1. INTRODUCTION

Keyfactor, Inc. (“Keyfactor”) provides digital certificate issuance and management system services. At Keyfactor, the privacy and security of our customers and visitors are of paramount importance. Keyfactor is committed to protecting the data you share with us.

If you are a California resident/consumer, please visit the “Keyfactor Privacy Policy for California Consumers” page for information specific to Keyfactor’s compliance with the provisions of the California Consumer Privacy Act of 2018 (“CCPA”).

This Privacy Policy contains an overview of the approach that Keyfactor takes to processing information that can be used to directly or indirectly identify an individual. Such information is known as Personal Data in the European Union (“EU”) and the European Economic Area (“EEA”) and as Personal Information and/or Personally Identifiable Information (“PII”) in the United States. Keyfactor collects and processes certain Personal Data and Personal Information through Users’ and Visitors’ interactions with and use of its platforms and website.

For the purposes of this Policy, Keyfactor defines the term “User” as an entity external to Keyfactor with which, or individual with whom, Keyfactor has an established business relationship and the term “Visitor” as an individual who visits our front-end website (i.e., https://www.keyfactor.com).

Keyfactor treats all information stored on its platforms as confidential. We store all information securely and permit access to such information to authorized personnel only. Keyfactor implements and maintains appropriate technical, security and organizational measures to protect Personal Data and Personal Information against unauthorized or unlawful access, processing, use, accidental loss, destruction, damage, theft and/or disclosure.

Keyfactor complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) as set forth by the U.S. Department of Commerce.  Keyfactor has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) regarding the processing of personal data received from the European Union in reliance on the EU-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/

2. COLLECTION AND USE

2.1 GENERAL

The following sections cover the specifics regarding each of the two groups from which data is collected—namely, website Visitors and Users.

2.2 WEBSITE VISITORS

If you are a Visitor to our website only, and not a User of our platform, then this section applies to you.

  • Except where prohibited by applicable laws or regulations, a User or Visitor to this website will be deemed to have consented to Keyfactor’s collection and processing of select Personal Data or Personal Information. Keyfactor will seek your explicit, voluntary consent to process Personal Data and/or Personal Information that the company collects on this website or that you submit of your own accord to the site where and to the extent required by applicable law. Should you decline to consent to the processing of your Personal Data or Personal Information, please refrain from any further use this website.
  • Except as described above, Keyfactor reserves the option to collect, record and analyze Personal Data and Personal Information of Visitors to its website. We may record your IP address and use cookies. Keyfactor may collect Personal Data and/or Personal Information generated by way of your page view activity. Keyfactor may also collect and process any Personal Data and Personal Information that you voluntarily share with us through our website forms, including any forms that you may complete when registering for Keyfactor events or signing up for more information about Keyfactor through newsletters and the like. If you provide your social media details to Keyfactor, we may retrieve publicly available information about you from applicable social media sites.
  • Keyfactor may collect and process the following Personal Data and/or Personal Information through your interactions with our website: your IP address; your first and last name; your postal and email address; your telephone number; your job title; select social network data; your areas of interest, including interest in Keyfactor products; certain information about the company for which you work (e.g., company name and address); and information pertinent to your relationship with Keyfactor.
  • Keyfactor gathers data about visits to the company’s website. Such information includes, but is not necessarily limited to, the following: the number of Visitors; the number of unique visits; geolocation data; the length of time Visitors spend on the site; and the pages that Visitors click.
2.2.1 PURPOSE OF PROCESSING PERSONAL DATA

Keyfactor uses the Personal Data and Personal Information it collects to communicate with Visitors, to customize content for Visitors, to display ads on other websites of interest to Visitors, and to improve the website by analyzing how Visitors navigate the website.

2.2.2 SHARING PERSONAL DATA

Keyfactor may share Personal Data and Personal Information (and which, as described in our Privacy Policy for California Consumers, may include your communications with us) with service provider vendors or sub-processor contractors in order to provide a requested service or transaction or in order to analyze Visitor behavior on its website. If applicable, Keyfactor adheres to the notice and consent policies and practices set forth in the General Data Protection Regulation (EU) 2016/679 and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (“GDPR”) with respect to the onward transfer of Personal Data. When engaged in the onward transfer of Personal Data applicable to EU/EEA/UK Data Subjects, Keyfactor enters into agreements with its customers to facilitate the transfer of such Data under the auspices of the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on Standard Contractual Clauses for the Transfer of Personal Data to Third Countries (“SCCs”) as well as the United Kingdom’s International Data Transfer Agreement Addendum (“UK IDTA Addendum”).

2.2.3 COOKIES

Cookies are small pieces of information sent by a website to a Visitor’s computer. Cookies cannot be used to run programs or deliver viruses to your computer. When you visit our website, you encounter a banner at the bottom of the page which reads as follows: “We use cookies to personalize your experience with our website. By using our site, you agree to our privacy policy.” If you click “Okay” next to that notification, you agree to the placement of cookies on your device. Should you decline to accept our site’s cookies, Keyfactor cannot guarantee that your experience on the site will be a fulfilling one. The use of cookies is widespread and enhances a Visitor’s interaction with the site.

2.2.4 LINKS TO OTHER SITES

Please be aware that, when visiting Keyfactor’s site, Visitors may encounter links to other sites that lie outside of Keyfactor’s possession or control. Keyfactor is not responsible for the content or privacy policies that rest on the other sites.

2.3 USERS

2.3.1 GENERAL

Keyfactor collects certain types of data from Users in order to provide services to them. In this section, we will describe how Keyfactor collects and utilizes such data. We will also explain how geographical differences may affect the application of certain components of this Policy. If a User enters or transfers data such as texts, questions, contacts, media files, etc., into the Keyfactor website, that data remains the property of the User.  Keyfactor cannot share such data with a third party without the express consent of the User.

2.3.2 COLLECTION OF USER DATA

A User may submit Personal Information and/or Personal Data such as the individual’s first and last name, the name of the company/employer for which the individual works, an email address, physical address, telephone number, and other relevant data during the User registration process on the Keyfactor platform and/or at some later date. Keyfactor utilizes such information to identify Users and provide them with support, services, mailings, sales and marketing actions, billing information and to meet various contractual obligations.

Keyfactor Users can access, edit, update or delete their contact details at any time by contacting the Keyfactor Data Protection Officer (“DPO”). Our DPO’s contact information appears in section 10 of this Privacy Policy. Keyfactor will not retain a User’s Personal Information or Personal Data any longer than necessary to fulfill the purposes for which it was collected and will comply with the requirements of applicable laws and/or regulations pertinent to the retention of such data.

2.3.3 PROCESSING OF PERSONAL DATA FROM THE EUROPEAN UNION (“EU”) AND EUROPEAN ECONOMIC AREA (“EEA”)

Keyfactor collects, processes, uses, stores and transmits the Personal Data of all European Data Subjects in the EU and EEA—whether they are Visitors to the site or Users of the same—in a manner consistent with the provisions of the GDPR.

In compliance with the EU-U.S. DPF, Keyfactor commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF.

2.3.4 CONTROLLER

In some instances, Keyfactor processes Personal Data as a Controller and in others as a Processor. We have based that assessment upon the definitions of those terms that are provided in the GDPR.

The Keyfactor entity by which you are employed or with which you, as a User external to Keyfactor, have entered into an agreement pertinent to the use of Keyfactor’s platform, is the Controller of User Personal Data for GDPR purposes. Keyfactor requires that all Users conduct the processing of such Personal Data in adherence to the provisions of the GDPR.

Keyfactor stores all Personal Data collected by Keyfactor Users (i.e., Keyfactor’s employees, contractors and sub-processors) in hosting facilities that the company has thoroughly vetted. All hosting is performed in accordance with applicable security controls. Keyfactor manages the transfer of Personal Data into and out of the EU/EEA/UK in accordance with the provisions of the GDPR, the SCCs and the UK IDTA Addendum.

2.3.5 PROCESSING IN THE UNITED STATES OF AMERICA

Keyfactor solely processes the Personal Information of Users whose accounts rest in the U.S. in data centers that are situated in the US. Keyfactor has adopted physical, technical and organizational safeguards for the protection of the Personal Information it processes in the U.S. Those measures substantially mirror the safeguards the company has implemented for the protection of EU Data Subjects’ Personal Data. Such safeguards are designed to protect the Personal Information in Keyfactor’s possession against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure, access, use or processing. Keyfactor will promptly notify affected Users should it become aware that a party or entity has obtained unauthorized access to, or use of, the User’s Personal Information.

Keyfactor stores all Personal Information and other data collected by Keyfactor Users in secure hosting facilities maintained by vetted providers. We have entered into contracts with hosting providers that have been written in a manner designed to ensure that the providers perform all hosting duties in accordance with applicable security controls. Keyfactor works hard to protect and safeguard the Personal Information in the company’s possession and in keeping with all applicable laws and regulations governing the protection of such Personal Information.

3. RETENTION AND DELETION

Keyfactor will not retain the Personal Information in its possession longer than necessary to fulfill the purposes for which it was collected. We will comply with all applicable laws and/or regulations governing the retention of such data. Users must request that Keyfactor delete the Users’ data when necessary.

4. ACCEPTANCE OF THESE CONDITIONS

Keyfactor assumes that all Users of its platforms have carefully read this document and have agreed to its contents. If you do not agree with the provisions of this Privacy Policy, please refrain from using our website and platform. We reserve the right to change our Privacy Policy as necessity dictates. Should you continue to use the Keyfactor website and platform after having been informed of any changes to these provisions, Keyfactor will deem such ongoing use an implied acceptance of its revised Privacy Policy. This Privacy Policy is an integral part of Keyfactor’s terms of use.

5. OUR LEGAL OBLIGATION TO DISCLOSE PERSONAL INFORMATION

Keyfactor reserves the right to reveal a User’s Personal Information to a third party without his/her/their prior permission when the company has reason to believe that it must disclose such information in order to:

  • (a) Establish the identity of, to contact, or to initiate legal proceedings against a person or persons who are suspected of infringing Keyfactor’s intellectual property rights in the company’s products or services; or
  • (b) To protect the interests of others who could be harmed by the User’s activities or in instances in which entities or persons might (whether willfully or negligently) violate another party’s interests in rights and/or property.

Keyfactor also reserves the right to disclose Personal Information to third parties when necessary to comply with legal or regulatory obligations and/or law enforcement requests. Keyfactor will solely exercise the rights to which it alludes in this section in a manner that is consistent with the provisions of applicable data privacy/data protection laws and regulations.

It is important to inform you that Keyfactor is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). We may share your information with the FTC if required by law or in response to a legal process.

At Keyfactor, we understand that individuals should have control over their personal data. We offer the following choices and means for limiting the use and disclosure of personal data:

  • Opt-Out: You can opt out of receiving promotional communications from us by following the instructions provided in those communications or by contacting us directly.
  • Account Settings: You can review and modify your account settings to control the personal data we collect and how it is used.
  • Data Access and Deletion: You can request access to your personal data or ask for its deletion, subject to applicable legal requirements.
  • Cookie Settings: You can manage your preferences for cookies and similar technologies through your browser or device settings.
  • Third-Party Cookies: We may use third-party services that use cookies and similar technologies. You can manage these by visiting the third-party’s privacy policy or cookie policy.
  • Data Security: We implement robust security measures to protect your personal data. While we strive to protect your data, no method of transmission over the internet or electronic storage is entirely secure. If you have concerns about the security of your data, please contact us.

6. CONFIDENTIALITY AND SECURITY

Keyfactor limits access to your Personal Information to those employees, vendors, service providers, and consultants who require access to such information in order to perform their jobs and provide products or services to you.

Keyfactor maintains physical, electronic, and procedural safeguards that are designed to comply with industry standards surrounding the protection of your Personal Information.

As Keyfactor collects and uses Personal Information about our customers for processing purposes, we reserve the right to contract with vendors who can assist us with such processing. Keyfactor requires that such vendors maintain the confidentiality of the Personal Information entrusted to them for processing and that they refrain from using such data for any purpose other than supporting Keyfactor’s provision of services to its customers.

Keyfactor takes responsibility for the security and privacy of your personal information, both within our organization and when transferred to third parties. In the event of any breach of your data privacy or confidentiality due to our actions or negligence, we are committed to:

  • Informing you promptly: In case of a data breach, we will promptly notify you and the appropriate regulatory authorities in accordance with applicable data protection laws.
  • Remedying the situation: We will take appropriate steps to mitigate the consequences of a data breach and prevent its recurrence.
  • Liability for third parties: While we exercise diligence in selecting and contracting with third parties, we cannot assume direct liability for their actions. However, we will work with them to ensure that any issues related to data protection are addressed promptly and effectively.

7. AGE RESTRICTIONS

Keyfactor’s services are solely meant to be purchased and used by those over the age of 18. We neither target provision of our services to individuals below the age of 18 nor do we intend that such services be consumed by or designed to attract the attention of such individuals. If you know or have reason to believe that any individuals under the age of 18 have shared their Personal Information or Personal Data with Keyfactor, please contact us using a method described in section 10 or 11 of this Privacy Policy.

8. HOW TO ACCESS, UPDATE OR DELETE YOUR PERSONAL DATA OR PERSONAL INFORMATION

Customers and Visitors may submit requests to Keyfactor in order to obtain access to, updates or deletion of their Personal Data or Personal information by contacting us as described in sections 10 or 11 below. If you submit such a request to Keyfactor, and we discover that we require the Personal Data or Personal Information at issue in order to provide the products or services you have purchased, Keyfactor will honor the request to the extent required by applicable laws and regulations. As part of that assessment, we will determine the extent to which: (a) our access and/or processing of the Personal Data or Personal Information may be necessary to provide the services purchased; (b) we may require ongoing access to such information for legitimate business purposes; and/or (c) we may be compelled to maintain such information because of legal, regulatory or contractual recordkeeping requirements or other obligations. You may choose to opt out of disclosure of your Personal Data and Personal Information to third parties and cease the processing of such Personal Data or Personal Information.

9. BINDING ARBITRATION

Binding Arbitration: Under certain conditions, you may have the right to invoke binding arbitration to resolve disputes related to your privacy and data protection rights. This means that if we cannot resolve a dispute through our regular channels, we both agree to resolve it through arbitration rather than in court. If you wish to invoke binding arbitration, please contact us at [email protected] and include “Arbitration Request” in the subject line. We will work with you to mutually select an independent arbitrator to address your concerns.

10. CHANGES IN OUR PRIVACY POLICY

We reserve the right to modify this Privacy Policy at any time. If we decide to change our Privacy Policy, we will post those changes to this site as well as any other sites, links or resource materials Keyfactor deems appropriate. We are committed to ensuring that you are aware of the information we collect, how we use it, and under what circumstances, if any, we disclose it. If we make material changes to this Privacy Policy, we will notify you here, by email, or by means of a notice on our home page at least thirty (30) days prior to our implementation of such changes. Keyfactor reserves the right to update its Privacy Policy on a more expedited basis as necessary to comply with applicable legal and regulatory bodies implementation of new and/or amended laws and regulations.

11. KEYFACTOR’S DATA PROTECTION OFFICER

Keyfactor maintains a “Data Protection Officer” who is responsible for all matters related to privacy and data protection. You can reach our Data Protection Officer at the following address:

Keyfactor, Inc.

Attn: Data Protection Officer

6150 Oak Tree Boulevard, Suite 200

Independence, OH 44131

(877) 715-5448

[email protected]

12. DATA PRIVACY FRAMEWORK – ACCOUNTABILITY FOR ONWARD TRANSFER PRINCIPLE

As noted in Section 1 (Introduction) of this Privacy Policy, Keyfactor participates in the EU-U.S. Data Privacy Framework (or, “DPF”) Program developed by the U.S. Department of Commerce and the European Commission, the UK Government and the Swiss Federal Administration. The stated purpose of the Program is “to provide U.S. organizations with reliable mechanisms for Personal Data transfers to the United States from the European Union, United Kingdom and Switzerland while ensuring data protection that is consistent with EU, UK and Swiss law.

As a participant in the DPF Program, Keyfactor has committed to do the following:

  1. Inform individuals about each element listed in the DPF Notice Principle (many of which Keyfactor addresses above in this Privacy Policy) and to acknowledge Keyfactor’s potential liability in cases of onward transfers to third parties.
  2. Comply with the DPF Notice Principle and Choice Principle when transferring Personal Data to a third party acting as a controller.
  3. When participating in an onward transfer of Personal Data, Keyfactor will—in alignment with the “Recourse Enforcement and Liability” Principle—be responsible for processing such Personal Data in compliance with DPF principles and for requiring that any third party agents acting on Keyfactor’s behalf do the same.
  4. Acknowledge that Keyfactor will be held liable under the DPF Principles if an agent of Keyfactor processes Personal Data received via onward transfer in a manner inconsistent with DPF Principles unless Keyfactor proves that it is not responsible for the event giving rise to the damage.

In keeping with the express provisions of the DPF Notice Principle, Keyfactor has provided the information below in clear and conspicuous language:

  1.  Keyfactor participates in the EU-U.S. DPF and has provided a link to, or the web address for, the Data Privacy Framework List.
  2. Keyfactor describes the types of personal data collected in this Privacy Policy and, where applicable, the U.S. entities or U.S. subsidiaries of the organization also adhering to the DPF Principles.
  3. Keyfactor commits to subject the processing and transfer of all Personal Data received from the EU to the to the DPF Principles in reliance on the EU-U.S. DPF.
  4.  Keyfactor has described the purposes for which it collects and uses Personal Data of individuals in this Privacy Policy.
  5. Keyfactor has provided in this Privacy Policy information about how to contact the organization with any inquiries or complaints. In the EU, Keyfactor has chosen to use the panel established by the EU Supervisory Authorities (or Data Protection Authorities) as its independent recourse mechanism (IRM).
  6.  Keyfactor has disclosed the type or identity of third parties to which it discloses Personal Data and the purposes for which it does so in this Privacy Policy.
  7. Keyfactor has confirmed the right of individuals to access their Personal Data in this Privacy Policy.
  8. Keyfactor has informed individuals of the choices and means the organization offers individuals for limiting the use and disclosure of their Personal Data in this Privacy Policy.
  9.  Keyfactor has confirmed the identity of the independent dispute resolution body designated to address complaints and provide appropriate recourse free of charge to individuals in the EU, and it is the panel established by the EU Supervisory Authorities (or Data Protection Authorities).
  10.  Keyfactor acknowledges that it is subject to the investigatory and enforcement powers of the FTC.
  11. Keyfactor acknowledges that, under certain conditions, an affected individual may invoke binding arbitration under the “Recourse Enforcement and Liability” provisions of the DPF.
  12. Keyfactor acknowledges in this Privacy Policy that it is required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
  13. Keyfactor acknowledges that it may be held liable in cases of onward transfers to third parties.

Interested to learn more? The “Key Requirements for DPF Program Participating Organizations” page of the DPF site covers topics such as “Informing individuals about data processing,” “Providing free and accessible dispute resolution,” “Cooperating with the U.S. Department of Commerce,” “Maintaining data integrity and purpose limitation,” “Ensuring accountability for data transferred to third parties,” “Transparency related to enforcement actions” and “Ensuring commitments are kept as long as data is held.”

13. FURTHER INFORMATION

To find details about the sub-processors employed by the Keyfactor in the provision of its services, kindly visit the following link – https://www.keyfactor.com/annex-iii-to-standard-contractual-clauses/

To find details surrounding the technical and organizational measures employed by Keyfactor in the provision of its services, kindly visit the following link – https://www.keyfactor.com/annex-ii-to-standard-contractual-clauses/

If you have any further questions regarding the data Keyfactor collects, or how we use it, please contact us in writing at:

Keyfactor, Inc.

6150 Oak Tree Boulevard, Suite 200

Independence, OH 44131

[email protected]