Last Updated: Aug 24, 2023
SDO provide Customers with a tool for managing passwordless authentication of Customer’s Users through, at the Customer’s choice, either authentication server that can be installed on premise and managed by the Customer (“On-premise solution”) or a Cloud managed by ourselves (“SDO Cloud”), the Octopus Authenticator mobile app or FIDO token through which Customer’s Users can approve the authentication request (collectively the “Solution”) and reports, maintenance, support and any other service as detailed in the relevant agreement with a Customer (collectively the “Services”).
Data Controller/Data Processor
What Personal Data Do We Process About You?
For What Purposes Do We Use Your Personal Data?
With Whom Do We Share Your Personal Data?
How Is Your Personal Data Transferred Outside Of the European Union/European Economic Area?
How Long Do We Store Your Personal Data For?
How Do We Keep Your Personal Data Secure?
What Rights Do You Have Regarding Your Personal Data?
|Section 10||Contact Us|
The GDPR distinguishes between the data controller, who determines the purposes and means of processing; and the data processor, who processes the data on behalf of the data controller. Below we explain how these roles apply to our Services.
When the Customer enters into a service agreement directly with SDO, SDO is the data processor of Customer Data, which we process on behalf of our Customer who is the data controller of such data; and our service providers who process such Customer Data on our behalf are the sub-processors of such data. Accordingly, SDO processes Customer Data strictly in accordance with our Customer’s reasonable instructions and as further stipulated in our data processing addendum published in our website https://doubleoctopus.com/dpa/.
When the Customer does not enter into a service agreement directly with SDO but rather through a Reseller, SDO is the sub-processor of Customer Data, which we process on behalf of our Reseller who is the data processor of such data. Accordingly, SDO processes Customer Data strictly in accordance with our Reseller’s reasonable instructions and as further stipulated in our data processing addendum and other agreements with such Reseller. SDO is both a data controller and data processor of User Data. Such data is processed by SDO for its own purposes (as described in Section 3 below), as an independent data controller; whilst those certain portions of it which are included in Customer Data will be processed by us on our Customer’s behalf, as a data processor, or on our Reseller’s behalf, as a sub-processor.
Accordingly, SDO processes Customer Data strictly in accordance with our Customers’ reasonable instructions, or our Resellers’ reasonable instructions, and as further stipulated in our data processing addendum and other agreements with such Customer or Reseller.
Our Customers are solely responsible for determining whether and how they wish to use our Services, and for ensuring that all individuals using the Services on the Customer’s behalf or at their request, as well as all individuals whose personal data may be included in Customer Data processed through the Services, have been provided with adequate notices and given informed consent to the processing of their personal data, where such consent is necessary or advised, and that all legal requirements applicable to the collection, recording, use or other processing of data through our Services are fully met by the Customer, including specifically in the context of an employment relationship.
We may collect or generate the following types of personal data about individuals through the Services:
|Strictly Necessary||ptkn||Stores SSO session identifier for Portal authorization and SSO-enabled SAML services||1 year*|
|Strictly Necessary||tid||Stores trust identifier for trusted browsers (per user) after a successful adaptive (strong) authentication||7 years*|
|Strictly Necessary||webauthn-session||Stores webauthn in order to pass data between 2 requests of webauthn registration and assertion||Session|
* Both SSO session identifier & trust identifier are managed by the server. SSO session identifier is valid until the Portal SSO Timeout is elapsed. This is configurable in Octopus Management Console.
We may process the following categories of personal data through the Services, as data controller as further described in Section 1, for the following purposes:
|Purposes||Example of use of Business Contact Data||Legal Basis|
|Management of our Customer / Reseller relationship||
||Necessary for the performance of the contract concluded between SDO and the Customer or between SDO and the Reseller|
|Purposes||Example of use of User Data||Legal Basis|
|Providing our Services||
||Necessary for the performance of the contract concluded between SDO and the Customer or between SDO and the Reseller|
|Improving our Services||
||Legitimate interest of SDO to improve its Solution, its Services and User’s experience|
|Supporting and enhancing our data security measures||
||Legitimate interest of SDO to secure its Solution and User’s experience|
|Purposes||Example of use of Business Contact and User Data||Legal Basis|
|Pre-litigation or litigation management||
||Legitimate interest of SDO in defending its rights and interests|
|Compliance with legal and regulatory obligations||
||Legal and regulatory obligations to which SDO is subject|
Customer Data that we process on behalf of our Customers or on behalf of our Resellers (as listed in Section 1) is processed only on behalf of Customers or Resellers. Therefore, Customers, as data controllers are responsible for determining the purposes and legal basis.
We may share Business Contact, User and Customer Data with the following recipients:
|Within the SDO group companies||To provide and manage SDO’s Services.|
|Service providers and sub-contractors (including hosting, data security services, billing and payment processing services, fraud detection and prevention services, product analytics, session or activity recording services, remote access services, content transcription and analysis services, performance measurement, content and data enrichment providers, insurers)||To perform services on our behalf or complementary to our own. Depending on each of their specific roles and purposes in facilitating and enhancing our Services, and may only use the data as determined in our agreements with them.|
|Governmental, administrative or judiciary authorities||Exclusively in case of a subpoena, search warrant or court order (or similar requirement), or in compliance with applicable laws and regulations.
Such disclosure or access may occur if we believe in good faith that:
(a) we are legally compelled to do so;
(b) disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding actual or suspected illegal activity, fraud, or other wrongdoing; or
(c) such disclosure is required to protect our legitimate business interests, including the security or integrity of our products and services.
|Lawyers and all interested parties||Exclusively in the case of the management of possible disputes and other legal matters where appropriate|
|Other third parties||In connection with any proposed or actual reorganization, restructuration, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of SDO business, assets or stock (including in connection with any bankruptcy, insolvency or similar proceedings)|
When we transfer personal data from within the EU/EEA to countries or international organizations that are based outside the EU/EEA, the transfer takes place on the basis of:
We retain personal data for as long as we deem it as reasonably necessary in order to maintain and expand our relationship and provide you with our Services; in order to comply with our legal and contractual obligations; or to protect ourselves from any potential disputes (i.e. as required by laws applicable to log-keeping, records and bookkeeping, and in order to have proof and evidence concerning our relationship, should any legal issues arise following your discontinuance of use), all in accordance with our Data Retention Policy.
In accordance with our Data Retention Policy (which can be provided upon contacting [email protected]), the length of time we store your personal data depends on the purposes for which we collect and use it and/or as required to comply with applicable laws and to establish, exercise or defend our legal rights.
Customer Data that we process on behalf of our Customers or on behalf of our Resellers (as listed in Section 1) is processed only on behalf of Customers or Resellers. Therefore, Customers, as data controllers are responsible for determining the retention period. Therefore, we will process the personal data under their instruction and will delete it from our SDO Cloud in accordance with our data processing addendum or other agreement with such Customer or Reseller.
If you have questions or concerns regarding Customer Data retention period, please contact the respective Customer directly.
SDO has implemented technical and organizational measures to protect personal data, in particular against potential data breaches, either by accident or unlawfully, and against the destruction, loss, modification, unauthorized access or divulgation. However, we do not promise or guarantee that any personal data will be absolutely protected from unauthorized disclosure or use.
We restrict (and require our service providers to restrict) access to personal data to personnel who need to know that personal data to facilitate the operation of our Services. If you have found a vulnerability or would like to report a security incident, you may send an email to [email protected].
When the Customer chooses the SDO Cloud solution, we implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration unauthorized disclosure or access. We also regularly monitor our systems for possible vulnerabilities and attacks, and regularly seek new ways and for further enhancing the security of our Services.
All information that is processed through the SDO Cloud is processed on secure data servers located in the EU (Germany) in case of EU Customers. In order to keep personal data secure, we implement the following main measures in addition to the highly considered Cloud sub-processor’s measures: all personal data is encrypted; access limited to DevOps personnel; 2 factor authentications for our administrators; run third party penetration tests; update latest patches.
In case of On-Premise Solution the server is managed by Customers, which as data controllers are responsible for determining the security measures. If you have questions or concerns regarding security measures for On-Premise Solutions, please contact the respective Customer directly.
Individuals have rights concerning their personal data. At any time, you may contact us at: [email protected] and request to know what personal data we store about you. We will consider all such requests and provide our response within a reasonable period (and in any event within any time period required by applicable laws).
When you ask us to exercise any of your rights under this Policy and the applicable laws, we may need to ask you to provide us with certain credentials to make sure that you are who you claim you are, to avoid disclosure to you of personal data which is related to others that you are not authorized to receive, and to ask you questions to understand better the nature and scope of data that you request to access.
We may redact from the data we will make available to you any personal data related to others.
If you are based in the EU/EEA, you are entitled to request us to:
If you have a complaint about how we use your personal data, we would always prefer you to contact us first. However, you may also make a complaint to your local data protection authority in the EU/EEA country where we are based. If you are unsure which data protection authority to contact, please contact us at [email protected].
Customer Data that we process on behalf of our Customers or on behalf of our Resellers (as listed in Section 1) is processed only on behalf of Customers or Resellers. Therefore, Customers, as data controllers are responsible for answering and implementing your request to exercise your rights. If you send your request to us, we will transfer it to the respective Customer, or to the respective Reseller, as applicable, in accordance with our data processing addendum or other agreement with such Customer or Reseller.
You may also send your request to exercise your rights directly to the respective Customer.
Copyright © 2023, SDO All rights reserved.