SECRET DOUBLE OCTOPUS SERVICES (PLATFORM) PRIVACY POLICY AND COOKIE POLICY

Last Updated: Aug 24, 2023

This Privacy Policy (the “Privacy Policy” or “Policy”) describes how SECRET DOUBLE OCTOPUS LTD. and its subsidiaries (“SDO”, “we”, “us”, “our”) collect, use, process, share and store the following categories of personal data:

  1. “Customer Data” means personal data that SDO collects, processes and manages on behalf of and under the instruction of a legal entity with whom SDO has signed an agreement for the provision of the Services (“Customers”).
    When the Customer enters into a service agreement directly with SDO, we process such Customer Data on behalf of and under the instruction of the respective Customer, in accordance with our data processing addendum and other agreements with them.
    When the Customer does not enter into a service agreement directly with SDO but rather through a reseller (“Reseller”), we process such Customer Data on behalf of and under the instruction of the respective Reseller, in accordance with our data processing addendum and other agreements with them. Accordingly, this Privacy Policy does not apply to such processing done on the Customer’s or Reseller’s behalf. To learn about the privacy policy and practices of our Customer, please contact them directly.
  2. “User Data” means personal data concerning Customers’ employees, IT agents, representatives, administrators, or other individuals authorized by Customers (collectively, “Users”) to access and use the Services and who have been supplied with user identifications and passwords during the performance of an agreement with SDO for the provision of its Services.
  3. “Business Contact Data” means personal data concerning our Customers’ internal persons who directly or indirectly engage with SDO and/or our Resellers’ internal persons who directly engage with SDO, e.g., billing contacts and authorized signatories on behalf of the Customer or the Reseller (collectively, “Business Contact”).

SDO provides Customers with a tool for managing passwordless authentication of the Customer’s Users through, at the Customer’s choice, either an authentication server that can be installed on premise and managed by the Customer (“On-premise solution”) or a Cloud managed by ourselves (“SDO Cloud”); the Octopus Authenticator mobile app or a FIDO token through which the Customer’s Users can approve the authentication request (collectively the “Solution”); and reports, maintenance, support and any other service as detailed in the relevant agreement with a Customer (collectively the “Services”).

Please see our full Privacy Policy below in order to better understand our practices in detail. If you have questions or concerns regarding this Policy, please contact us at: [email protected]

Please note that this Privacy Policy supplements our General Terms and Conditions.

This Privacy Policy is divided into the following sections:

Section 1: Data Controller/Data Processor
Section 2: What Personal Data Do We Process About You?
Section 3: For What Purposes Do We Use Your Personal Data?
Section 4: With Whom Do We Share Your Personal Data?
Section 5: How Is Your Personal Data Transferred Outside Of the European Union/European Economic Area?
Section 6: How Long Do We Store Your Personal Data For?
Section 7: How Do We Keep Your Personal Data Secure?
Section 8: What Rights Do You Have Regarding Your Personal Data?
Section 9: How Do We Approach Changes To This Privacy Policy?
Section 10: Contact Us

  1. Data Controller/Data Processor/Data sub-processor

    The GDPR distinguishes between the data controller, who determines the purposes and means of processing, and the data processor, who processes the data on behalf of the data controller. Below we explain how these roles apply to our Services.

    SDO is the data controller of Business Contact Data. With respect to such data, we assume the responsibilities of data controller, as set forth in this Privacy Policy. In such instances, our service providers processing such data will assume the role of data processor.

    When the Customer enters into a service agreement directly with SDO, SDO is the data processor of Customer Data, which we process on behalf of our Customer, who is the data controller of such data; and our service providers who process such Customer Data on our behalf are the sub-processors of such data. Accordingly, SDO processes Customer Data strictly in accordance with our Customer’s reasonable instructions and as further stipulated in our data processing addendum published on our website at https://doubleoctopus.com/dpa/.

    When the Customer does not enter into a service agreement directly with SDO but rather through a Reseller, SDO is the sub-processor of Customer Data, which we process on behalf of our Reseller, who is the data processor of such data. Accordingly, SDO processes Customer Data strictly in accordance with our Reseller’s reasonable instructions and as further stipulated in our data processing addendum and other agreements with such Reseller.

    SDO is both a data controller and a data processor of User Data. Such data is processed by SDO for its own purposes (as described in Section 3 below), as an independent data controller; whilst those portions of it which are included in Customer Data will be processed by us on our Customer’s behalf, as a data processor, or on our Reseller’s behalf, as a sub-processor.

    Accordingly, SDO processes Customer Data strictly in accordance with our Customers’ reasonable instructions, or our Resellers’ reasonable instructions, and as further stipulated in our data processing addendum and other agreements with such Customer or Reseller.

    Our Customers are solely responsible for determining whether and how they wish to use our Services, and for ensuring that all individuals using the Services on the Customer’s behalf or at their request, as well as all individuals whose personal data may be included in Customer Data processed through the Services, have been provided with adequate notices and given informed consent to the processing of their personal data, where such consent is necessary or advised, and that all legal requirements applicable to the collection, recording, use or other processing of data through our Services are fully met by the Customer, including specifically in the context of an employment relationship.

  2. What personal data do we process about you?

    When we use the term “personal data” in this Privacy Policy, we mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an individual.

    We may collect or generate the following types of personal data about individuals through the Services:

    1. Business Contact Data
      • Identification data (e.g., first name, last name, country);
      • Contact details (e.g., work email, phone number);
      • Business details (e.g., company’s name, job title);
      • Communications (e.g., correspondences, call and video recordings, and transcriptions and analyses thereof);
      • Contractual and billing details.
    2. User Data (for SDO Cloud only)
      • Identification data (only user names);
      • Encrypted Passwords;
      • Electronic network activity information (e.g., connectivity; date and time of use; time and length of use; location; device data (such as type, OS, device ID, browser version, locale and language settings used, operating system); activity log; session recordings; log-in credentials to the Services). To collect this data we use cookies and other tracking technologies (hereinafter “Cookies”). Cookies are small text files sent by your browser to your device to store or retrieve information on your browser or device. Cookies can be persistent (Cookies that remain on your device for a set period of time or until you delete them) or session (Cookies that are deleted as soon as you close your browser). When you use the Services, we and our third-party providers may place a number of Cookies on your device. These Cookies are “strictly necessary”, meaning that they help make the Service usable by enabling basic functions such as access to secure areas of the Service, authenticating Users, preventing fraudulent use of the SDO Cloud, and allowing the Services and their features to function properly. The Cookies we use are the following:
        Cookie name: ptkn
          Category: Strictly Necessary
          Purpose: Stores the SSO session identifier for Portal authorization and SSO-enabled SAML services
          Validity: 1 year*

        Cookie name: tid
          Category: Strictly Necessary
          Purpose: Stores the trust identifier for trusted browsers (per user) after a successful adaptive (strong) authentication
          Validity: 7 years*

        Cookie name: webauthn-session
          Category: Strictly Necessary
          Purpose: Stores WebAuthn data in order to pass it between the two requests of WebAuthn registration and assertion
          Validity: Session

        * Both the SSO session identifier and the trust identifier are managed by the server. The SSO session identifier is valid until the Portal SSO Timeout has elapsed. This is configurable in the Octopus Management Console.

    3. Customer Data
      • Personal data contained in Customer Data which is provided by our Customers and processed on their behalf and under their instruction, or processed on behalf of the Reseller and its instruction, in accordance with our data processing addendum or other agreement with them.
  3. For what purposes do we use your personal data?

    We may process the following categories of personal data through the Services, as data controller as further described in Section 1, for the following purposes:

    Business Contact Data

    Purpose: Management of our Customer / Reseller relationship
      Examples of use:
      • to designate the Customer’s representative and/or the Reseller’s representative with whom to discuss and deal;
      • to invoice the purchase of our Services.
      Legal basis: Necessary for the performance of the contract concluded between SDO and the Customer or between SDO and the Reseller

    User Data

    Purpose: Providing our Services
      Examples of use:
      • to install the Solution in the Customer’s IT system (On-Premise Solution) or on the cloud managed by SDO (SDO Cloud);
      • to provide and manage authentication;
      • to test and monitor the Services;
      • to provide support and technical assistance.
      Legal basis: Necessary for the performance of the contract concluded between SDO and the Customer or between SDO and the Reseller

    Purpose: Improving our Services
      Examples of use:
      • to evaluate, develop, enhance, analyze and improve our Services.
      Legal basis: Legitimate interest of SDO to improve its Solution, its Services and the User’s experience

    Purpose: Supporting and enhancing our data security measures
      Examples of use:
      • to monitor, investigate bugs, and improve our Services;
      • to prevent and mitigate the risks of fraud, error or any illegal, criminal or prohibited activity.
      Legal basis: Legitimate interest of SDO to secure its Solution and the User’s experience

    Business Contact and User Data

    Purpose: Pre-litigation or litigation management
      Examples of use:
      • to take action against any identified security breach;
      • to manage any dispute or litigation.
      Legal basis: Legitimate interest of SDO in defending its rights and interests

    Purpose: Compliance with legal and regulatory obligations
      Examples of use:
      • to perform any reporting and notification obligations we may be subject to, to competent governmental agencies and authorities;
      • to process your requests to exercise your rights.
      Legal basis: Legal and regulatory obligations to which SDO is subject

    Customer Data that we process on behalf of our Customers or on behalf of our Resellers (as listed in Section 1) is processed only on behalf of Customers or Resellers. Therefore, Customers, as data controllers, are responsible for determining the purposes and legal basis.

  4. With whom do we share your personal data?

    We may share Business Contact, User and Customer Data with the following recipients:

    Recipient: Within the SDO group companies
      Purpose: To provide and manage SDO’s Services.

    Recipient: Service providers and sub-contractors (including hosting, data security services, billing and payment processing services, fraud detection and prevention services, product analytics, session or activity recording services, remote access services, content transcription and analysis services, performance measurement, content and data enrichment providers, insurers)
      Purpose: To perform services on our behalf or complementary to our own, depending on each of their specific roles and purposes in facilitating and enhancing our Services. They may only use the data as determined in our agreements with them.

    Recipient: Governmental, administrative or judiciary authorities
      Purpose: Exclusively in case of a subpoena, search warrant or court order (or similar requirement), or in compliance with applicable laws and regulations. Such disclosure or access may occur if we believe in good faith that:
      (a) we are legally compelled to do so;
      (b) disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding actual or suspected illegal activity, fraud, or other wrongdoing; or
      (c) such disclosure is required to protect our legitimate business interests, including the security or integrity of our products and services.

    Recipient: Lawyers and all interested parties
      Purpose: Exclusively in the case of the management of possible disputes and other legal matters where appropriate.

    Recipient: Other third parties
      Purpose: In connection with any proposed or actual reorganization, restructuring, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of SDO’s business, assets or stock (including in connection with any bankruptcy, insolvency or similar proceedings).
  5. How is your personal data transferred outside of the European Union/European Economic Area?

    When we transfer personal data from within the EU/EEA to countries or international organizations that are based outside the EU/EEA, the transfer takes place on the basis of:

    • an adequacy decision by the European Commission; or
    • in the absence of an adequacy decision and after having carried out an assessment of the level of protection of your rights on the territory of the third country where the recipient of your personal data is established, other legally permitted safeguards such as standard contractual clauses (“SCCs”) for the transfer of personal data to third countries.
  6. How long do we store your personal data for?

    We retain personal data for as long as we deem it as reasonably necessary in order to maintain and expand our relationship and provide you with our Services; in order to comply with our legal and contractual obligations; or to protect ourselves from any potential disputes (i.e. as required by laws applicable to log-keeping, records and bookkeeping, and in order to have proof and evidence concerning our relationship, should any legal issues arise following your discontinuance of use), all in accordance with our Data Retention Policy.

    In accordance with our Data Retention Policy (which can be provided upon contacting [email protected]), the length of time we store your personal data depends on the purposes for which we collect and use it and/or as required to comply with applicable laws and to establish, exercise or defend our legal rights.

    Customer Data that we process on behalf of our Customers or on behalf of our Resellers (as listed in Section 1) is processed only on behalf of Customers or Resellers. Therefore, Customers, as data controllers, are responsible for determining the retention period. Accordingly, we will process the personal data under their instruction and will delete it from our SDO Cloud in accordance with our data processing addendum or other agreement with such Customer or Reseller.

    If you have questions or concerns regarding Customer Data retention period, please contact the respective Customer directly.

  7. How do we keep your personal data secure?

    1. Business Contact and User Data

      SDO has implemented technical and organizational measures to protect personal data, in particular against potential data breaches, either by accident or unlawfully, and against the destruction, loss, modification, unauthorized access or divulgation. However, we do not promise or guarantee that any personal data will be absolutely protected from unauthorized disclosure or use.

      We restrict (and require our service providers to restrict) access to personal data to personnel who need to know that personal data to facilitate the operation of our Services. If you have found a vulnerability or would like to report a security incident, you may send an email to [email protected].

    2. Customer Data

      When the Customer chooses the SDO Cloud solution, we implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. We also regularly monitor our systems for possible vulnerabilities and attacks, and regularly seek new ways to further enhance the security of our Services.

      All information that is processed through the SDO Cloud is processed on secure data servers located in the EU (Germany) in the case of EU Customers. In order to keep personal data secure, we implement the following main measures in addition to the measures of our Cloud sub-processor: all personal data is encrypted; access is limited to DevOps personnel; two-factor authentication is enforced for our administrators; third-party penetration tests are run; and the latest patches are applied.

      In the case of the On-Premise Solution, the server is managed by Customers, which as data controllers are responsible for determining the security measures. If you have questions or concerns regarding security measures for On-Premise Solutions, please contact the respective Customer directly.

  8. What rights do you have regarding your personal data?

    1. General Provisions

      Individuals have rights concerning their personal data. At any time, you may contact us at: [email protected] and request to know what personal data we store about you. We will consider all such requests and provide our response within a reasonable period (and in any event within any time period required by applicable laws).

      When you ask us to exercise any of your rights under this Policy and the applicable laws, we may need to ask you to provide us with certain credentials to make sure that you are who you claim you are, to avoid disclosure to you of personal data which is related to others that you are not authorized to receive, and to ask you questions to understand better the nature and scope of data that you request to access.

      We may redact from the data we will make available to you any personal data related to others.

    2. EU Data Subject Requests

      If you are based in the EU/EEA, you are entitled to request us to:

      • access your personal data in order to obtain clear, transparent and understandable information on how we process your personal data and on your rights (as provided in this Policy), as well as a copy of your personal data;
      • rectify your personal data in case your personal data are obsolete, inaccurate or incomplete;
      • object to the processing of your personal data when the processing is based on SDO’s legitimate interest. SDO will no longer process your personal data unless SDO demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, such as compliance with a legal obligation (e.g. a legal obligation involving the retention of documents), or for the establishment, exercise or defense of legal claims;
      • in certain circumstances under applicable laws, restrict the processing of some of your personal data during a limited period of time;
      • withdraw your consent when it has been obtained and processing is based on consent;
      • in certain circumstances under applicable laws, request data portability, meaning that you can receive the personal data originally provided by you in a structured and commonly used format, or request the transfer of the personal data provided by you to another data controller;
      • in certain circumstances under applicable laws, delete your personal data (also known as the right to be forgotten);
      • lodge a complaint with your national data protection authority.

      If you have a complaint about how we use your personal data, we would always prefer you to contact us first. However, you may also make a complaint to your local data protection authority in the EU/EEA country where we are based. If you are unsure which data protection authority to contact, please contact us at [email protected].

    3. Customer Data provisions

      Customer Data that we process on behalf of our Customers or on behalf of our Resellers (as listed in Section 1) is processed only on behalf of Customers or Resellers. Therefore, Customers, as data controllers, are responsible for answering and implementing your request to exercise your rights. If you send your request to us, we will transfer it to the respective Customer, or to the respective Reseller, as applicable, in accordance with our data processing addendum or other agreement with such Customer or Reseller.

      You may also send your request to exercise your rights directly to the respective Customer.

  9. How do we approach changes to this privacy policy?

    We will change this Privacy Policy from time to time. Any changes we make to our Privacy Policy in the future will be posted on this page and, if we have your e-mail address, we may also notify you by email. The effective date of any change to the Privacy Policy will be clearly marked at the top of each new Privacy Policy posted.

  10. Contact us

    If you have any comments or questions regarding this Privacy Policy or the information practices in connection with the Services, please contact us at [email protected].

Copyright © 2023, SDO All rights reserved.