Data Privacy Policy for Cloud Services
Revised: December 2022
This policy applies to Venafi machine identity management software and services that are accessed over the Internet. Below is a description of the personally identifiable information that Venafi, Inc. and its group companies (“Venafi”) and Venafi service providers collect from users (“users” or “customers”) through cloud services. This policy also addresses legal requirements and where to direct requests to modify or delete personal information.
Personal Data Venafi Collects and Purpose of Collection
When providing machine identity management services that are accessed over the Internet, Venafi may collect and process the following limited categories of personally identifiable user data: user names and credentials, email addresses, other contact information, and IP addresses. This user data is processed for the following purposes: (i) to allow SaaS users to log into Venafi services and receive product notifications, communications and technical support; (ii) to provide service, and enable fulfillment of contractual or license obligations between Venafi, users, and their organizations; (iii) for product analytics purposes to improve product navigation and performance; and (iv) to verify license compliance.
Limited Access to and Use of Personal Data
Venafi limits the amount of personally identifiable data collected during the use of cloud services to the user data described above. Venafi cloud services do not access or process personally identifiable data that may reside in users’ systems or servers, such as personal data belonging to the customers of users’ organizations. Venafi and its cloud services do not collect or request sensitive personal data, like health or financial information, from any users of its products or services, nor does Venafi sell or transfer product users’ personally identifiable information to third parties for the purpose of delivering advertising.
Sharing of Personal Data
Venafi may share personal data between its group companies and with third-party service providers working to fulfil purposes described in this Privacy Policy or in an applicable service agreement or terms of use. Venafi shares users’ personal data with their consent or when there is a legitimate business purpose to do so, such as when sharing is necessary to fulfill a service agreement or provide service. Data transfers within group companies or to service providers are subject to applicable regional privacy laws, as described below in the sections titled “GDPR Information” and “CCPA Information.”
Venafi Cookie Use
Cookies are a standard feature of websites and web applications that allow Venafi or authorized partners to store small amounts of data about visitors to a website or service. Some cookies allow SaaS applications to maintain users’ login state and customized settings. Other cookies help Venafi deliver better service, for example by tracking user paths anonymously through an application in order to learn which areas of a SaaS application are useful and which areas may need improvement. Users can choose to accept cookies by adjusting their browser settings. However, disabling cookies means Venafi products and services may be diminished because some features may not work.
How Long Venafi Stores Personal Data
Venafi will store personal data of users for as long as it is necessary for Venafi’s provision of service and the fulfillment of contractual, license, or legal obligations. If a user or user’s organization terminates their subscription or closes their account, Venafi may retain personally identifiable information beyond the subscription term if it is necessary to do so to comply with audit or legal requirements, after which point Venafi will delete the data. Venafi may also retain personally identifiable information for users who previously opted in to receive Venafi marketing or sales communications and have not opted out, and will retain that information unless and until the user opts out.
Security of Personal Data
Venafi uses technical, operational, and organizational measures to protect sensitive data (whether personally identifiable or not) and detect security threats. These measures include:
- Secure access controls, and other processes to support secure delivery of solutions.
- Encryption technologies to protect high value or sensitive data in transit (on the system edges currently) and at rest.
- Operational procedures for managing security incidents.
- Vulnerability scanning to uncover security vulnerabilities and prioritizing those for remediation.
- Independent third-party penetration testing of the environment.
- Periodic backup of critical databases.
GDPR Information
Legal Basis for Data Processing
Venafi Inc. is the data controller of personal data collected under this Privacy Policy and is located at 175 E. 400 South, Suite 300, Salt Lake City, Utah 84111 USA. As described in this Privacy Policy, Venafi cloud services collect personal information that is provided when users sign up for, log into, or use the service. Venafi collects, processes, or transfers such personal information where it has a legal basis to do so, including when: (i) users directly provide the information to Venafi, (ii) users provide consent for Venafi to collect information (informed by this Privacy Policy); (iii) the information is needed to carry out legitimate contractual or business obligations; or (iv) collecting information is based on Venafi’s legitimate interests and not outweighed by users’ fundamental rights.
International Data Transfers
Venafi may transfer, access, or store users’ personal data outside the country where it originated or is hosted when there is a legal basis to do so, and the transfer is made for one of the purposes disclosed in this Privacy Policy or in an applicable service agreement or terms of use. For users who reside in countries with legal protections for data transfers, this means that Venafi may collect, transfer, access, or store users’ personal data outside the European Union (EU), European Economic Area (EEA), United Kingdom (UK), or other country with legal protections for data transfers. The purposes of making such a transfer include: delivering service, fulfilling contract and license requirements, processing contact details, providing product analytics and updates, verifying license compliance, and providing product support.
If transferring the personal data of EU, EEA, or UK data subjects from a region with a higher level of privacy protection to a region with a lower level of privacy protection, Venafi will ensure that the data is treated securely and in accordance with this Privacy Policy and the General Data Protection Regulation (GDPR). For example, Venafi will use GDPR-approved data transfer mechanisms—such as contractual agreements including data protection safeguards—unless an exception applies. For any user who does not consent to transfer of personal data, please email privacy@venafi.com.
CCPA Information
For purposes of the California Privacy Rights Act (CCPA), please note that Venafi does not sell product users’ personally identifiable information or share any personal data collected from its cloud services with third party advertisers. While Venafi may share data between its group companies and with third-party service providers for the purposes described in this Privacy Policy, third parties are not permitted to use such data for their own purposes or purposes not described in this Privacy Policy.
Exercising Privacy Rights (EU, UK, California)
For users in some regions, the law gives you rights over your personal information, such as the right in some circumstances to request deletion of information. For information about EU GDPR rights visit: https://gdpr-info.eu/ and review Chapter 3. For information about UK rights visit: https://ico.org.uk/global/privacy-notice/your-data-protection-rights/. For information about California rights, visit: https://oag.ca.gov/privacy/ccpa. Anyone who wishes to exercise any of their privacy rights should email privacy@venafi.com.
Other Applicable Policies
This Privacy Policy applies to data collection through Venafi cloud services. When a Venafi customer interacts with other Venafi.com websites or communicates with Venafi about the purchase, licensing, or use of Venafi products or services, Venafi may collect additional personal data or contact information to fulfill its business obligations and legitimate interests. The collection of such information is governed by Venafi’s company privacy policy, available at https://www.venafi.com/privacy.
Contact Venafi
To exercise privacy rights, or ask questions about this policy, please email privacy@venafi.com. If you have a security question or wish to disclose a potential security vulnerability, please follow the process outlined here: https://www.venafi.com/security.