TruU Authorized Users of Services Privacy Policy of TruU, Inc. 2024
Overview
TruU Inc. (“TruU”, “we” and its derivatives) provides cybersecurity services in the identity and access management industry. The purpose of our Services is to prevent breaches and unauthorized access to your employer’s network, software, data, applications and physical premises (the, “Cybersecurity Purposes”). We do not sell, lease or otherwise commercialize your personal information or biometrics in any way. We do not offer our services direct to consumers and all information collected from you is solely used for Cybersecurity Purposes. To be clear, we collect information solely in relation to the business, employee or contractor capacity and not in any individual or consumer capacity. The type of information we collect from you varies depending upon the services requested by your employer and the configuration requested for identity and access. All information collected is done so in compliance with the United States National Institute of Standards and Technology for Cybersecurity and in compliance with applicable law
We have designed our system to protect your privacy and anonymize your data to an extreme degree to provide as much protection to your information as reasonably possible. Examples of the type of information we collect include:
- Information provided by your employer such as an employee ID number that only your employer can trace back to you and not TruU;
- We also collect and process device data such as IP Address and proximity signals for device location including for determining whether there has been an unauthorized access to employer data such as if there would be a device log-in from Amsterdam The Netherlands and twenty minutes later the same device log-in from Dallas, Texas;
- An anonymized, digitized representation of the manner in which you interact with your keyboard and mouse but never what you type but rather how you type;
- Spectral voice analysis that is converted to a digitized sequence representing cadence, tone and timber of your voice but never what you say but rather how it is said; and,
- an alphanumeric that corresponds to a non-invertible representation of your face.
As defined by the United States National Institute of Standards and Technology: “The use of biometrics (something you are) in authentication includes both measurement of physical characteristics and behavioral characteristics.” We anonymize this data using the latest hashing and randomizing technologies.
The reason why we collect this information is to prevent hackers (including those for economic gain from ransomware and IP theft and international espionage) from using your business access credentials. You remain in control of your information at all times. You may at any time request that we delete your information. Upon the termination of your relationship with your employer, your information will be deleted in whole, but for any information we are required or advised to keep by law or regulation; and then, only to the extent and for the time period so advised or required.
Your Employer may require you to use our system as a condition of continued employment given the Employer’s legal obligations to secure sensitive data and its reasonable concern over the safety and security of its systems and property.
As best Explained by the United States National Institute of Standards and Technology, Cybersecurity Subdivision (NIST Special Publication 800-63B Digital Identity Guidelines):
“A digital identity is always unique in the context of a digital service, but does not necessarily need to be traceable back to a specific real-life subject. In other words, accessing a digital service may not mean that the underlying subject’s real-life representation is known. Identity proofing establishes that a subject is actually who they claim to be. Digital authentication is the process of determining the validity of one or more authenticators used to claim a digital identity. Authentication establishes that a subject attempting to access a digital service is in control of the technologies used to authenticate. For services in which return visits are applicable, successfully authenticating provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously.
Statement of Principles
- TruU, Inc. (“TruU”) will never sell your Personal Information and will only transfer your information to your employer under an agreement between your employer and TruU for the Cybersecurity Purposes.
- TruU will only use your Personal Information at the request of your employer and with your consent, for the Cybersecurity Purposes which are designed for the purpose of preventing and detecting unauthorized access of your employer’s network, data, applications, or physical access to your employer’s sites.
- TruU has architected by design numerous security and privacy controls into our systems. We are committed to supporting the following principles that put you in control of when and how your Personal Information is used:
- You are in control of your own Personal Information that you provide to TruU.
- You must provide explicit consent to specific information we will collect from you, analyze and forward to your employer
- You can revoke authorization of use of your Personal Information at any time by emailing biometricdeletionrequest@truu.ai and this request will be communicated to your Employer as you may no longer have access to your software, data or work environment.
- You can request deletion of all your Personal Information at any time.
- Your Personal Information will be deleted upon termination of your relationship with your employer, but for that information required or advised to be kept by law or regulation and then only the information required or advised and only for the advised or required time.
Information We Collect from You
The type of information we collect from you varies depending upon the type and configuration of Services used by your employer in its identity and access management systems.
- Identifiers including name, business email address, business directory name, and, where applicable in additional services, government issued ID such as driver license.
- Electronic Device Information including type, IP address, device type, device identifier, Operating System, cookie ID, service provider, network settings, security protections, applications, tokens and device location.
- Biometric Information – At set-up of the identity and access services, we will create a biometric profile of you and then anonymize that profile through cryptography and create an alphanumeric; and, in most instances, we will use the TCM locked hardware in your existing device ensuring no data leaves your device. The biometric data may include:
- the way you interact with your keyboard and mouse together with typing patterns;
- a digital signature of your voice that does not record what is said but rather how it is said with timber, tone and cadence;
- a digital image of your face (blurring out background images) that is then translated into an anonymized non-recoverable representation alphanumeric based on measuring points of your face; and,
- mouse and keyboard interaction, video and audio sessions provided as part of liveness detection and in accordance with United States National Institute of Standards & Technology verification (“Biometric Information”).
- We acquire information from other trusted sources. These might include companies such as Wifi Access Points, mobile phone carriers and Internet Service Provider.
For additional information on our Biometric Use Policy please refer to this link.
When using our Cybersecurity Services we may automatically collect or receive certain information associated with you or your network device(s), such as your computer or mobile devices, including geographical location, and radio signals visible from your devices. This includes information about your use of our Services and your interactions with your employer’s network, data and software applications. Such information may be automatically collected through your company authorized devices. The information we automatically collect may also include geolocation information, such as information that identifies the approximate location of your device and your IP address, which may be used to estimate your location. For example, if you are typically working from Columbus and you logged into the employer network from Columbus, USA at 9:00 a.m., and then at 10:00 a.m. the TruU system warns the IT administrator at your employer that an attempt was made to log in using your credentials from Amsterdam Netherlands, your information will be used to trigger deviations from the baseline personal information we collected from you and your Employer.
The Why: Purposes for Which the Information is Used
The purpose of our Services is to prevent breaches and unauthorized access to your employer’s network, software, data, applications and physical premises (the, “Cybersecurity Purposes”). Our Services to your employer include transferring your information to your employer for:
- Identity and Access Management Services which confirm you as an authorized user of employer’s property, software, data, application and systems;
- Authenticating the device you are using as an authorized device and requesting your device to verify through its secure cryptoprocessor Trusted Platform Module biometric verification that you have authorized your device to use to verify you (e.g., where you have authorized a smartphone to use your fingerprint or faceID to log into the smartphone, our Service asks your device to provide us a yes/no as to whether you authenticated on that device without requesting the biometric used by the device such as fingerprint or faceID);
- To create a baseline of your Biometrics for comparison to active sessions while accessing company property, networks, data and software applications;
- Transmission of results of authentication (and not the actual audio or video) to your employer;
- Usage information to assess log-in attempts and software access attempts;
- Provide, maintain and improve the Cybersecurity Services;
- Provide end-user and IT support; and,
- Compliance, fraud detection and enforcement, investigation of the criminal, unauthorized access to your employer property, networks, data or software applications.
How Your Information is Shared
Private key information is typically stored on your device in a secure cryptoprocessor in accordance with ISO/IEC 11889. To the extent information is stored in the cloud to be used by the Risk Engine, it is anonymized consistent with Non-Recoverable Representation alphanumerics, encrypted and secured. We only share your information with your employer and its authorized representatives, software applications used by you in the course of performing your duties for your Employer, Active User Directory services and federated identity service providers for access to Employer authorized networks, software, data and applications. If requested by law enforcement or pursuant to valid law enforcement process we may share your information to regulators or law enforcement. We do not provide any government with our encryption keys, the ability to break our encryption keys or unfettered access to your data. Your employer may maintain its own Privacy Policy and policies in relation to the collection and use of information. We encourage you to read that policy. In the context of a merger, sales or asset transfer of TruU, your information may be transferred to an acquiring party in accordance with applicable law and regulations. We may share your information with third parties who perform services on our behalf and in compliance with the policies set forth herein.
Protecting Your Information
We are SOC-2 Compliant, meaning that a third party has tested and validated our systems and deemed them to be in accordance with industry standards. We have architected our system to ensure your privacy. We have adopted technical, administrative, and physical security procedures to help protect your information from loss, misuse, unauthorized access, and alteration, including ensuring data is encrypted at rest and in transit. Please note that no data transmission or storage can be guaranteed to be 100% secure.
To protect your information, we implement security measures such as encryption, firewalls, and intrusion detection and prevention systems.
Children’s Privacy
Our Cybersecurity Services are limited to those over 18 years of age. Our video detection is designed to blur out all images not involving the face and only records a non-recoverable representation (exemplified by landmark points on the face) and not the actual face itself. If you have reason to believe that a child under 18 years of age has provided us with information, please contact us at support@truu.ai and we will immediately delete such information, subject to and in compliance with applicable law.
Additional Information If You Are Located in US States including California and Illinois, European Union or European Economic Area
Residents of the United States including California. Pursuant to the California Consumer Privacy Act of 2018, as amended, residents of California are entitled to additional rights and disclosures regarding their Personal Information that can be found here. Additionally, any person located outside of California is encouraged to read the notification and contact us with any concerns or request a deletion of their personal information, i.e, Right to be Forgotten. If you are located within the European or European Economic Area additional disclosures and rights may be found here.
By providing your information to the Services you are consenting to the transfer of your information to the United States for processing and maintenance in accordance with this Privacy Policy and our Terms of Service. You are also consenting to the application of Delaware law and controlling U.S. Federal law in all matters concerning the TruU Service. If you are located outside the United States and accessing the Services, a separate Privacy Policy applicable to you will be available to you. If you cannot locate the privacy policy applicable to you, please contact legalandprivacy@truu.ai.
Updates
This Privacy Policy may be updated periodically to reflect new TruU features or changes in our Personal Information practices. We will post a notice for consumers at the top of this Privacy Policy of any significant changes. We will indicate at the top of the Privacy Policy when the policy was most recently updated.
Corporate Address and Contact Number
TruU, Inc. 2350 Mission College Blvd., Suite 780 Santa Clara, CA 95054
Toll Free: 1 877 214 2838
For Questions, Concerns or Legal Notices
To Request Deletion of Data or Exercise Rights in Relation Thereto:
biometricdeletionrequest@truu.ai
Copyright © 2024 TruU, Inc. All rights reserved.