TruU Authorized Users GDPR Data Privacy Policy. Updated 2024
Introduction
TruU is committed to protecting the privacy and security of personal data in accordance with the General Data Protection Regulation (GDPR) and other applicable laws and regulations. This GDPR Data Privacy Policy describes how we collect, use, and disclose personal data, as well as the rights of data subjects regarding their personal data. Please see the General Privacy Policy of TruU for further descriptions.
TruU Inc. (“TruU”, “we” and its derivatives) provides cybersecurity services in the identity and access management industry. The purpose of our Services is to prevent breaches and unauthorized access to your employer’s network, software, data, applications and physical premises (the, “Cybersecurity Purposes”). We do not sell, lease or otherwise commercialize your personal information or biometrics in any way. We do not offer our services direct to consumers and all information collected from you is solely used for Cybersecurity Purposes. To be clear, we collect information solely in relation to the business, employee or contractor capacity and not in any individual or consumer capacity. The type of information we collect from you varies depending upon the services requested by your employer and the configuration requested for identity and access.
Types of Personal Data Collected
We have designed our system to protect your privacy and anonymize your data to an extreme degree to provide as much protection to your information as reasonably possible. The type of information we collect from you varies depending upon the type and configuration of Services used by your employer in its identity and access management systems.
- Identifiers including name, business email address, business directory name, and, where applicable in additional services, government issued ID such as driver license.
- Electronic Device Information including type, IP address, device type, device identifier, Operating System, cookie ID, service provider, network settings, security protections, applications, tokens and device location.
- Biometric Information – At set-up of the identity and access services, we will create a biometric profile of you and then anonymize that profile through cryptography and create an alphanumeric; and, in most instances, we will use the TCM locked hardware in your existing device ensuring no data leaves your device. The biometric data may include:
- the way you interact with your keyboard and mouse together with typing patterns;
- a digital signature of your voice that does not record what is said but rather how it is said with timber, tone and cadence;
- a digital image of your face (blurring out background images) that is then translated into an anonymized non-recoverable representation alphanumeric based on measuring points of your face; and,
- mouse and keyboard interaction, video and audio sessions provided as part of liveness detection and in accordance with United States National Institute of Standards & Technology verification (“Biometric Information”).
- We acquire information from other trusted sources. These might include companies such as Wifi Access Points,mobile phone carriers and Internet Service Provider.
- When using our Cybersecurity Services we may automatically collect or receive certain information associated with you or your network device(s), such as your computer or mobile devices, including geographical location, and radio signals visible from your devices. This includes information about your use of our Services and your interactions with your employer’s network, data and software applications. Such information may be automatically collected through your company authorized devices. The information we automatically collect may also include geolocation information, such as information that identifies the approximate location of your device and your IP address, which may be used to estimate your location. For example, if you are typically working from Milan, Italy and you logged into the employer network from Milan at 13:03, and then at 13:22 the TruU system warns the IT administrator at your employer that an attempt was made to log in using your credentials from Amsterdam Netherlands, your information will be used to trigger deviations from the baseline personal information we collected from you and your Employer
For additional information on our Biometric Use Policy please refer to this link
The Why: Purposes of Processing Personal Data
The reason why we collect this information is to prevent hackers (including those for economic gain from ransomware and IP theft and international espionage) from using your business access credentials. You remain in control of your information at all times. You may at any time request that we delete your information. Upon the termination of your relationship with your employer, your information will be deleted in whole, but for any information we are required or advised to keep by law or regulation; and then, only to the extent and for the time period so advised or required.
Your Employer may require you to use our system as a condition of continued employment given the Employer’s legal obligations to secure sensitive data and its reasonable concern over the safety and security of its systems and property.
The purpose of our Services is to prevent breaches and unauthorized access to your employer’s network, software, data, applications and physical premises (the, “Cybersecurity Purposes”). Our Services to your employer include transferring your information to your employer for:
- Identity and Access Management Services which confirm you as an authorized user of employer’s property, software, data, application and systems;
- Authenticating the device you are using as an authorized device and requesting your device to verify through its secure cryptoprocessor Trusted Platform Module biometric verification that you have authorized your device to use to verify you (e.g., where you have authorized a smartphone to use your fingerprint or faceID to log into the smartphone, our Service asks your device to provide us a yes/no as to whether you authenticated on that device without requesting the biometric used by the device such as fingerprint or faceID);
- To create a baseline of your Biometrics for comparison to active sessions while accessing company property, networks, data and software applications;
- Transmission of results of authentication (and not the actual audio or video) to your employer;
- Usage information to assess log-in attempts and software access attempts;
- Provide, maintain and improve the Cybersecurity Services;
- Provide end-user and IT support; and,
- Compliance, fraud detection and enforcement, investigation of the criminal, unauthorized access to your employer property, networks, data or software applications.
How Your Information is Shared
Private key information is typically stored on your device in a secure cryptoprocessor in accordance with ISO/IEC 11889. To the extent information is stored in the cloud to be used by the Risk Engine, it is anonymized consistent with Non-Recoverable Representation alphanumerics, encrypted and secured. We only share your information with your employer and its authorized representatives, software applications used by you in the course of performing your duties for your Employer, Active User Directory services and federated identity service providers for access to Employer authorized networks, software, data and applications. If requested by law enforcement or pursuant to valid law enforcement process we may share your information to regulators or law enforcement. We do not provide any government with our encryption keys, the ability to break our encryption keys or unfettered access to your data. Your employer may maintain its own Privacy Policy and policies in relation to the collection and use of information. We encourage you to read that policy. In the context of a merger, sales or asset transfer of TruU, your information may be transferred to an acquiring party in accordance with applicable law and regulations. We may share your information with third parties who perform services on our behalf and in compliance with the policies set forth herein.
Protecting Your Information
We are SOC-2 Compliant, meaning that a third party has tested and validated our systems and deemed them to be in accordance with industry standards. We have architected our system to ensure your privacy. We have adopted technical, administrative, and physical security procedures to help protect your information from loss, misuse, unauthorized access, and alteration, including ensuring data is encrypted at rest and in transit. Please note that no data transmission or storage can be guaranteed to be 100% secure.To protect your information, we implement security measures such as encryption, firewalls, and intrusion detection and prevention systems.
Children’s Privacy
Our Cybersecurity Services are limited to those over 18 years of age. Our video detection is designed to blur out all images not involving the face and only records a non-recoverable representation (exemplified by landmark points on the face) and not the actual face itself. If you have reason to believe that a child under 18 years of age has provided us with information, please contact us at support@truu.ai and we will immediately delete such information, subject to and in compliance with applicable law.
Consent
We may process personal data if the individual has given their consent for the specific purpose.
Contractual obligations
We may process personal data to fulfill our contractual obligations to the individual.
Legitimate interests
We may process personal data for our legitimate interests, such as improving our products and services, preventing fraud and security risks, and complying with legal obligations.
Data Subject Rights
Individuals have the following rights regarding their personal data:
- Right to access: Individuals have the right to request access to their personal data.
- Right to rectification: Individuals have the right to request that their personal data be corrected or updated.
- Right to erasure: Individuals have the right to request that their personal data be deleted, subject to certain exceptions.
- Right to object: Individuals have the right to object to the processing of their personal data for certain purposes.
Right to data portability: Individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit their personal data to another controller.
Data Security and Retention
We take appropriate technical and organizational measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. We retain personal data only as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law or regulation.
Disclosure of Personal Data
We may disclose personal data to the following parties, subject to appropriate safeguards:
- Service providers: We may disclose personal data to service providers who perform services on our behalf, such as payment processing, customer service, and website hosting.
- Legal authorities: We may disclose personal data to legal authorities if required by law or in response to a legal request.
- Business transfers: We may disclose personal data as part of a business transfer, such as a merger, acquisition, or asset sale.
International Data Transfers
We may transfer personal data to countries outside of the European Economic Area (EEA), subject to appropriate safeguards, such as Standard Contractual Clauses or Binding Corporate Rules.
Changes to this GDPR Data Privacy Policy
We may update this GDPR Data Privacy Policy from time to time, and will notify individuals of any material changes.
Corporate Address and Contact Number
TruU, Inc. 2350 Mission College Blvd., Suite 780 Santa Clara, CA 95054
Toll Free: 1 877 214 2838
For Questions, Concerns or Legal Notices
To Request Deletion of Data or Exercise Rights in Relation Thereto:
biometricdeletionrequest@truu.ai
Copyright © 2024 TruU, Inc. All rights reserved.