1 Kiuwan’s compliance to GDPR
GDPR stands for the General Data Protection Regulation and is effective as of May 25th, 2018.
GDPR replaces national privacy and security laws (for example, Organic Spanish Law 15/1999 of 13th of December, of Personal Character Data Protection) that previously existed within the EU with a single, comprehensive EU-wide law that governs the use, sharing, transfer and processing of any personal data that originates from the EU.
- Kiuwan commits to follow appropriate security measures and precautions in accordance with GDPR.
- Kiuwan will assist with notifying regulators of breaches and promptly communicating any breaches to customers and users.
- Kiuwan will ensure that employees authorized to process personal data have committed to confidentiality.
- We will hold any subprocessors that handle personal data, including our data center partners, to the same data management, security, and privacy practices and standards to which we hold ourselves.
- Kiuwan will assist our customers, insofar as possible, to respond to data subject requests our customers may receive under the GDPR.
1.1 Kiuwan processing of personal data
Regulation (EU) 2016/6791, the European Union’s (‘EU’) new General Data Protection Regulation (‘GDPR’), regulates the processing by an individual, a company or an organization of personal data relating to individuals in the EU.
Personal data constitutes any information related to a natural person (or ‘Data Subject’), that can be used to directly or indirectly identify the person.
Examples of personal data are:
- a name and surname;
- a photo;
- a home address;
- an email address such as firstname.lastname@example.org;
- bank details;
- an identification card number;
- medical information;
- posts on social networking websites;
- location data (for example the location data function on a mobile phone);
- an Internet Protocol (IP) address;
- a cookie ID;
According to the business nature of Kiuwan, the degree of personal data processed by Kiuwan is quite low (you can find exact information under “What personal information we collect” section).
The most significant changes in the new policy are:
- More understandable language
- To make the policy easier to understand, we use clear and plain language to illustrate our activities.
- More transparency and control over your information
- In a plain language we want to make you clearly understand what information we collect from you, how, for what purposes, for how long and how you can access, update and object to its use.
- Our policy explains how you can make choices about your information, and the measures we’ve put in place to keep your information secure.
- What personal information we collect
- How we use personal information
- How we share personal information
- How we store and secure personal information
- How you can access and control your personal information
- Other important privacy information
Kiuwan offers a wide range of products (either cloud or on-premise). We will commonly refer to all Kiuwan products, together with other services and websites, as “Services” in this policy.
3.1 On-premise and cloud-based Services
Kiuwan Services can be provided through cloud-based or on-premise versions of the products.
Where the Services are provided under on-premise versions, a contract with an organization (for example, your employer or contractor) exists and that organization controls the complete infrastructure of Kiuwan as well as the information gathered and processed by the Services. Under on-premise , Kiuwan does not host, store, transmit, receive or collect any information about you (including your content), except in cases where supplied and permitted by your administrator.
In case you are using cloud-based version you should read this document.
Everything that follows applies only to cloud-based service.
4 What personal information we collect
4.1 User Profile
All the personal information we collect from you is stored as a User Profile.
User profile information includes following information:
- Email address
- Last Name
- Phone number
- Company Name
- Work Address
We collect User Profile information from different sources:
- when you provide it to us,
- when you use our Services, and
- when other sources provide it to us
4.2 Information you provide to us
We collect information about you when you enter it into the Services or otherwise provide it directly to us.
4.2.1 Content you provide through our Websites
We collect information that you submit to Kiuwan websites (Public Website and Services Website) .
You also provide content to us when you provide feedback or when you participate in any interactive features, surveys, contests, promotions, sweepstakes, activities or events.
4.2.2 Information you provide through our Support Channels
The Services also include our customer support, where you may choose to submit information regarding a problem you are experiencing with the Service.
Whether you designate yourself as a technical contact, open a support ticket, speak to one of our representatives directly or otherwise engage with our support team, you will be asked to provide contact information, a summary of the problem you are experiencing, and any other documentation, screenshots or information that would be helpful in resolving the issue.
4.2.3 Content you provide through our Services
The Services include the Kiuwan products you use, where we collect and store operational information related to your activity. This content does not include includes any other personal information about you except your Kiuwan username and email.
Examples of content we collect and store include:
- analyses you have executed,
- action plans you have created, and
- any feedback you provide to us.
4.2.4 Payment Information
We collect certain payment and billing information when you register for purchased Services. This info includes designated billing representatives (including name and contact information) as well as payment information (such as payment card details, which we collect via secure payment processing services).
4.3 Information we collect automatically when you use the Services
We automatically collect information about you when you use Kiuwan Services, including browsing our websites and taking certain actions within the Services.
4.3.1 Analytics of Service Use
We keep track of certain information when you visit and interact with any of our Services. This information includes the features you use and how you interact with the Services and it’s collected through analytics techniques.
4.3.2 Connection Information
We collect information about the connection you use to access the Services. This information includes your connection type, browser type and IP address.
We use your IP address and/or country preference in order to approximate your location to provide you with a better Service experience.
4.3.3 Cookies and Other Tracking Technologies
|Google Analytics||__utma||Analysis cookie||http://www.google.com/analytics/learn/privacy.html|
|Google Maps||APISID||Technical cookie||http://www.google.com/intl/en/policies/privacy|
|Kiuwan Website||cookie-agreed-en||Technical cookie|
|Kiuwan App||qmm_user_locale_32||Personalization cookie|
In other Kiuwan sites, other third party cookies are installed to all visitors, even if they are not registered users in the correspondent platforms:
- Kiuwan in Facebook.
- Cookies: datr, reg_fb_gate y reg_fb_ref.
- Their purpose is detailed in the Facebook cookie usage page.
- Kiuwan in Twitter.
- Cookies: guest_id, __utma, __utmb, __utmc, __utmz, original_referer y _twitter_sess.
- Their purpose is detailed in the Twitter cookie usage page.
4.4 Information we receive from other sources
We receive information about you from other Service users, from third-party services, and from our business and channel partners.
4.4.1 Other users of the Services (Account Owner)
The Administrator of your Kiuwan account provides your initial User Profile information.
Other users of our Services may provide information about you when they submit content through the Services. For example, your name and email address from other Service users when they provide it in order to invite you to the Services.
4.4.2 Other services you link to your account (3rd party auth system)
We receive information about you when you or your administrator integrate or link a third-party service with our Services.
For example, if you log into the Services using a 3rd party auth system, we receive your name and email address to authorize your use of the Service.
4.4.3 Kiuwan Partners
We work with a global network of partners who provide consulting, implementation, training and other services around Kiuwan products. Some of these partners also help us to market and promote our products, generate leads for us, and resell our products.
We receive information from these partners, such as billing information, billing and technical contact information, company name, what Kiuwan products you have purchased or may be interested in, evaluation information you have provided, what events you have attended, and what country you are in.
5 How we use personal information
If you are an individual in the European Economic Area (EEA), we collect and process information about you only where we have legal bases for doing so under applicable EU laws. This means we collect and use your information only where:
- We need it to provide you and customize the Services, as well as to protect the safety and security of the Services;
- It satisfies a legitimate interest (which is not overridden by your data protection interests), such as for research and development, to market and promote the Services and to protect our legal rights and interests;
- We need to process your data to comply with a legal obligation, or
- You give us consent to do so for another specific purpose
If you have consented to our use of information about you for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place. Where we are using your information you have the right to object to that use though, in some cases, this may mean no longer using the Services.
Below you can find specific purposes for which we use the information we collect about you.
For any other purpose not listed below, we will not use such information unless you have provided an explicit consent. For example, if we would want to publish your testimonials to promote the Services, we always will ask for your consent.
5.1 To provide the Services and personalize your experience
We use information about you to provide the Services to you, manily to authenticate you when you log in and provide customer support.
Our Services also include customized features that personalize your interaction with the Services depending on your permissions, most of them in the form to allow/deny you to access some features and/or data.
5.2 For research and development
We are always looking for ways to make our Services smarter, faster, secure and useful to you.
We use analytics data about how people use our Services and feedback provided directly to us to troubleshoot and to identify trends, usage, activity patterns and areas for integration and improvement of the Services.
5.3 To communicate with you about the Services
We use your contact information to send transactional communications via emails and in-app messages, notifying when analyses have been finished, reminding you of subscription expirations, sending you technical notes, updates and new versions, security alerts, and administrative messages. Also, responses to your questions and requests when providing customer support.
We also send you communications as you onboard to a particular Service to help you become more proficient in using that Service. These communications are part of the Services and in most cases you cannot opt out of them. If an opt out is available, you will find that option within the communication itself or in your account settings.
5.4 To market, promote and drive engagement with the Services
We use your contact information and information about how you use the Services to send promotional communications that may be of specific interest to you, including by email and in-app messages.
These communications are aimed at driving engagement and maximizing what you get out of the Services, including information about new features, survey requests, newsletters, and events we think may be of interest to you. We also communicate with you about new product offers, promotions and contests. You can control whether you receive these communications as described below under “Opt-out of communications.”
5.5 To provide customer support
We use your information to resolve technical issues you find, to respond to your requests for assistance and to repair and improve the Services.
5.6 For safety and security
We use information about you and your Service use to verify accounts and activity, to monitor suspicious or fraudulent activity and to identify violations of Service policies.
5.7 To protect our legitimate business interests and legal rights
Where required by law or where we believe it is necessary to protect our legal rights, interests and the interests of others, we use information about you in connection with legal claims, compliance, regulatory, and audit functions, and disclosures in connection with the acquisition, merger or sale of a business.
6 How we share personal information
We share information we collect about you in the ways discussed below, including in connection with possible business transfers, but we do not sell or provides information about you to advertisers or other third parties.
6.1 Sharing with other Service users
If you are an administrator for a particular Kiuwan account, we may share your contact information with current or past Service users, for the purpose of facilitating Service-related requests.
6.2 Sharing with third parties
Kiuwan adheres to a strict policy for ensuring the privacy of your personally identifiable information (such as full name, address, e-mail address, and/or other identifiable information). We will never share your information with third parties outside Kiuwan unless you give express permission for us to do so, or unless we are required to do so under applicable law.
6.2.1 Kiuwan Partners
We work with third parties who provide consulting, sales, and technical services to deliver and implement customer solutions around the Services. We may share your information with these third parties in connection with their services, such as to assist with billing and collections, to provide localized support, and to provide customizations. We may also share information with these third parties where you have agreed to that sharing.
6.2.2 Service Providers
Although not currently, we might work with third-party service providers to provide website and application development, hosting, maintenance, backup, storage, virtual infrastructure, payment processing, analysis and other services for us, which may require them to access or use information about you.
If a service provider needs to access information about you to perform services on our behalf, they do so under close instruction from us, including policies and procedures designed to protect your information.
6.2.3 Third Party Apps
You, your administrator or other Service users may choose to add new functionality to integrate the behavior of the Services by communicating third party apps with the Services. Doing so may give third-party apps access to your account and information about you like your name and email address, and any content you choose to use in connection with those apps.
6.2.4 Compliance with Enforcement Requests and Applicable Laws; Enforcement of Our Rights
In exceptional circumstances, we might share information about you with a third party if we believe that sharing is reasonably necessary to
- comply with any applicable law, regulation, legal process or governmental request, including to meet national security requirements,
- enforce our agreements, policies and terms of service,
- protect the security or integrity of our products and services,
- protect Kiuwan, our customers or the public from harm or illegal activities, or
- respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person.
6.2.5 Business Transfers
7 How we store and secure personal information
7.1 Information storage and security
Kiuwan uses some of the most advanced technology for Internet security available today.
We implement safeguards designed to protect your information during transmission through the Internet and while stored on our hosted systems.
Secure Socket Layer (SSL) technology protects your information in transit using encryption and authentication server both of your computer and data between the data center, ensuring that your data in transit is safe, secure and available only to registered users in your organization.
In addition to SSL encryption, your account / data are protected by a mandatory User ID and Password. Any password-protected areas of the Service can be accessed only with a valid password. Each password owner is responsible for keeping the password secret and confidential, and for notifying Kiuwan if the password may have been stolen or otherwise might be misused.
Regarding data storage, our servers are securely located in a state-of-the-art facility in Ireland managed by Amazon AWS, a premier provider of managed hosting and advanced connectivity solutions. Kiuwan has chosen Amazon because of their reputation for quality service and support as well as their unparalleled reputation for reliably posting many of the internet’s most trafficked web systems.
For further info on Security measures please visit Security Policy at https://www.kiuwan.com/security-policy/
7.2 How long we keep information
How long we keep information we collect about you depends on the type of information, as described in further detail below.
7.2.1 Account and User Profile information
We retain your account data and profile information for as long as the Kiuwan account is active.
After user deletion, user profile information (as described above at “Account and Profile Information”) is logically deleted (i.e. it’s not accessible) although is physically maintained as long as the account is active.
Once the Kiuwan account expires or is deleted (by the Kiuwan account administrator), account information is logically deleted (cannot be accessed through any of the Services functionalities) but it’s physically maintained during 3 months so it can be recovered in case it’s decided to re-activate the Services.
After such time, we will physically delete or, if this is not possible (for example, because the information has been stored in backup archives), then we will securely store your information and isolate it from any further use until physical deletion is possible.
We might also retain some of your information if necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements, to support business operations, and to continue to develop and improve our Services.
Where we retain information for Service improvement and development, we take steps to eliminate information that directly identifies you, and we only use the information to uncover collective insights about the use of our Services, not to specifically analyze personal characteristics about you.
7.2.2 Analyses and related information
Any Kiuwan analysis contains two main sets of information:
- Global Indicators (Risk Index, Global Indicator, EffortToTarget, etc..), i.e. overall indicators/metrics about the analysis
- Full details on defects and vulnerabilities (nature of the defect, associated file and line number, etc.)
Complete and detailed analysis information is maintained as long as the Kiuwan account is active and data antiquity is not older than 3 months.
The Data Purge Policy applies differently depending the scope of the analysis (baseline or delivery).
- For Baseline Analyses
- Full analysis data is maintained for analysis not older than 3 months , with the following exceptions:
- Full information of last 5 analyses of every application are always maintained (regardless of its antiquity)
- If the analysis contains a live Action Plan (i.e. not expired), full analysis data are also maintained (regardless of its antiquity).
- For those analyses older than 3 months:
- Global Indicators are always maintained, as well as fired Rules and their total number of defects
- Full details on defects are vulnerabilities are deleted (i.e. detailed defects information and file metrics)
- Full analysis data is maintained for analysis not older than 3 months , with the following exceptions:
- For Delivery Analyses
- Resolved deliveries analyses
- Analysis information is maintained at the same degree of detail that its associated baseline. In other words, if the baseline contains full info, the delivery will also contain full info. If the baseline is purged, the delivery will be purged as well.
- In-progress deliveries analyses
- Full analysis data is maintained as long as its associated baseline also maintains full detail.
- Once the baseline analysis is purged, the delivery analysis data are completely deleted.
- Resolved deliveries analyses
7.2.3 Marketing information
Deleting an account in the application does not mean to unsubscribe from periodical email marketing communications. Users can always unsubscribe from these communications directly clicking the appropriate link in the received emails.
Unless explicitly requested not to receive any marketing emails, we will retain information about your marketing preferences to send to you email marketing communications
8 How you can access and control your personal information
You have certain choices available to you when it comes to your information. Below is a summary of those choices, how to exercise them and any limitations.
8.1 Your Rights
Below you can find your rights when you provide to us your personal data.
|Access||To access your information|
|Update||To update / modify your information|
|Deletion||To delete your information|
|Object||To object to our use of your information (including for marketing purposes)|
|Copy||To request a copy of your information|
|Revocation||To revoke a previously granted right to use your information|
Below, we describe the tools and processes for exercising these rights.
- You can exercise some of the choices by logging into the Services and using settings available within the Services or your account profile.
- If you are not the Kiuwan Account Owner (see “Notice to End Users” below), you might need to contact your Kiuwan Account Owner to fulfill some request.
- For all other requests, you may contact us as provided in the 9.4 Holder Details section below to request assistance.
Your request and choices may be limited in certain cases: for example, if fulfilling your request would reveal information about another person, or if you ask to delete information which we or your administrator are permitted by law or have compelling legitimate interests to keep.
If you have unresolved concerns, you may have the right to complain to a data protection authority in the country where you live, where you work or where you feel your rights were infringed.
8.1.1 Access and update your information
Our Services and related documentation give you the ability to access and update certain information about you from within the Service.
For example, you can access and update your profile information within your Account >> Profile settings.
8.1.2 Delete your information
You can delete your data according to the following scenarios:
- If you are not the account owner (i.e. you are an end user), you should contact your Kiuwan Account Owner to request to deactivate your user account.
- If you are the Kiuwan Account Owner, you can delete any user account (as long as associated data). In case you delete your own account, the complete account will be deleted.
Please be aware that deactivating your account does not delete your information; your information remains for some time just for reactivation purposes. Please see 2.7.2 How long we keep information.
In case you want all the information to be deleted immediately, please contact us. Please note, however, that we may need to retain certain information for record keeping purposes, to complete transactions or to comply with our legal obligations.
8.1.3 Request that we stop using your information (objection / revocation)
In some cases, you may ask us to stop accessing, storing, using and otherwise processing your information where you believe we don’t have the appropriate rights to do so.
For example, if you believe a Services account was created for you without your permission or you are no longer an active user, you can request that we delete your account as provided in this policy.
Where you gave us consent to use your information for a limited purpose, you can contact us to withdraw that consent, but this will not affect any processing that has already taken place at the time. You can also opt-out of our use of your information for marketing purposes by clicking on the unsubscribe link or contacting us.
When you make such requests, we may need time to investigate and facilitate your request. If there is delay or dispute as to whether we have the right to continue using your information, we will restrict any further use of your information until the request is honored or the dispute is resolved.
8.1.4 Opt out of communications
You may opt out of receiving promotional communications from us by using the unsubscribe link within each email, updating your email preferences within your Service account settings menu, or by contacting us to have your contact information removed from our promotional email list or registration database.
Even after you opt out from receiving promotional messages from us, you will continue to receive transactional messages from us regarding our Services. You will continue receiving these transactional messages as long as you’re an active user of the Services.
8.1.5 Turn off Cookie Controls
Relevant browser-based cookie controls are described at 188.8.131.52 Cookies and Other Tracking Technologies
9 Other important privacy information
9.1 List of Kiuwan Data Subprocessors
|3rd party service /vendor||Purpose||Country||Website|
|Amazon AWS||Data hosting||Ireland||https://aws.amazon.com/|
|Mandrill||Transactional Email Service||USA||http://www.mandrill.com/|
|Intercom||Sales, Marketing and Support Messaging||USA||https://www.intercom.com/|
|Chargebee||Billing and Invoicing||USA, India||https://www.chargebee.com/|
|BigQuery Google Cloud Platform||Data hosting||USA||https://cloud.google.com/bigquery/|
|SalesForce||Customer Relationship Management||USA||https://www.salesforce.com/|
9.2 Notice to End Users
Unless you are the owner of a single-user kiuwan account, most probable you will be a user of a corporate Kiuwan account owned by an organization (your company or contractor).
That organization acts as the administrator of the Services and is responsible for the user accounts over which it has control. This responsibility is personalized through the Kiuwan Account Owner. The Owner is a named user who has the ability to grant admin privileges to other users. Together the owner and the users with admin privileges will be considered as “administrators”.
If you are not an “administrator” user, you are considered as a End User and, regarding your personal data, administrators are able to:
- require you to reset your account password;
- restrict, suspend or terminate your access to the Services;
- access information in and about your account;
- change the email address associated with your account;
- change your information, including profile information;
- restrict your ability to edit, restrict, modify or delete information
9.4 Holder details
Holder: Kiuwan Software, S.L.
Registered address: C/. Norias, 80 | 28221 Majadahonda (Madrid).
Registered details: Register office in Madrid, Tomo 26.937, Sheet 115, Section 8, Page M-485430, entry 1ª.
Email Address: email@example.com
If you have questions or concerns about how your information is handled, please direct your inquiry to above email address.