TruU Inc. (“TruU”, “we” and its derivatives) provides cybersecurity services in the identity and access management industry. The purpose of our Services is to prevent breaches and unauthorized access to your employer’s network, software, data, applications and physical premises (the “Cybersecurity Purposes”). We do not sell, lease or otherwise commercialize your personal information or biometrics in any way. We do not offer our services directly to consumers and all information collected from you is solely used for Cybersecurity Purposes. To be clear, we collect information solely in relation to the business, employee or contractor capacity and not in any individual or consumer capacity. The type of information we collect from you varies depending upon the services requested by your employer and the configuration requested for identity and access. All information is collected in compliance with the United States National Institute of Standards and Technology for Cybersecurity and in compliance with applicable law.
We have designed our system to protect your privacy and anonymize your data to an extreme degree to provide as much protection to your information as reasonably possible. Examples of the type of information we collect include:
- Information provided by your employer such as an employee ID number that only your employer can trace back to you and not TruU;
- We also collect and process device data such as IP address and proximity signals for device location, including for determining whether there has been unauthorized access to employer data, for example a device log-in from Amsterdam, The Netherlands and, twenty minutes later, a log-in by the same device from Dallas, Texas;
- An anonymized, digitized representation of the manner in which you interact with your keyboard and mouse: never what you type, but rather how you type;
- Spectral voice analysis that is converted to a digitized sequence representing cadence, tone and timbre of your voice: never what you say, but rather how it is said; and,
- An alphanumeric that corresponds to a non-invertible representation of your face.
As defined by the United States National Institute of Standards and Technology: “The use of biometrics (something you are) in authentication includes both measurement of physical characteristics and behavioral characteristics.” We anonymize this data using the latest hashing and randomizing technologies.
The reason why we collect this information is to prevent hackers (including those for economic gain from ransomware and IP theft and international espionage) from using your business access credentials. You remain in control of your information at all times. You may at any time request that we delete your information. Upon the termination of your relationship with your employer, your information will be deleted in whole, but for any information we are required or advised to keep by law or regulation; and then, only to the extent and for the time period so advised or required.
Your Employer may require you to use our system as a condition of continued employment given the Employer’s legal obligations to secure sensitive data and its reasonable concern over the safety and security of its systems and property.
As best explained by the United States National Institute of Standards and Technology, Cybersecurity Subdivision (NIST Special Publication 800-63B Digital Identity Guidelines):
“A digital identity is always unique in the context of a digital service, but does not necessarily need to be traceable back to a specific real-life subject. In other words, accessing a digital service may not mean that the underlying subject’s real-life representation is known. Identity proofing establishes that a subject is actually who they claim to be. Digital authentication is the process of determining the validity of one or more authenticators used to claim a digital identity. Authentication establishes that a subject attempting to access a digital service is in control of the technologies used to authenticate. For services in which return visits are applicable, successfully authenticating provides reasonable risk-based assurances that the subject accessing the service today is the same as the one who accessed the service previously.”
Statement of Principles
- TruU, Inc. (“TruU”) will never sell your Personal Information and will only transfer your information to your employer under an agreement between your employer and TruU for the Cybersecurity Purposes.
- TruU will only use your Personal Information at the request of your employer and with your consent, for the Cybersecurity Purposes which are designed for the purpose of preventing and detecting unauthorized access of your employer’s network, data, applications, or physical access to your employer’s sites.
- TruU has architected by design numerous security and privacy controls into our systems. We are committed to supporting the following principles that put you in control of when and how your Personal Information is used:
- You are in control of your own Personal Information that you provide to TruU.
- You must provide explicit consent to specific information we will collect from you, analyze and forward to your employer.
- You can revoke authorization of use of your Personal Information at any time by emailing email@example.com and this request will be communicated to your Employer as you may no longer have access to your software, data or work environment.
- You can request deletion of all your Personal Information at any time.
- Your Personal Information will be deleted upon termination of your relationship with your employer, but for that information required or advised to be kept by law or regulation and then only the information required or advised and only for the advised or required time.
Information We Collect from You
The type of information we collect from you varies depending upon the type and configuration of Services used by your employer in its identity and access management systems.
- Identifiers including name, business email address, business directory name, and, where applicable in additional services, government issued ID such as driver license.
- Electronic Device Information including type, IP address, device type, device identifier, Operating System, cookie ID, service provider, network settings, security protections, applications, tokens and device location.
- Biometric Information – At set-up of the identity and access services, we will create a biometric profile of you and then anonymize that profile through cryptography and create an alphanumeric; and, in most instances, we will use the TCM locked hardware in your existing device ensuring no data leaves your device. The biometric data may include:
- the way you interact with your keyboard and mouse together with typing patterns;
- a digital signature of your voice that does not record what is said but rather how it is said with timbre, tone and cadence;
- a digital image of your face (blurring out background images) that is then translated into an anonymized non-recoverable representation alphanumeric based on measuring points of your face; and,
- mouse and keyboard interaction, video and audio sessions provided as part of liveness detection and in accordance with United States National Institute of Standards & Technology verification (“Biometric Information”).
- We acquire information from other trusted sources. These might include companies such as Wifi Access Points, mobile phone carriers and Internet Service Providers.
For additional information on our Biometric Use Policy please refer to this link
When using our Cybersecurity Services we may automatically collect or receive certain information associated with you or your network device(s), such as your computer or mobile devices, including geographical location, and radio signals visible from your devices. This includes information about your use of our Services and your interactions with your employer’s network, data and software applications. Such information may be automatically collected through your company authorized devices. The information we automatically collect may also include geolocation information, such as information that identifies the approximate location of your device and your IP address, which may be used to estimate your location. For example, if you are typically working from Columbus and you logged into the employer network from Columbus, USA at 9:00 a.m., and then at 10:00 a.m. the TruU system warns the IT administrator at your employer that an attempt was made to log in using your credentials from Amsterdam, Netherlands, your information will be used to trigger deviations from the baseline personal information we collected from you and your Employer.
The Why: Purposes for Which the Information is Used
The purpose of our Services is to prevent breaches and unauthorized access to your employer’s network, software, data, applications and physical premises (the “Cybersecurity Purposes”). Our Services to your employer include transferring your information to your employer for:
- Identity and Access Management Services which confirm you as an authorized user of employer’s property, software, data, application and systems;
- Authenticating the device you are using as an authorized device and requesting that your device verify, through its secure cryptoprocessor (Trusted Platform Module), the biometric verification that you have authorized your device to use to verify you (e.g., where you have authorized a smartphone to use your fingerprint or faceID to log into the smartphone, our Service asks your device to provide us a yes/no as to whether you authenticated on that device, without requesting the biometric used by the device such as fingerprint or faceID);
- To create a baseline of your Biometrics for comparison to active sessions while accessing company property, networks, data and software applications;
- Transmission of results of authentication (and not the actual audio or video) to your employer;
- Usage information to assess log-in attempts and software access attempts;
- Provide, maintain and improve the Cybersecurity Services;
- Provide end-user and IT support; and,
- Compliance, fraud detection and enforcement, investigation of the criminal, unauthorized access to your employer property, networks, data or software applications.
How Your Information is Shared
Protecting Your Information
We are SOC-2 Compliant, meaning that a third party has tested and validated our systems and deemed them to be in accordance with industry standards. We have architected our system to ensure your privacy. We have adopted technical, administrative, and physical security procedures to help protect your information from loss, misuse, unauthorized access, and alteration, including ensuring data is encrypted at rest and in transit. Please note that no data transmission or storage can be guaranteed to be 100% secure.
To protect your information, we implement security measures such as encryption, firewalls, and intrusion detection and prevention systems.
Our Cybersecurity Services are limited to those over 18 years of age. Our video detection is designed to blur out all images not involving the face and only records a non-recoverable representation (exemplified by landmark points on the face) and not the actual face itself. If you have reason to believe that a child under 18 years of age has provided us with information, please contact us at support@TruU.ai and we will immediately delete such information, subject to and in compliance with applicable law.
Additional Information If You Are Located in US States including California and Illinois, European Union or European Economic Area
Residents of the United States including California. Pursuant to the California Consumer Privacy Act of 2018, as amended, residents of California are entitled to additional rights and disclosures regarding their Personal Information that can be found here. Additionally, any person located outside of California is encouraged to read the notification and contact us with any concerns or request a deletion of their personal information, i.e., Right to be Forgotten. If you are located within the European Union or European Economic Area, additional disclosures and rights may be found here.
Corporate Address and Contact Number
TruU, Inc. 2350 Mission College Blvd., Suite 780 Santa Clara, CA 95054
Toll Free: 1 877 214 2838
For Questions, Concerns or Legal Notices
To Request Deletion of Data or Exercise Rights in Relation Thereto: firstname.lastname@example.org
Copyright © 2023 TruU, Inc. All rights reserved.