Last modified: March 27, 2020
Securify (“Securify,” “we,” “our,” or “us”) recognizes that your privacy is very important, and we take it seriously. Securify provides multi-factor authentication and other services to users (“User,” “Users,” “you,” or “your”) and Enterprise Users (“Enterprise User”, “Enterprise Users”) around the world. Your use of our website (the “Site”), the mobile application (the “Application”) and the services made available on the Site (“Services”) is subject to these Privacy Rules, the “Terms & Conditions” (these “Terms”) for individual users (http://securifyid.com/legal/terms-conditions/) and the Securify Data Processing Agreement for corporate users.
1. Information we collect
We collect and receive information from you and your devices in the following cases:
- When you make a job application (by sending your CV in hardcopy or digital format, or by applying for a vacant position from our web sites)
- Through your visit to our web sites and using our Applications
- Giving your contact details physically (mostly at an event, bilateral meeting or other similar physical organization)
- Using our services (mobile apps, management console, API, plugins)
1.1 Information you provide when you apply for a job
You provide several items of personal data to us, mostly in your resume, as well as sensitive information in connection with your job application. Some of the personal data you provide us are listed below:
- Name Surname
- Identity number / Passport number
- Certificate of Identity Register Copy
- Email address
- Phone/mobile number
- Date of Birth
- Marital Status
- Education Background
- Professional Experience (Your previous employments, name of companies, your positions etc.)
- Project Experience (The project information you were involved, date of the projects, your position etc.)
- Your Publications
- Your areas of interest
- Your hobbies and social life
- Your references (with a commitment that you have taken their consent beforehand)
1.2 Information collected when you visit our web sites
We may also collect contact and/or professional data about you in person, through means like online forms and/or communications, and through our websites. For example, you may provide your name, surname and contact information, as well as professional information to us when you sign up to learn more about Securify’s products and services, download content, register for an event, and visit our offices.
1.3 Information collected physically
During our physical marketing efforts and business activities, you may provide us your contact and professional details, especially in business card format or orally. If you attend an event, we may also receive contact and professional details about you when you fill in a form, provide us a business card or use another method by which you share Personal Data with us, as well as pictures and videos taken that can be shared on social media to express Enterprise activities. Typically, contact data includes your name and contact methods, such as telephone number, email address, and mailing address, and professional data includes details such as the organization you are affiliated with, your job title, and industry.
1.4 Information collected when you use our services
Information collected by our systems will be detailed in the following sub-sections:
1.4.1 Mobile Applications
We have Android and iOS Mobile Applications. When you download our apps from online stores and start using them, we collect information in the following phases:
During First Registration: In order to be able to use our mobile services, you should sign up by entering your name, surname, email address and phone number. After you have entered your information, we send a registration code to your e-mail address and ask you to enter this code in our app in order to finalize your registration. During your registration we also generate symmetric and asymmetric key pairs in order to use them in digital signing and encryption of transactions. According to our usage, we can store these keys in the mobile app, in the backend server or in both.
When You Add a New Service: You may add either an Enterprise or an individual service. Individual services can only be used in TOTP (Time-Based One-Time Password) authentication (RFC 6238). In this authentication mechanism, a third-party service (e.g. Twitter, Facebook, LinkedIn) can be added by scanning a QR code or entering a secret key manually in order to perform second-factor authentication. If you scan the QR code, we obtain your secret key and the name of your third-party service; if you add the service manually, we store the name you gave to the service and the secret key. We store your secret key both in your mobile app and in our backend servers, as a backup for your own convenience, in order to regenerate the OTP and recover it when you move your app to another phone or reinstall the app. We also highlight that, in order to let you scan the QR code, we need your camera permissions.
In Enterprise services, you enter a code provided by your service provider and we keep only the service provider’s id and the user id provided for the service. The user id is only a number produced by your corporation/service provider to pseudonymise your identity, which is later shared by your corporation/service provider with us in order to uniquely identify your transaction. The user id can be just a pseudonymised number and we do not require it to be a personally identifying number. But if your service provider provides personal data as the user id, this is the responsibility of your service provider, which is also included in our contract with your service provider.
During Authentication: During authentication we use several pieces of information about you and your device, app and transaction in order to improve your security during authentication, and store them for public and third-party audit purposes, as well as for improvements to our services. This information may include your email address, your user id, your Internet Protocol (IP) address, OS platform, your browser type and version, browser timezone, browser time offset, browser agent, screen resolution, the date and time of your transaction, keystroke timings, geolocation, time spent on each page, your clicks and your scrolls.
1.4.2 Management Console
For Enterprise Users that have a contract with us, we provide a web-based management console for identity and access management of their employees and/or customers. In this console, employee or customer data is provided to the system by the Enterprise. In such cases, the data controller is the Enterprise and we are in the data processor role. So, the responsibility to meet the data privacy and other related legal requirements with the end user or employee is primarily on the Enterprise.
As an Enterprise User of our Site, Application and services, your data controller may keep and process your personal data under the following sections of the management console:
Directory Section: In the directory section, information about users, groups, identities and zones can be stored in the system. Personal data can be kept within the users or identities module. However, neither our system nor the processes require users’ personal data to operate correctly. Our system just needs user ids and/or email addresses, which might be anonymous records that cannot be directly linked with the users’ identities. We recommend that our Enterprise Users, as data controllers, utilise pseudonymised user ids for better compliance with the EU’s GDPR and the Turkish PPDA (KVKK). According to the Enterprise User configuration, the users’ data can also be retrieved from an already existing third-party system such as Active Directory, Office 365, Radius etc.
Applications Section: In the applications section, the Enterprise User can define its services and html forms in order to manage access to them. The applications section processes ordinary data, such as service name, form html id, field html. The only personal data processed under this section is the logs that are kept about the services used by individual user ids.
Policies Section: In this section, Enterprise User can define rules to allow or deny the user groups to use the defined services or forms according to time period or IP addresses.
Licences Section: In the licences section we keep Enterprise or individual licensing information that includes the product name, licence name, start date, expiration date, users’ email address (for individual users), Enterprise information, Enterprise email address, phone number etc.
Audit Section: In the audit section, the system stores several pieces of information about the authentication transactions for security and controls, including Enterprise name, service name, user ids, Internet Protocol (IP) address, OS platform, browser type and version, browser time zone, browser time offset, browser agent, screen resolution, the date and time of the transaction, users’ keystroke timings, geolocation, time spent on each page, clicks and scrolls.
Threat Management Section: In the threat management section, the system checks the collected data regarding the users’ authentication transactions and performs static and automatic analysis. Automatic analysis includes analysing users’ historical and behavioural data using machine learning or statistical techniques and detecting anomalies. In this section, the Enterprise should define risk-based authentication parameters and the actions to take when an anomaly is detected in a user’s authentication transaction. Actions include triggering a third-party system or sending notification emails or SMS. Therefore, information such as the IP address and service name of the third-party application, or the e-mail and SMS information of the persons to be notified, should be entered into the system.
1.4.3 API Services
Since our backend services run through API services, the data mentioned in the previous systems should be transferred using these APIs.
We sometimes provide plugins in order to interact with third-party systems. In the settings page of these plugins, the system may store users’ email addresses, API keys and some other relevant configuration data.
How we collect information
We collect information by fair and lawful means, with your knowledge and consent. We also let you know why we’re collecting it and how it will be used. You are free to refuse our request for this information, with the understanding that we may be unable to provide you with some of your desired services without it.
Use of information
We use your data in order to increase the security of your authentication processes and prevent any malicious cyber attack against your identities.
We may use a combination of identifying and non-identifying information to understand who our visitors are, how they use our services, and how we may improve their experience of our Services in the future. We do not disclose the specifics of this information publicly, but may share aggregated and anonymised versions of this information, for example, in website and customer usage trend reports.
We may use your personal details to contact you with updates about our Services, along with promotional content that we believe may be of interest to you. If you wish to opt out of receiving promotional content, you can follow the “unsubscribe” instructions provided alongside any promotional correspondence from us.
Data processing and storage
We only transfer data within jurisdictions subject to data protection laws that reflect our commitment to protecting the privacy of our users.
We only retain personal information for as long as necessary to provide a service, or to improve our services in future. While we retain this data, we will protect it within commercially acceptable means to prevent loss and theft, as well as unauthorised access, disclosure, copying, use or modification. That said, we advise that no method of electronic transmission or storage is 100% secure, and cannot guarantee absolute data security.
If you request your personal information be deleted, or where your personal information becomes no longer relevant to our operations, we will erase it from our system within a reasonable timeframe.
Third-party access to information
We use third-party services for:
- Analytics tracking
- Advertising and promotion
- Content marketing
- Email marketing
- Payment processing
These services may access our data solely for the purpose of performing specific tasks on our behalf. We do not share any personally identifying information with them without your explicit consent. We do not give them permission to disclose or use any of our data for any other purpose.
We may, from time to time, allow limited access to our data by external consultants and agencies for the purpose of analysis and service improvement. This access is only permitted for as long as necessary to perform a specific function. We only work with external agencies whose privacy policies align with ours.
We will refuse government and law enforcement requests for data if we believe a request is too broad or unrelated to its stated purpose. However, we may cooperate if we believe the requested information is necessary and appropriate to comply with legal process, to protect our own rights and property, to protect the safety of the public and any person, to prevent a crime, or to prevent what we reasonably believe to be illegal, legally actionable, or unethical activity.
We do not otherwise share or supply personal information to third parties. We do not sell or rent your personal information to marketers or third parties.
Limits of our policy
Our website may link to external sites that are not operated by us. Please be aware that we have no control over the content and policies of those sites, and cannot accept responsibility or liability for their respective privacy practices.
Changes to this policy
Your rights and responsibilities
As our user, you have the right to be informed about how your data is collected and used. You are entitled to know what data we collect about you, and how it is processed. You are entitled to correct and update any personal information about you, and to request this information be deleted. You may amend or remove your account information at any time, using the links in our web sites.
You are entitled to restrict or object to our use of your data, while retaining the right to use your personal information for your own purposes. You have the right to opt out of data about you being used in decisions based solely on automated processing.
Securify Ltd. is the data controller of your personal information in individual services but the data processor in the Enterprise services.