Revised: December 2022
This policy applies to Venafi machine identity management software and services that are accessed over the Internet. Below is a description of the personally identifiable information that Venafi, Inc. and its group companies (“Venafi”) and Venafi service providers collect from users (“users” or “customers”) through cloud services. This policy also addresses legal requirements and where to direct requests to modify or delete personal information.
Personal Data Venafi Collects and Purpose of Collection
When providing machine identity management services that are accessed over the Internet, Venafi may collect and process the following limited categories of personally identifiable user data: user names and credentials, email addresses, other contact information, and IP addresses. This user data is processed for the following purposes: (i) to allow SaaS users to log into Venafi services and receive product notifications, communications and technical support; (ii) to provide service, and enable fulfillment of contractual or license obligations between Venafi, users, and their organizations; (iii) for product analytics purposes to improve product navigation and performance; and (iv) to verify license compliance.
Limited Access to and Use of Personal Data
Venafi limits the amount of personally identifiable data collected during the use of cloud services to the user data described above. Venafi cloud services do not access or process personally identifiable data that may reside in users’ systems or servers, such as personal data belonging to the customers of users’ organizations. Venafi and its cloud services do not collect or request sensitive personal data, like health or financial information, from any users of its products or services, nor does Venafi sell or transfer product users’ personally identifiable information to third parties for the purpose of delivering advertising.
Sharing of Personal Data
Venafi Cookie Use
Cookies are a standard feature of websites and web applications that allow Venafi or authorized partners to store small amounts of data about visitors to a website or service. Some cookies allow SaaS applications to maintain users’ login state and customized settings. Other cookies help Venafi deliver better service, for example by tracking user paths anonymously through an application in order to learn which areas of a SaaS application are useful and which areas may need improvement. Users can choose whether to accept cookies by adjusting their browser settings. However, disabling cookies may diminish Venafi products and services because some features may not work.
How Long Venafi Stores Personal Data
Venafi will store personal data of users for as long as it is necessary for Venafi’s provision of service and the fulfillment of contractual, license, or legal obligations. If a user or user’s organization terminates their subscription or closes their account, Venafi may retain personally identifiable information beyond the subscription term if it is necessary to do so to comply with audit or legal requirements, after which point Venafi will delete the data. Venafi may also retain personally identifiable information for users who previously opted in to receive Venafi marketing or sales communications and have not opted out, and will retain that information unless and until the user opts out.
Security of Personal Data
Venafi uses technical, operational, and organizational measures to protect sensitive data (whether personally identifiable or not) and detect security threats. These measures include:
- Secure access controls, and other processes to support secure delivery of solutions.
- Encryption technologies to protect high value or sensitive data in transit (on the system edges currently) and at rest.
- Operational procedures for managing security incidents.
- Vulnerability scanning to uncover security vulnerabilities and prioritize them for remediation.
- Independent third-party penetration testing of the environment.
- Periodic backup of critical databases.
Legal Basis for Data Processing
International Data Transfers
Exercising Privacy Rights (EU, UK, California)
For users in some regions, the law gives you rights over your personal information, such as the right in some circumstances to request deletion of information. For information about EU GDPR rights visit: https://gdpr-info.eu/ and review Chapter 3. For information about UK rights visit: https://ico.org.uk/global/privacy-notice/your-data-protection-rights/. For information about California rights, visit: https://oag.ca.gov/privacy/ccpa. Anyone who wishes to exercise any of their privacy rights should email email@example.com.
Other Applicable Policies
To exercise privacy rights, or ask questions about this policy, please email firstname.lastname@example.org. If you have a security question or wish to disclose a potential security vulnerability, please follow the process outlined here: https://www.venafi.com/security.