(Version October 2024)
This is not a stand-alone document. These Data Processing Specifications supplement the relevant Data Processing Terms for HID® software-as-a-service offerings set forth below (each a “Service”):
The Data Processing Specifications describe: (i) the subject matter of the data processing; (ii) the type of Personal Data processed; (iii) the name and location of the party hosting the Personal Data; (iv) where the Service is hosted; (v) sub-processors involved in the processing of the Personal Data, if any; (vi) the purpose of the data processing; and (vii) the period of time the Personal Data is retained.
Personal Data types processed are selected by End Customer. If End Customer defines a different Data Retention Period or otherwise requests that HID retain Customer Materials beyond the Data Retention Period (“Requested Data Retention Period”), subject to the payment of additional fees associated with such retention as may be reasonably requested by HID, HID will retain the data for the Requested Data Retention Period.
Outside of the data types listed below, there may be additional optional fields that Channel Partner or End Customer may populate at its discretion. If Channel Partner or End Customer elects to populate those fields with Personal Data, any such information will be treated as confidential data and will be deleted within 30 days from last backup. This optional data entered by Channel Partner or End Customer is not required for the operation of the Services.
Authentication Service
HID Entity Providing the Service: HID Global Corporation, HID Global Ireland Teoranta, HID Global GmbH, HID Corporation Ltd, HID GLOBAL SAS, ActivIdentity (Australia) Pty Ltd, ASSA ABLOY of Canada Ltd, and HID India Private Ltd
Location of Processing: United States, Ireland, Germany, United Kingdom, France, Australia, Canada, and India
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrator | First and last name Email address Telephone number Employer information Employer address | Onboarding the End Customer Organization to the Service. Applies to the first Privileged Admin user only. | 30 days from termination of the Service |
End user | First and last name User identifier | Identification of end users who use the Service for authentication. | 30 days from termination of the Service |
End user | Email address Mobile telephone number | Authentication of end users’ login attempt. | 30 days from termination of the Service |
Delivery of the data by client: API or user interface over HTTPS
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing: United States* and European Union
Frequency of data transfer: Continuous Basis
*End Customer designates the primary hosting location. Unless otherwise requested by End Customer, backup data will be stored in the United States.
Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrator | First and last name Email address Telephone number Employer information Employer address | To host the infrastructure where the Service resides | 30 days from termination of the Service |
End User | First and last name User identifier | To host the infrastructure where the Service resides | 30 days from termination of the Service |
End User | Email address Mobile telephone number | To host the infrastructure where the Service resides | 30 days from termination of the Service |
HID affiliates providing customer-initiated support
Entities: ActivIdentity (Australia) Pty Ltd, HID India Private Ltd, HID Global Corporation, HID GLOBAL SAS, HID Corporation Ltd, ASSA ABLOY of Canada Ltd, and HID Czech s.r.o.
Location of Processing: Australia, India, United States, France, United Kingdom, Canada and Czech Republic
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrator | First and last name Email address Telephone number Employer information Employer address | To provide managed services and support | 30 days from termination of the Service |
End User | First and last name User identifier or other form of identification (ex: government issued ID) | To provide managed services and support | 30 days from termination of the Service |
End User | Email address Mobile telephone number | To provide managed services and support | 30 days from termination of the Service |
Third-Party Contractors providing customer-initiated support
Entities: Flairstech Inc.
Location of Processing: Egypt
Categories of Data Subjects | Personal Data types | Purpose of Processing | Frequency of Data Transfer |
---|---|---|---|
End Customer Contact | First and last name Email address Telephone number Employer information Employer address | To provide managed services and support | Continuous Basis |
End Customer Environment: End User Employees Contractors Vendors Suppliers Visitors | As defined by the End Customer | To provide managed services and support | Sporadic (as controlled by the End Customer in requesting support) |
HID affiliates providing professional services
Entities: HID Global Corporation, HID Corporation Ltd, HID Global GmbH, Assa Abloy (SA) (Pty) Ltd, HID Global Ireland Teoranta, HID Czech s.r.o., and HID do Brazil Indústria, Comércio, Importacão e Exportacão de Equipamentos Eletrõnicos Ltda.
Location of Processing: United States, United Kingdom, Germany, South Africa, Ireland, Czech Republic, and Brazil
Frequency of data transfer: One-Off*
*transfer and access limited to the duration of the professional services engagement
Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrator | First and last name Email address Telephone number Employer information Employer address | To provide professional services as contracted by End Customer | 30 days from termination of the Service |
End User | First and last name User identifier | To provide professional services as contracted by End Customer | 30 days from termination of the Service |
End User | Email address Mobile telephone number | To provide professional services as contracted by End Customer | 30 days from termination of the Service |
Third-Party Service Providers
Entity: HSL Mobile/Link Mobility
Location of Processing: United Kingdom
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrator | Mobile telephone number | Deliver one-time passwords via SMS to mobile phones for two-factor authentication. | 30 days from termination of the Service |
End User | Mobile telephone number | Deliver one-time passwords via SMS to mobile phones for two-factor authentication. | 30 days from termination of the Service |
Identity Verification Service (IAMS)
Entity: AuthenticID
Location of Processing: United States
Frequency of data transfer (Continuous or One-Time Basis): Continuous
Categories of Data Subjects | Personal Data types | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrator | First and last name Email address | To provide managed services and support for threat and fraud detection | As required for Administration purposes within contract period. Deleted upon contract termination. |
End User | Drivers License Drivers License number DOB Drivers License details 2D Bar Code Document facial Image Personal Address Passport numbers Passport details 2D Barcode Document facial image Real time biometric facial image | To provide managed services and support for threat and fraud detection | Set by End Customer. Service provider recommends 180 days for model tuning and product improvement. |
Sub-processors:
Hosting Provider
Entity: AWS Inc
Location of Processing: United States, Ireland, Germany, Italy, France, Spain, Sweden, United Kingdom and Switzerland
Frequency of data transfer (Continuous or One-Time Basis): Continuous
Categories of Data Subjects | Personal Data types | Purpose of Processing | Sensitive Data |
---|---|---|---|
Administrators and End Users | Drivers License Drivers License number DOB Drivers License details 2D Bar Code Document facial Image Personal Address Passport numbers Passport details 2D Barcode Document facial image Real time biometric facial image First name Last name Email address | To provide managed services and support for threat and fraud detection | Set by End Customer. Service provider recommends 180 days for model tuning and product improvement. |
Risk Management Solution
Entity: ThreatMark s.r.o.
Location of Processing: European Union
Frequency of data transfer (Continuous or One-Time Basis): Continuous
Categories of Data Subjects | Personal Data types | Purpose of Processing | Data Retention Period | Sensitive Data |
---|---|---|---|---|
Administrator | First and last name Email address Business address Business phone | To provide managed services and support for threat and fraud detection | 30 days from termination of the Service | N/A |
End user | Browser document data User Interface Data User Interface Data model Session score Port scan data | To provide managed services and support for threat and fraud detection solution | By default, 6 months for personal data and 3 months for biometry. | Fingerprint |
Sub-processors:
Entity: AWS Inc
Location of Processing: European Union
Frequency of data transfer (Continuous or One-Time Basis): Continuous
Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period | Sensitive Data |
---|---|---|---|---|
Administrator | First and last name Email address Business address Business phone | Cloud Storage | 30 days from termination of the Service | N/A |
End user | Browser document data UI data UI data model Session score Port scan data | Cloud Storage | By default, 6 months for personal data and 3 months for biometry. | Fingerprint |
Entity: Atlassian Inc. (JIRA)
Location of Processing: European Union
Frequency of data transfer (Continuous or One-Time Basis): Continuous
Categories of Data Subjects | Personal Data types | Purpose of Processing | Data Retention Period | Sensitive Data |
---|---|---|---|---|
Administrator | First and last name Email address Business phone | Cloud Storage | 30 days from termination of the Service | N/A |
HID SAFE™ and HID Visitor Manager and HID Credential Manager
HID Entity Providing the Service: HID Global Corporation
Location of Processing: United States*
Frequency of data transfer: Continuous Basis
*Unless the End Customer elects for their service to be provided from the European Union, data is transferred to the Hosting Provider based in the United States
Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period | Sensitive Data |
---|---|---|---|---|
Employees Contractors Vendors Suppliers Visitors | First and last name Email address Residential address Business address Driver’s License or other State or Government Issued Identification Number or Card (including Passport) School-Issued Identification Native American tribal document School record or report Clinic, doctor, or hospital record Daycare or nursery school record Social Security number or Card Birth Certificate or Certificate of Birth Abroad issued by the Department of State Unexpired employment authorization document issued by DHS Any other I-9 documentation Employer information Job title Biometric data Photograph of individual Place of birth Nation of origin Ethnicity Gender Height/Weight Eye color Hair color License Plate Number | Identifying authorized end users Authenticating site visitor identity Badge and credential issuance Screening visitors | 30 days from termination of the Service | Biometric data Native American tribal document Nation of origin Ethnicity Birth Certificate or Certificate of Birth Abroad issued by the Department of State Passport other sensitive data on I-9 document The applied restrictions or safeguards related to sensitive data transferred outside of the EEA are set forth in Annex II to the applicable Standard Contractual Clauses located at: https://www.hidglobal.com/legal |
System Users | Email Address Account Name | To give access to the system | 30 days from termination of the Service | |
Employees Contractors Vendors Suppliers Visitors | End user answers to End Customer defined questionnaire** | Authorizing end users and site visitors based on End Customer criteria Screening employees and visitors | 48 hours after screening event |
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing: United States*
Frequency of data transfer: Continuous Basis
*unless the parties enter into a SAFE SaaS Platform Designation Agreement specifying a different platform location, in which event such agreement shall amend this Data Processing Specifications document
Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period | Sensitive Data |
---|---|---|---|---|
Employees Contractors Vendors Suppliers Visitors | First and last name Email address Residential address Business address Driver’s License or other State or Government Issued Identification Number or Card (including Passport) School-Issued Identification Native American tribal document School record or report Clinic, doctor, or hospital record Daycare or nursery school record Social Security number or Card Birth Certificate or Certificate of Birth Abroad issued by the Department of State Unexpired employment authorization document issued by DHS Any other I-9 documentation Employer information Job title Biometric data Photograph of individual Place of birth Nation of origin Ethnicity Gender Height/Weight Eye color Hair color License Plate Number | To host the infrastructure where the Service resides | 30 days from termination of the Service | Biometric data Native American tribal document Nation of origin Ethnicity Birth Certificate or Certificate of Birth Abroad issued by the Department of State Passport other sensitive data on I-9 document The applied restrictions or safeguards related to sensitive data transferred outside of the EEA are set forth in Annex II to the applicable Standard Contractual Clauses located at: https://www.hidglobal.com/legal |
System Users | Email Address Account Name | To host the infrastructure where the Service resides | 30 days from termination of the Service | |
Employees Contractors Vendors Suppliers Visitors | End user answers to End Customer defined questionnaire** | To host the infrastructure where the Service resides | 48 hours after screening event |
HID affiliates providing customer-initiated support
Entities: ActivIdentity (Australia) Pty Ltd, HID India Private Ltd, HID Global Corporation, HID GLOBAL SAS, HID Corporation Ltd, ASSA ABLOY of Canada Ltd, and HID Czech s.r.o.
Location of Processing: Australia, India, United States, France, United Kingdom, Canada and Czech Republic
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period | Sensitive Data |
---|---|---|---|---|
Employees Contractors Vendors Suppliers Visitors | First and last name Email address Residential address Business address Driver’s License or other State or Government Issued Identification Number or Card (including Passport) School-Issued Identification Native American tribal document School record or report Clinic, doctor, or hospital record Daycare or nursery school record Social Security number or Card Birth Certificate or Certificate of Birth Abroad issued by the Department of State Unexpired employment authorization document issued by DHS Any other I-9 documentation Employer information Job title Biometric data Photograph of individual Place of birth Nation of origin Ethnicity Gender Height/Weight Eye color Hair color License Plate Number | To provide managed services and support | 30 days from termination of the Service | Biometric data Native American tribal document Nation of origin Ethnicity Birth Certificate or Certificate of Birth Abroad issued by the Department of State Passport other sensitive data on I-9 document The applied restrictions or safeguards related to sensitive data transferred outside of the EEA are set forth in Annex II to the applicable Standard Contractual Clauses located at: https://www.hidglobal.com/legal |
System Users | Email Address Account Name | To provide managed services and support | 30 days from termination of the Service | |
Employees Contractors Vendors Suppliers Visitors | End user answers to End Customer defined questionnaire** | To provide managed services and support | 48 hours after screening event |
Third-Party Contractors providing customer-initiated support
Entities: Flairstech Inc.
Location of Processing: Egypt
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data types | Purposes of Processing | Data Retention Period | Sensitive Data |
---|---|---|---|---|
Employees Contractors Vendors Suppliers Visitors | First and last name Email address Residential address Business address Driver’s License or other State or Government Issued Identification Number or Card (including Passport) School-Issued Identification Native American tribal document School record or report Clinic, doctor, or hospital record Daycare or nursery school record Social Security number or Card Birth Certificate or Certificate of Birth Abroad issued by the Department of State Unexpired employment authorization document issued by DHS Any other I-9 documentation Employer information Job title Biometric data Photograph of individual Place of birth Nation of origin Ethnicity Gender Height/Weight Eye color Hair color License Plate Number | To provide managed services and support | 30 days from termination of the Service | Biometric data The applied restrictions or safeguards related to sensitive data transferred outside of the EEA are set forth in Annex II to the applicable Standard Contractual Clauses located at: https://www.hidglobal.com/legal. |
System Users | Email Address Account Name | To provide managed services and support | 30 days from termination of the Service | |
Employees Contractors Vendors Suppliers Visitors | As defined by the End Customer | To provide managed services and support | 48 hours after screening event |
HID affiliates providing professional services
Entities: HID India Private Ltd, HID Global Corporation, ASSA ABLOY of Canada Ltd, HID Corporation Ltd., and ActivIdentity (Australia) Pty Ltd
Location of Processing: India, United States, Canada, United Kingdom, and Australia
Frequency of data transfer: One-Off*
*transfer and access limited to the duration of the professional services engagement
Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period | Sensitive Data |
---|---|---|---|---|
Employees Contractors Vendors Suppliers Visitors | First and last name Email address Residential address Business address Driver’s License or other State or Government Issued Identification Number or Card (including Passport) School-Issued Identification Native American tribal document School record or report Clinic, doctor, or hospital record Daycare or nursery school record Social Security number or Card Birth Certificate or Certificate of Birth Abroad issued by the Department of State Unexpired employment authorization document issued by DHS Any other I-9 documentation Employer information Job title Biometric data Photograph of individual Place of birth Nation of origin Ethnicity Gender Height/Weight Eye color Hair color License Plate Number | To provide professional services as contracted by End Customer | 30 days from termination of the Service | Biometric data The applied restrictions or safeguards related to sensitive data transferred outside of the EEA are set forth in Annex II to the applicable Standard Contractual Clauses located at: https://www.hidglobal.com/legal |
System Users | Email Address Account Name | To provide professional services as contracted by End Customer | 30 days from termination of the Service | |
Employees Contractors Vendors Suppliers Visitors | End user answers to End Customer defined questionnaire** | To provide professional services as contracted by End Customer | 48 hours after screening event |
Delivery of the data by client: API or user interface over HTTPS
** ONLY APPLIES WHERE THERE IS A QUESTIONNAIRE PRESENTED. END CUSTOMER IS SOLELY RESPONSIBLE FOR DETERMINING WHETHER THE CONTENT OF ANY QUESTIONNAIRE IS APPROPRIATE, MEETS END CUSTOMER’S REQUIREMENTS, AND IS PERMITTED BY APPLICABLE LAWS AND REGULATIONS. THE RESPONDENT TO THE QUESTIONNAIRE IS SOLELY RESPONSIBLE FOR THE ACCURACY OF ITS ANSWERS TO ANY SUCH QUESTIONNAIRE.
HID Origo™ Platform and Related Services
HID Entity Providing the Service: HID Global Corporation
Location of Processing: United States
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrator Reader Technician | First and last name Email address Job title (in app) Telephone number Employer information Employer address | Onboarding the End Customer Organization to the service or registering as a Reader Technician in the app. Applies to Administrators and Reader Technicians only. | 30 days from termination of the Service |
End user | First and last name Email address Title Suffix User identifier (e.g. a username from another system) | Identification of end users. | 30 days from termination of the Service |
End user | Photo | Provide the Photo ID functionality, which can be used to link an image and titles to a Mobile ID. | 30 days from termination of the Service |
Administrator End user | Unique push notification identifier Unique application identifier | Delivery and management of Mobile IDs or reader keysets. | 30 days from termination of the Service** |
End user | Application state, events and usage statistics | Improving service performance and providing technical support. | 3 years in deidentified form |
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing: United States
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrator Reader Technician | First and last name Email address Job title (in app) Telephone number Employer information Employer address | To host the infrastructure where the Service resides | 30 days from termination of the Service |
End user | First and last name Email address Title Suffix User identifier (e.g. a username from another system) | To host the infrastructure where the Service resides | 30 days from termination of the Service |
End user | Photo | To host the infrastructure where the Service resides | 30 days from termination of the Service |
Administrator End user | Unique push notification identifier Unique application identifier | To host the infrastructure where the Service resides | 30 days from termination of the Service** |
End user | Application state, events and usage statistics | To host the infrastructure where the Service resides | 3 years in deidentified form |
APPLICABLE FOR CUSTOMERS IN CHINA
Entity: Amazon Web Services China
Location of Processing: China
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrator Reader Technician | First and last name Email address Job title (in app) Telephone number Employer information Employer address | To host the infrastructure where the Service resides | 30 days from termination of the Service |
End User | First and last name Email address Title Suffix User identifier (e.g. a username from another system) | To host the infrastructure where the Service resides | 30 days from termination of the Service |
End User | Photo | To host the infrastructure where the Service resides | 30 days from termination of the Service |
Administrator End User | Unique push notification identifier Unique application identifier | To host the infrastructure where the Service resides | 30 days from termination of the Service** |
End User | Application state, events and usage statistics | To host the infrastructure where the Service resides | 3 years in deidentified form |
HID affiliates providing customer-initiated support
Entities: HID Global Corporation, Cerramex, SA de CV, ActivIdentity Pty. Ltd, HID India Private Limited, HID Corporation Ltd, HID Do Brasil Industria Comercio Importacao E Exportacao De Equipamentos Eletronicos Ltda, HID Asia Pacific Limited, and HID China Ltd
Location of Processing: United States, India, Mexico, Brazil, United Kingdom, Hong Kong, China, and Australia
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrator Reader Technician | First and last name Email address Job title (in app) Telephone number Employer information Employer address | To provide managed services and support | 30 days from termination of the Service |
End user | First and last name Email address Title Suffix User identifier (e.g. a username from another system) | To provide managed services and support | 30 days from termination of the Service |
End user | Photo | To provide managed services and support | 30 days from termination of the Service |
Administrator End user | Unique push notification identifier Unique application identifier | To provide managed services and support | 30 days from termination of the Service** |
End user | Application state, events and usage statistics | To provide managed services and support | 3 years in deidentified form |
Third-Party service providers
Entity: Mixpanel
Location of Processing: United States
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
---|---|---|---|
End User | Usage Data | Usage analytics data from the HID Origo SDK | 5 years |
Entity: HSL Mobile/Link Mobility
Location of Processing: United Kingdom
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrator | Mobile telephone number | Deliver one-time passwords via SMS to mobile phones for two-factor authentication. | 30 days from termination of the Service |
End User | Mobile telephone number | Deliver one-time passwords via SMS to mobile phones for two-factor authentication. | 30 days from termination of the Service |
Additional Terms Related to Apple Access Technology:
HID may share with Apple End Customer Data (including personal data) pursuant to the Additional Product-Specific Terms for Apple Access Technology within HID Origo™ Platform and Related Services incorporated in the Terms of Service.
Additional Terms Related to Google Payments Technology:
HID may share with Google End Customer Data (including personal data) pursuant to the Additional Product-Specific Terms for Google Payments Technology within HID Origo™ Platform and Related Services incorporated in the Terms of Service.
Additional Terms Related to HID Origo™ Bridge
To the extent End Customer acquires HID Origo™ Bridge or End Customer purchases the HID Offerings from a Channel Partner using HID Origo™ Bridge, HID may process the personal data types set forth above for the purpose of providing the functionality of that HID Offering. For purposes of clarity, the HID Origo™ Bridge solution may temporarily retain or store such personal data until the sync process is completed.
Additional Terms Related to Origo™ Technology Partners
To the extent End Customer works with an Origo™ Technology Partner, either directly or indirectly, such Origo™ Technology Partner may have access to personal data through integrations with HID’s APIs and SDKs.
FARGO Connect™ Platform Services
HID Entity Providing the Service: HID Global Corporation
Location of Processing: United States
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrator | First and last name Email address Telephone number Employer address | Identification of end users utilizing the HID FARGO Connect card personalization portal. | 30 days from termination of the Service |
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing: United States
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrator | First and last name Email address Telephone number Employer address | To host the infrastructure where the Service resides | 30 days from termination of the Service |
Third-Party service providers
Entity: eXtensia Technologies, Inc.
Location of Processing: United States
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrator | First and last name Email address Telephone number Employer address | For the provision of security and integration services | 30 days from termination of the Service |
HID affiliates providing customer-initiated support
Entities: HID Global Corporation and affiliated entities
Location(s) of support services: United States, United Kingdom, Hong Kong, Australia, Brazil, Japan and India
Frequency of data transfer for support: One-Off*
*Access provided only as needed to provide support in response to a specific customer request
Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrator | First and last name Email address Telephone number Employer address | To provide managed services and support | 30 days from termination of the Service |
Delivery of the data by client: API or user interface over HTTPS
HydrantID Managed PKI and Trusted Digital Certificate Services
HID Entity Providing the Service: Avalanche Cloud Corp
Location of Processing: United States
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrators End User | First Name Last Name Common Name E-mail address Title (e.g. Mr./Mrs.) Locality State/Province Country Government issued ID document number (e.g. passport, driving license) | To provide digital certificates, signing services, and other products and services. Applies to the certificate holder. Personal data provided as part of the Services, such as the certificate content and in some cases registration data, may be used to process the certificate. | Information and audit logs for at least seven years. Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
Administrators | First Name Last Name E-mail address Telephone number | Onboarding the End Customer organization to the Service. To provide access to the Service platform. Applies to the account administrators | Information and audit logs for at least seven years. Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing: United States* and the European Union
Frequency of data transfer: Continuous Basis
*Unless the End Customer elects for their data to be hosted in the European Union, data is transferred to the Hosting Provider based in the United States
Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrators, End User | First Name, Last Name, Common Name, E-mail address, Title (e.g. Mr./Mrs.), Locality, State/Province, Country, Government issued ID document number (e.g. passport, driving license) | To host the infrastructure where the Service resides | Information and audit logs for at least seven years. Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
Administrators | First Name, Last Name, E-mail address, Telephone number | To host the infrastructure where the Service resides | Information and audit logs for at least seven years. Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
HID affiliates providing customer-initiated support
Entity: IdenTrust, Inc.
Location of Processing: United States
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrators, End User | First Name, Last Name, Common Name, E-mail address, Title (e.g. Mr./Mrs.), Locality, State/Province, Country, Government issued ID document number (e.g. passport, driving license) | To provide managed services and support | Information and audit logs for at least seven years. Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
Administrators | First Name, Last Name, E-mail address, Telephone number | To provide managed services and support | Information and audit logs for at least seven years. Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
Third-party service providers
Entity: Switch
Location of Processing: United States
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrators, End User | First Name, Last Name, Common Name, E-mail address, Title (e.g. Mr./Mrs.), Locality, State/Province, Country, Government issued ID document number (e.g. passport, driving license) | May host HID-dedicated infrastructure, including Personal Data types listed above either as primary or backup for the Service. | Information and audit logs for at least seven years. Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
Administrators | First Name, Last Name, E-mail address, Telephone number | May host HID-dedicated infrastructure, including Personal Data types listed above either as primary or backup for the Service. | Information and audit logs for at least seven years. Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
Entity: Equinix
Location of Processing: United States* and European Union
Frequency of data transfer: Continuous Basis
*Unless the End Customer elects for their data to be hosted in the European Union, data is transferred to the Hosting Provider based in the United States.
Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrators, End User | First Name, Last Name, Common Name, E-mail address, Title (e.g. Mr./Mrs.), Locality, State/Province, Country, Government issued ID document number (e.g. passport, driving license) | May host HID-dedicated infrastructure, including Personal Data types listed above either as primary or backup for the Service. | Information and audit logs for at least seven years. Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
Administrators | First Name, Last Name, E-mail address, Telephone number | May host HID-dedicated infrastructure, including Personal Data types listed above either as primary or backup for the Service. | Information and audit logs for at least seven years. Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
Entity: DigiCert
Location of Processing*: Netherlands, Switzerland, Belgium, Germany, United Kingdom, or United States
Frequency of data transfer: Continuous Basis
*Location of processing determined by sub-processor Entity based on the type of service
Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrators, End User | First Name, Last Name, Common Name, E-mail address, Title (e.g. Mr./Mrs.), Locality, State/Province, Country, Government issued ID document number (e.g. passport, driving license) | May process data to be included in a digital certificate (which can include the Personal Data types listed above) when HID uses DigiCert/QuoVadis digital certificate systems to deliver the Services to End Customer. | Information and audit logs for at least seven years. Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
Administrators | First Name, Last Name, E-mail address, Telephone number | May process data to be included in a digital certificate (which can include the Personal Data types listed above) when HID uses DigiCert/QuoVadis digital certificate systems to deliver the Services to End Customer. | Information and audit logs for at least seven years. Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
Entity: Auth0
Location of Processing: United States* and European Union
Frequency of data transfer: Continuous Basis
*Unless the End Customer elects for their data to be hosted in the European Union, data is transferred to the Hosting Provider based in the United States.
Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrators, End User | First Name, Last Name, Common Name, E-mail address, Title (e.g. Mr./Mrs.), Locality, State/Province, Country | Authenticating Administrators and End Users prior to accessing the Service | 30 days |
Entity: Mailgun
Location of Processing: United States* and European Union
Frequency of data transfer: Continuous Basis
*Unless the End Customer elects for their data to be hosted in the European Union, data is transferred to the Hosting Provider based in the United States.
Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
---|---|---|---|
Administrators, End User | First Name, Last Name, E-mail address | Communicate with Administrators and End Users about the Service | 30 days |
Delivery of the data by client: API over HTTPS
Event Management Platform
Personal Data Type | Purpose of Processing | Data Retention Period** |
---|---|---|
Accreditation Module & Organization Self Administration Module and Self Registration Forms: A configurable list of the following attributes. Name (First & Last), Title (Mr, Mrs, Miss); Email Address; Phone Number; Company (Organization); Country (Nationality); Nationality, ID document type, ID document number, ID document expiry date, Scan of the ID document, AccreditationID, Photo; Category of Accreditation (e.g. MEDIA), sub-category, Date of Birth, Address | To perform the enrollment process for individuals and security vetting (sending and extracting the subset of personal information to authorities to establish if the individual has sufficient security standing to attend the event) and then for the individual to be approved to have a credential (physical or virtual) issued to attend the event and for other systems or the below HID platform module to provide access control to the event. | Defined by the configuration for the specific event and in any case: The shorter of: (i) 60 days from termination of the Service; or (ii) 3 years after the applicable event period has finished |
Accredited Individuals and Ticket Holders: Name (First & Last), Title (Mr, Mrs, Miss); Email Address; Phone Number; Seating information (Gate, Block, Row, Seat); Company; Country (Nationality); Ticket Number; Ticket Barcode; Accreditation; AccreditationID; Photo; Name (First & Last), Company; Country; Category of Accreditation (e.g. MEDIA), sub-category, Date of Birth | To perform issuance of credentials and vouchers, both physical (e.g. printing a smart card / paper credential and additionally encoding the data securely into a secure chip in the credential) or virtual (a mobile ticket inside an App or inside Apple Wallet / Google Pay). To verify credentials and perform access control. To provide additional services related to access control (for example: the ability to use the credential at a kiosk to print out a Set Information Receipt with name, Last name, Block, Row, Seat of the individual). | The shorter of: (i) 60 days from termination of the Service; or (ii) 3 years after the applicable event period has finished |
Answers to End Customer defined questionnaire*** | Allows Accredited Individuals to unlock their accreditation after submitting the answers to End Customer’s questionnaire in compliance with End Customer criteria | 48 hours after the applicable event period has finished |
Web Portal Users: Email Address, first name, last name; Password | To perform login into the EMS web portal (email + PWD) | 60 days from termination of the Service |
For clarity, an “Accredited Individual” is an individual granted access to the premises by the End Customer in an official capacity and not as a ticket holder or other type of patron. Examples of an Accredited Individual include End Customer personnel, contractors, vendors, volunteers, and third-party media.
**If End Customer requests HID retain Customer Materials beyond the Data Retention Period (“Additional Data Retention Period”), HID will retain the data for 90 days from the expiry of the Additional Retention Period.
***ONLY APPLIES WHERE THERE IS A QUESTIONNAIRE PRESENTED. END CUSTOMER IS SOLELY RESPONSIBLE FOR DETERMINING WHETHER THE CONTENT OF ANY QUESTIONNAIRE IS APPROPRIATE, MEETS END CUSTOMER’S REQUIREMENTS, AND IS PERMITTED BY APPLICABLE LAWS AND REGULATIONS. THE RESPONDENT TO THE QUESTIONNAIRE IS SOLELY RESPONSIBLE FOR THE ACCURACY OF ITS ANSWERS TO ANY SUCH QUESTIONNAIRE.
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing: Ireland
Frequency of data transfer: Continuous Basis
Third-Party service providers
Company | Location of Processing | Purpose |
---|---|---|
Auth0 (Optional) | European Union | Portal Login Service for the Web Portal Users Personal Data Types |
MailGun | European Union | Email sending service to send event invitation emails to the individual (if requested and configured in the platform) |
Delivery of the data by client: API, Azure Service Bus, or user interface over HTTPS; direct entry of data via web forms or CSV upload into the web admin portals of the event management platform
Location(s) of support services: United Kingdom, Italy, Poland, and India
Third-Party Background Checks and Security Vetting: Upon request by End Customer, HID may share some, or all, of the personal data types described under “Accreditation Module & Organization Self administration module and Self Registration forms” section listed above to certain third-party background check and security vetting providers. Such providers may be private entities or local police or other law enforcement officials that perform these functions on behalf of End Customer.
HID Textile Services Invotech Cloud
HID Entity Providing the Service: HID Textile Services SARL
Location of Processing: United Kingdom, Germany
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data types | Purpose of Processing | Data Retention Period |
---|---|---|---|
End User Administrator | First and last name, Email Address, Username*** | Authentication of End User's login attempt to access InvoTech Cloud and to add, update, and delete End Users | 30 days from termination of the Service |
End User | First and last name, Email Address, Username*** | Authentication of End User's login attempt to access InvoTech Cloud (WebAdmin tool, Mobile Application) | 30 days from termination of the Service |
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing: United Kingdom, Germany
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data types | Purpose of Processing | Data Retention Period |
---|---|---|---|
End User Administrator | First and last name, Email Address, Username*** | To host the infrastructure | 30 days from termination of the Service |
End User | First and last name, Email Address, Username*** | To host the infrastructure | 30 days from termination of the Service |
***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User
HID Textile Services ACUITY Administration
HID Entity Providing the Service: HID Textile Services SARL
Location of Processing*: United Kingdom, Australia
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
---|---|---|---|
End User | First and last name, Email address, Telephone number | Define Contact Information for the purpose of Order Management by HID Customer | 30 days from termination of the Service |
End User | Username*** | Authentication of End User’s login attempt to access WebOrder Customer Portal | 30 days from termination of the Service |
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing*: United Kingdom and Australia
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
---|---|---|---|
End User | First and last name, Email address, Telephone number | To host the infrastructure | 30 days from termination of the Service |
End User | Username*** | To host the infrastructure | 30 days from termination of the Service |
Third-Party Support Provider
Entity: Stefanini IT Solutions
Location of Processing: Romania
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
---|---|---|---|
End User | First and last name, Email address, Telephone number | Update End User information | 30 days from termination of the Service |
End User | Username*** | Update End User information | 30 days from termination of the Service |
*If End Customer is in the European Union, all data is processed in the European Union or a country that has obtained an adequacy decision
**“End User” means individual users to which End Customer grants access to the Service
***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User
HID Textile Services ACUITY Users Management
HID Entity Providing the Service: HID Textile Services SARL
Location of Processing: Australia
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
---|---|---|---|
End User Administrator | First and last name, Email address, Telephone number, Username*** | Authentication of End User’s login attempt to access ACUITY User Management and to add, update, and remove End Users for the administered entity | 30 days from termination of the Service |
End User | First and last name, Email address, Telephone number, Username*** | Authentication of End User’s login attempt to access ACUITY tools (WebOrder tools, Smart Readers, Mobile Applications) | 30 days from termination of the Service |
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing: Australia
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
---|---|---|---|
End User Administrator | First and last name, Email address, Telephone number, Username*** | To host the infrastructure | 30 days from termination of the Service |
End User | First and last name, Email address, Telephone number, Username*** | To host the infrastructure | 30 days from termination of the Service |
Third-Party Support Provider
Entity: Stefanini IT Solutions
Location of Processing: Romania
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
---|---|---|---|
End User Administrator | First and last name, Email address, Telephone number, Username*** | Update End User Administrator Information | 30 days from termination of the Service |
End User | First and last name, Email address, Telephone number, Username*** | Update End User Information | 30 days from termination of the Service |
**“End User” means individual users to which End Customer grants access to the Service
***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User
HID Textile Services WebOrder Admin, WebOrder Invoicing, WebOrder Dispatch Tools
HID Entity Providing the Service: HID Textile Services SARL
Location of Processing*: United Kingdom, Australia
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
---|---|---|---|
End User | Username*** | Authentication of End User’s login attempt to access the various WebOrder tools (WOA, WOD, WOI, WOR) | 30 days from termination of the Service |
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing: Australia
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
---|---|---|---|
End User | Username*** | To host the infrastructure | 30 days from termination of the Service |
**“End User” means individual users to which End Customer grants access to the Service
***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User
HID Textile Services WebOrder Customer Portal (Provided by HID Textile Services)
HID Entity Providing the Service: HID Textile Services SARL
Location of Processing*: United Kingdom, Australia
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
---|---|---|---|
End User | Username*** | Authentication of End User’s login attempt to access WebOrder Customer | 30 days from termination of the Service |
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing*: United Kingdom and Australia
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
---|---|---|---|
End User | Username*** | To host the infrastructure | 30 days from termination of the Service |
*If End Customer is in the European Union, all data is processed in the European Union or a country that has obtained an adequacy decision
**“End User” means individual users to which End Customer grants access to the Service
***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User
HID Textile Services ACUITY RFID Platform for Laundries
HID Entity Providing the Service: HID Textile Services SARL
Location of Processing*: France, United Kingdom, Germany, Singapore, Australia
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
---|---|---|---|
End User | Username*** | Authentication of End User’s login attempt to access Smart Reader Business Processes when applicable | 30 days from termination of the Service |
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing: Australia
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
---|---|---|---|
End User | Username*** | To host the infrastructure | 30 days from termination of the Service |
**“End User” means individual users to which End Customer grants access to the Service
***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User
HID Textile Services ACUITY Mobile Applications
HID Entity Providing the Service: HID Textile Services SARL
Location of Processing*: France, United Kingdom, Germany, Singapore, Australia
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
---|---|---|---|
End User | Username*** | Authentication of End User’s login attempt to access Mobile Application Business Processes | 30 days from termination of the Service |
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing: Australia
Frequency of data transfer: Continuous Basis
Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
---|---|---|---|
End User | Username*** | To host the infrastructure | 30 days from termination of the Service |
**“End User” means individual users to which End Customer grants access to the Service
***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User