Data Privacy Policy for Cloud Services
Data Privacy Policy for Cloud Services
Revised: January 2023
This policy applies to Venafi machine identity management software and services that are accessed over the Internet. Below is a description of the personally identifiable information (“personal data”) that Venafi, Inc. and its group companies (“Venafi”) process on behalf of Venafi customers who use cloud services. This policy also explains how personal data is used and shared, and addresses legal requirements, including GDPR and CCPA.
Categories of Personal Data
Venafi cloud services collect only the following categories of personal data: user names, users emails, contact information, and IP addresses. Venafi is a “data processor” of this information as defined in the European Union’s General Data Protection Regulation (“GDPR”), which is further explained below in the section entitled “GDPR Information.”
Purpose of Processing Personal Data
Venafi processes data for the purpose of providing machine identity management services over the internet to Venafi customers. This includes personal data in the following contexts: (1) processing of user emails and contact information to allow users to log in and receive product notifications, communications and support; (2) processing of user IP addresses, to review product issues and develop and deliver product improvements, and (3) processing of user emails and IP addresses, to deliver customized communications about services and confirm contractual license usage.
Limited Access to and Use of Personal Data
Venafi processes the above personal data as authorized by customers of its business-to-business service offerings. Venafi cloud services do not access or process other personally identifiable data that may reside in users’ systems or servers, such as personal data belonging to the customers of users’ organizations. Venafi and its cloud services do not collect or request sensitive personal data, like health or demographic information, from anyone, nor does Venafi sell or transfer product users’ personally identifiable information to third parties for the purpose of delivering advertising.
Sharing of Personal Data
Venafi may share personal data between its group companies and with third-party service providers working to fulfil purposes described in this Privacy Policy or in an applicable service agreement or terms of use. Venafi transfers personal data to fulfill its service agreements with customers and where there is a legitimate purpose to do so in order to facilitate product support, product testing and security, product enhancements, or delivery of relevant product communications. When applicable, data transfers are subject to regional privacy laws, as described below under “GDPR Information” and “CCPA Information.”
Venafi Cookie Use
Cookies are a standard feature of websites and web applications that allow Venafi or authorized partners to store small amounts of data about visitors to a website or service. Some cookies allow SaaS applications to maintain users’ login state and customized settings. Other cookies help Venafi deliver better service, for example by tracking user paths anonymously through an application in order to learn which areas of a SaaS application are useful and which areas may need improvement. Users can choose to accept cookies by adjusting their browser settings. However, disabling cookies means Venafi products and services may be diminished because some features may not work.
How Long Venafi Processes Personal Data
Venafi will process data of its users until doing so is no longer needed to provide services or until a customer directs that data be permanently deleted, such as after the termination of a subscription. Venafi will follow its retention policies and the instructions of its customers regarding data handling after the termination of a subscription, and will only retain personal data for longer than this if it is necessary to do so to comply with audit or legal requirements, after which point Venafi will destroy the data. If a user’s company is no longer subscribed to Venafi services, Venafi may still retain contact information for users if they previously opted in to receive Venafi marketing or sales communications and have not opted out.
Data Security
Venafi uses technical, operational, and organizational measures to protect sensitive data (whether personally identifiable or not) and detect security threats. These measures include:
- Secure access controls, and other processes to support secure delivery of solutions.
- Encryption technologies to protect high value or sensitive data in transit (on the system edges currently) and at rest.
- Operational procedures for managing security incidents.
- Vulnerability scanning to uncover security vulnerabilities and prioritizing those for remediation.
- Independent third-party penetration testing of the environment.
- Periodic backup of critical databases.
GDPR Information
Venafi Inc., the data processor for Venafi cloud services, is located at 175 E. 400 South, Suite 300, Salt Lake City, Utah 84111 USA. Venafi processes data on behalf of its customers to fulfill its cloud service agreements, and this includes personal information where there is a need to use that information to deliver, analyze, or improve service, provide product support, and enable relevant product communications.
International Data Transfers
Venafi may transfer, access, or store users’ personal data outside the country where it originated or is hosted when the transfer is made for purposes disclosed in this Privacy Policy or authorized in an applicable service agreement or terms of use. For users who reside in countries with legal protections for data transfers, this means that Venafi may process users’ personal data outside the European Union (EU), European Economic Area (EEA), United Kingdom (UK), or other country with legal protections for data transfers.
If transferring the personal data of EU, EEA, or UK data subjects from a region with a higher level of privacy protection to a region with a lower level of privacy protection, Venafi will work with its customers to ensure that the data is treated securely and in accordance with this Privacy Policy and the General Data Protection Regulation (GDPR). For example, Venafi will rely on GDPR-approved data transfer mechanisms—such as contractual agreements including data protection safeguards—unless an exception applies.
CCPA Information
Venafi does not sell product users’ personally identifiable information or share it with third party advertisers. While Venafi may share data with service providers for the purposes described in this Privacy Policy, third parties are not permitted to use such data for their own purposes or purposes not described in this Privacy Policy.
Exercising Privacy Rights (EU, UK, California)
For users in some regions, the law gives you rights over your personal information, such as the right in some circumstances to raise an objection or request deletion of your data. Users of Venafi services who wish to exercise individual privacy rights should direct the request to their employer, Venafi’s customer. Anyone who believes an individual request is appropriately directed at Venafi should email privacy@venafi.com, but Venafi will refer the request to the customer when required.
Other Applicable Policies
This Privacy Policy applies to data collection through Venafi cloud services. When website visitors interact with Venafi or Venafi websites, forums, or events in other ways, Venafi may collect additional non-sensitive personal data from them, such as contact information and technical identifiers. The collection of such information is governed by Venafi’s company privacy policy, https://www.venafi.com/privacy.
Contact Venafi
To ask questions about this policy, please email privacy@venafi.com. If you have a security question or wish to disclose a potential security vulnerability, please follow the process outlined here: https://www.venafi.com/security.