Data Privacy Framework.
SecureAuth is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
We may make changes to this Statement from time to time. If we make any material change to this Statement, we will let you know by posting the updated Statement to this web page and updating the “Effective Date” at the top of the Statement. You can find a summary of the most recent changes to this Statement at https://www.secureauth.com/updates-to-privacy-notices/.
If you have any questions or concerns about this Statement or how we process your personal data, please reach out to us. You can:
SecureAuth Corporation
49 Discovery Suite 220
Irvine CA 92618
Please allow up to four weeks for us to reply.