Revised: January 2023
This policy applies to Venafi machine identity management software and services that are accessed over the Internet. Below is a description of the personally identifiable information (“personal data”) that Venafi, Inc. and its group companies (“Venafi”) process on behalf of Venafi customers who use cloud services. This policy also explains how personal data is used and shared, and addresses legal requirements, including GDPR and CCPA.
Categories of Personal Data
Venafi cloud services collect only the following categories of personal data: user names, user emails, contact information, and IP addresses. Venafi is a “data processor” of this information as defined in the European Union’s General Data Protection Regulation (“GDPR”), which is further explained below in the section entitled “GDPR Information.”
Purpose of Processing Personal Data
Venafi processes data for the purpose of providing machine identity management services over the internet to Venafi customers. This includes personal data in the following contexts: (1) processing of user emails and contact information to allow users to log in and receive product notifications, communications and support; (2) processing of user IP addresses to review product issues and develop and deliver product improvements; and (3) processing of user emails and IP addresses to deliver customized communications about services and confirm contractual license usage.
Limited Access to and Use of Personal Data
Venafi processes the above personal data as authorized by customers of its business-to-business service offerings. Venafi cloud services do not access or process other personally identifiable data that may reside in users’ systems or servers, such as personal data belonging to the customers of users’ organizations. Venafi and its cloud services do not collect or request sensitive personal data, like health or demographic information, from anyone, nor does Venafi sell or transfer product users’ personally identifiable information to third parties for the purpose of delivering advertising.
Sharing of Personal Data
Venafi Cookie Use
Cookies are a standard feature of websites and web applications that allow Venafi or authorized partners to store small amounts of data about visitors to a website or service. Some cookies allow SaaS applications to maintain users’ login state and customized settings. Other cookies help Venafi deliver better service, for example by tracking user paths anonymously through an application in order to learn which areas of a SaaS application are useful and which areas may need improvement. Users can choose to accept cookies by adjusting their browser settings. However, disabling cookies means Venafi products and services may be diminished because some features may not work.
How Long Venafi Processes Personal Data
Venafi will process data of its users until doing so is no longer needed to provide services or until a customer directs that data be permanently deleted, such as after the termination of a subscription. Venafi will follow its retention policies and the instructions of its customers regarding data handling after the termination of a subscription, and will only retain personal data for longer than this if it is necessary to do so to comply with audit or legal requirements, after which point Venafi will destroy the data. If a user’s company is no longer subscribed to Venafi services, Venafi may still retain contact information for users if they previously opted in to receive Venafi marketing or sales communications and have not opted out.
Venafi uses technical, operational, and organizational measures to protect sensitive data (whether personally identifiable or not) and detect security threats. These measures include:
- Secure access controls, and other processes to support secure delivery of solutions.
- Encryption technologies to protect high value or sensitive data in transit (on the system edges currently) and at rest.
- Operational procedures for managing security incidents.
- Vulnerability scanning to uncover security vulnerabilities and prioritize them for remediation.
- Independent third-party penetration testing of the environment.
- Periodic backup of critical databases.
Venafi Inc., the data processor for Venafi cloud services, is located at 175 E. 400 South, Suite 300, Salt Lake City, Utah 84111 USA. Venafi processes data on behalf of its customers to fulfill its cloud service agreements, and this includes personal information where there is a need to use that information to deliver, analyze, or improve service, provide product support, and enable relevant product communications.
International Data Transfers
Exercising Privacy Rights (EU, UK, California)
For users in some regions, the law gives you rights over your personal information, such as the right in some circumstances to raise an objection or request deletion of your data. Users of Venafi services who wish to exercise individual privacy rights should direct the request to their employer, Venafi’s customer. Anyone who believes an individual request is appropriately directed at Venafi should email email@example.com, but Venafi will refer the request to the customer when required.
Other Applicable Policies
To ask questions about this policy, please email firstname.lastname@example.org. If you have a security question or wish to disclose a potential security vulnerability, please follow the process outlined here: https://www.venafi.com/security.