SECRET DOUBLE OCTOPUS LTD
Last Updated: February 2019
Our Solution and Services provide Clients with a tool for managing authentication of Users to Client’s IT systems, based on cryptography. The Solution encrypts the content of electronic communications related to authentication of Users. Our Solution is installed on Client’s IT Systems and is operated by our Clients. Our Solution is not designed for or intended to have access to, Process, store or retain any Personal Information regarding to Users or any other Data Subjects which originates from usage of the Solution and/or from Clients’ IT Systems. We may have access to and view partial excerpts of such Personal Information in very limited situations, when our Clients enable our access to Client IT Systems, at their request, for provision of support services. However, we do not store or retain any such Personal Information following a support session.
Due to the nature of our Services, which are provided to enterprises who collect Personal Information of Data Subjects which we have no direct connection with, our Clients are responsible to communicate this Policy, if required, to Data Subjects whose Personal Information is stored on the Clients’ IT Systems.
(*All capitalized terms shall have the meaning as defined below)
“EEA” means the European Economic Area.
“GDPR” shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), as amended, replaced or superseded from time to time.
“Israeli Information Protection Legislation” shall mean the Israeli Privacy Protection Law 5741 – 1981 (“PPL”), the regulations promulgated pursuant thereto and the applicable guidelines issued by the Israeli Privacy Protection Authority, as amended, replaced or superseded from time to time.
“Applicable Laws” shall mean the GDPR, the Israeli Data Protection Legislation, and any other applicable privacy or other law to which SDO is subject.
“Personal Information” shall mean information that may identify an individual or is of a private and/or sensitive nature, such as an individual’s name, address or bank account.
“Non-Personal Information” shall mean information that does not personally identify a natural person and does not reveal a natural person’s specific identity, such as anonymized information.
“Processing” shall mean any operation performed on Personal Information including, inter alia, collection, transmission, analysis, storage.
“Data Subject” shall mean any natural person whose Personal Information is being collected and Processed.
“Client” shall mean a legal entity which has registered with SDO order to view a demonstration of the Solution or a legal entity with whom SDO has a signed agreement for the provision of the Solution and the Services.
“Client Information Technology Systems” or “Client IT Systems”, shall mean electronic communications networks operated by and under the responsibility of the Client which may contain Personal Information collected, stored or otherwise processed by the Client for its purposes.
“Services” means authentication services based on the SDO Solution to be provided by SDO to Clients including reports, maintenance, support and any other service as detailed in the relevant agreement with a Client.
“SDO Solution” or “Solution” means SDO’s version of its proprietary computer application, known as the Octopus Authenticator, used by SDO to provide the Services.
“Application” means the Octopus Authenticator mobile app through which Users can access the Solution.
“User(s)” shall mean Clients’ employees, representatives, contractors or other Data Subjects authorized by Clients to access and use the Services and download the Application and which have been supplied with user identifications and passwords (whether during a demonstration of the Solution or during performance of an agreement with SDO for provision of its Solution).
“User Data” shall mean any data, text, messages, information, documents or other materials which may include Personal Information provided or submitted by Users to, or in connection with, the Services in the course of using the Services.
“Client’s Data Subject” means any Data Subject whose Personal Information is stored on the Client’s IT Systems.
“Controller” shall mean the legal entity that decides on the purposes and the means of the Personal Information Processing and shall include the term “Database Owner” under the PPL.
“Processor” shall mean a natural person or legal entity which performs the Processing operations on behalf of the Controller and shall include the term “Database Holder” under the PPL.
“Subprocessor” shall mean any natural person or legal entity appointed by a Processor to Process Personal Information on its behalf, excluding any employee of the Processor or any such appointed person but including any contractor or affiliate of the Processor.
“Personal Information Breach” shall mean a breach of security or other incident leading to the accidental or unlawful destruction, loss, alteration, the unauthorized disclosure or use of, or access to, or harm to the integrity of, Personal Information transmitted, stored or otherwise Processed, and shall include any type of “Information Security Event” as defined in Israeli Information Protection Legislation.
This Policy was originally written in English. If you are reading a translation and it conflicts with the English version, please note that the English version prevails.
- THE TYPES OF PERSONAL INFORMATION THAT WE COLLECT
- We do not collect or generate Personal Information of or about the Users of the Solution or Client Data Subjects.
- PERSONAL INFORMATION THAT IS PROVIDED TO US
- If you are a User or a Client’s Data Subject, we will not have access to and/or Process your Personal Information in the scope of our Services. Our Solutions is installed on Client IT Systems and is intended to enable secure authentication. However, if due to the design, architecture, settings and/or configuration of a particular Client’s IT Systems, the Solution may become connected to other components of the Client’s IT Systems; or if the Client gives us access to the Client IT Systems, during a support session, (though this is not required for the provision of the Services), We may have access to partial excerpts of files containing your Personal Information. We do not store or retain this Personal Information.
- NON PERSONAL INFORMATION
- In addition to the categories of Personal Information described above, we will also Process further anonymized information that is not Processed by reference to a specific Data Subject. We may collect this Non-Personal Information through the Solution in the following ways:
- Information that your device sends (“Log Information”). This Log Information may include, but is not limited to, the User’s device type, operating system.
- Our application uses Mixpanel to collect an anonymized device identifier value. To clarify, Mixpanel is not used to collect other information.
- HOW WE USE NON PERSONAL INFORMATION
- We may use Non Personal Information in order to:
- compile anonymous, aggregate and statistical information in order to test, develop, improve, control and operate our Solution and Services;
- disclose to third party vendors, service providers, contractors or agents who perform tasks on our behalf in connection with the Solution and Services (for more information please see Section 7 “SHARING INFORMATION WITH OTHERS” below); and
- technical administration and troubleshooting of the use of the Solution and Services.
- THE LEGAL BASIS FOR USE OF PERSONAL INFORMATION
- It is hereby clarified that for the provision of our Solution and Services, we do not process Personal Information of Users. We may Process Personal Information solely if the Client enables us to view Personal Information of Users or Client Data Subjects during a support session. We will only Process such Personal Information where we have a legal basis to do so. The legal basis will depend on the purposes for which we received and/or collected and need to use the Personal Information. In almost all cases the legal basis will be to provide technical support to our customers.
- It is hereby clarified that the legal bases detailed above are the legal bases for actions to process Personal Information, carried out by us in accordance with the Applicable Laws. If processing of Personal Information is subject to other Applicable Laws, then the legal basis for processing Personal Information may differ accordingly.
For more information, see Section 8 “YOUR RIGHTS” below.
- YOUR RIGHTS
- Whereby Personal Information is Processed, the Data Subject may have certain rights such as to access, view, receive a copy of or request deletion of its Personal Information; and, in most cases, the Data Subject can exercise them free of charge.
- As mentioned above, we do not store or retain any Personal Information about Users or Clients Data Subjects on our Solution and as part of our Services.
- If you are a User or a Client’s Data Subject, we will normally not have access to your Personal Information and we will not Process it. We may have access solely to view your Personal Information in limited situations, solely as a result of specific circumstances (where the Client has technically enabled this, as mentioned above in Section 3.1). when we view your Personal Information, we do so as Processors. As a Processor, according to by Applicable Laws, we are obliged to notify the Client of your request. However, we are not authorized to comply with your request and you must refer to the Client in order to exercise your rights. If you cannot get in touch with the relevant Client, you may contact us and we will make commercially reasonable efforts to assist you, if we are able to identify you as a User or a Client Data Subject.
- We may retain certain information as deemed required by us in accordance with Applicable Laws, or for legitimate business reasons, for the duration as required under the Applicable Laws. In addition, we may delete any Personal Information pursuant to our policies, as in effect from time to time.
- When a Data Subject asks us to exercise any of its rights under this Policy and the Applicable Laws, we may need to ask the Data Subject to i) provide us certain credentials to identify the Data Subject in order to avoid unlawful disclosure to that Data Subject of Personal Information related to others; and ii) to ask the Data Subject questions to better understand the nature and scope of Information that it requests to access.
- We may redact from the Information which we will make available to the Data Subject, any Personal Information related to others.
- INFORMATION SECURITY
- We take the safeguarding of the Personal and Non-Personal Information very seriously, and use a variety of systems, applications and procedures to protect the Information from loss, theft, damage or unauthorized use or access when it is in our possession or control, including reasonable physical, technical and organizational measures which restrict access to the Information. These measures provide sound industry-standard security. However, although we make efforts to protect privacy, we cannot guarantee that the Solution will be immune from any wrongdoings, malfunctions, unlawful interceptions or access, or other kinds of abuse and misuse.
- We also regularly monitor our systems for possible vulnerabilities and attacks, and regularly seek new ways and for further enhancing the security of our Solution and protection of our Users’ privacy.
- Users should take steps to protect against unauthorized access to their password, phone, and computer by, among other things, signing off after using a shared computer, choosing a robust password that nobody else knows or can easily guess, and keeping log-in and password credentials private. In addition, Users should take steps to protect against unauthorized access to Personal Information stored on their premises as well as defining limited access rights to such Personal Information on a need to know basis.
- If a User receives an e-mail asking it to update its information with respect to the Solution and/or Services, it should not reply and should contact us at [email protected]
- SDO will comply with Applicable Laws in the event of any Personal Information Breach and will inform Data Subjects of such Breach if required by Applicable Laws.
- INFORMATION RETENTION
- We may retain different types of information for different periods, depending on the purposes for processing the information, our legitimate business purposes as well as pursuant to legal requirements under the applicable law. We may retain Personal Information for as long as necessary to support the collection and the use purposes under this Policy and for other legitimate business purposes, for example, for cyber-security management purposes, legal proceedings and tax issues.
- We may store aggregated Non-Personal Information without time limit. In any case, as long as a User uses the Solution, we will keep information about that User or Client Data Subject, unless we are legally required to delete it, or if that User exercises its rights to delete the Personal Information.
- OUR POLICY TOWARD CHILDREN
- Our Solution is not meant to be used by or for persons under 18, as such, we do not knowingly collect Personal Information from minors younger than 18. Insofar as Personal Information of a Client Data Subject and/or User may be collected by the Client, based on a Client Data Subject’s or User’s consent, the Client Data Subject/User must be above the age of 16 (or above the age of 13 if this is the legal requirement in your country). If these age requirements are not met, the Client is required to obtain the consent of the parent or guardian to provide and Process Personal Information in accordance with its Policy and Applicable Laws; lacking such consent, the Client should not collect the Personal Information of a Client Data Subject/User which is under the age of 18 and should not transfer to us, share with us or allow access of us to view this Personal Information within the Solution or Services.
- If we need to adapt the Policy to legal requirements, the amended Policy will become effective immediately or as required.
- A User’s continued use of the Solution and/or Services following such notice shall constitute the consent of the User to any changes made and a waiver of any claim or demand in relation to such changes. If a User does not agree to the new or different terms, it should not use and is free to discontinue using the Solution and/or Services (discontinuation of use of the Solution and/or Services is subject to any contractual obligations the Client may have towards SDO).
- APPLICABLE LAW AND DISPUTE RESOLUTION
- CONTACT US
- For further information about this Policy, please contact us at [email protected]
- We work hard to manage Personal Information responsibly. If you are unhappy about the way we do this, please contact us and we will make good-faith efforts to address your concerns. We are usually able to resolve privacy questions or concerns promptly and effectively. If you are not satisfied with the response you receive from us, you may escalate concerns to the applicable privacy regulator in your jurisdiction. Upon request, we will provide you with the contact details for that regulator.
Copyright © 2019, SDO All rights reserved.
Last Updated: February , 2019