Data Processing Specifications

This is not a stand-alone document. These Data Processing Specifications supplement the relevant Data Processing Terms for HID software-as-a-service offerings set forth below (each a “Service”):

The Data Processing Specifications describe: (i) the subject matter of the data processing; (ii) the type of Personal Data processed; (ii) the name and location of the party hosting the Personal Data; (iii) where the Service is hosted; (iv) sub-processors involved in the processing of the Personal Data, if any; (iv) the purpose of the data processing; and (v) the period of time the Personal Data is retained.

Personal Data types processed are selected by End Customer. If End Customer defines a different Data Retention Period or otherwise requests that HID retain Customer Materials beyond the Data Retention Period (“Requested Data Retention Period”), subject to the payment of additional fees associated with such retention as may be reasonable requested by HID, HID will retain the data for the Requested Data Retention Period.

Outside of the data types listed below, there may be additional optional fields that Channel Partner or End Customer may populate at its discretion. If Channel Partner or End Customer elect to populate those fields with Personal Data, any such information will be treated as confidential data and will be deleted within 30 days of from last back up. This optional data entered by Channel Partner or End Customer is not required for the operation of the Services.

Authentication Service

HID Entity Providing the Service: ActivIdentity (Australia) Pty Ltd, HID India Private Ltd, HID Global Corporation, HID GLOBAL SAS, HID Corporation Ltd, and ASSA ABLOY

Location of Processing: United States, Ireland, Germany, United Kingdom, France, Australia, Canada, and India

Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator First and last name
Email address
Telephone number
Employer information
Employer address
Onboarding the End Customer Organization to the Service. Applies to the first Privileged Admin user only. 30 days from termination of the Service
End user First and last name
User identifier
Identification of end users who use the Service for authentication. 30 days from termination of the Service
End user Email address
Mobile telephone number
Authentication of end users’ login attempt. 30 days from termination of the Service

Delivery of the data by client: API or user interface over HTTPS

Sub-processors:

Hosting Provider

Entity: Amazon Web Services
Location of Processing: United States* and European Union
Frequency of data transfer: Continuous Basis

*End Customer designates the primary hosting location. Unless otherwise requested by End Customer, backup data will be stored in the United States.

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator First and last name
Email address
Telephone number
Employer information
Employer address
To host the infrastructure where the Service resides 30 days from termination of the Service
End User First and last name
User identifier
To host the infrastructure where the Service resides 30 days from termination of the Service
End User Email address
Mobile telephone number
To host the infrastructure where the Service resides 30 days from termination of the Service

HID affiliates providing customer-initiated support

Entities: HID Global Corporation, Cerramex, SA de CV, ActivIdentity Pty. Ltd, HID India Private Limited, HID Corporation Ltd, HID Do Brasil Industria Comercio Importacao E Exportacao De Equipamentos Eletronicos Ltda, , HID Asia Pacific Limited, and HID China Ltd
Location of Processing: Australia, India, United States, France, United Kingdom, and Canada
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator First and last name
Email address
Telephone number
Employer information
Employer address
To provide managed services and support 30 days from termination of the Service
End User First and last name
ser identifier or other form of identification (ex: government issued ID)
To provide managed services and support 30 days from termination of the Service
End User Email address
Mobile telephone number
To provide managed services and support 30 days from termination of the Service

HID affiliates providing professional services

Entities: HID India Private Ltd, HID Global Corporation, ASSA ABLOY of Canada Ltd, ActivIdentity (Australia) Pty Ltd, HID Global GmbH, HID Global SAS, and HID Global Teoranta
Location of Processing: India, United States, Canada, United Kingdom, Australia, Germany, South Africa, and Ireland
Frequency of data transfer: One-Off*

*transfer and access limited to the duration of the professional services engagement

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator First and last name
Email address
Telephone number
Employer information
Employer address
To provide professional services as contracted by End Customer 30 days from termination of the Service
End User First and last name
User identifier
To provide professional services as contracted by End Customer 30 days from termination of the Service
End User Email address
Mobile telephone number
To provide professional services as contracted by End Customer 30 days from termination of the Service

Third Party Service Providers

Entity: HSL Mobile/Link Mobility
Location of Processing: United Kingdom
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator Mobile telephone number Deliver one-time passwords via SMS to mobile phones for two-factor authentication. 30 days from termination of the Service
End User Mobile telephone number Deliver one-time passwords via SMS to mobile phones for two-factor authentication. 30 days from termination of the Service

SAFE™ and WorkforceID™ Visitor Manager and Credential Manager

HID Entity Providing the Service: HID Global Corporation
Location of Processing: United States*
Frequency of data transfer: Continuous Basis

*Unless the End Customer elects for their service to be provided from the European Union, data is transferred to the Hosting Provider based in the United States

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period Sensitive Data
Employees
Contractors
Vendors
Suppliers
Visitors
First and last name
Email address
Residential address
Business address
Driver’s License or other State or Government Issued Identification Number or Card (including Passport)
School-Issued Identification
Native American tribal document
School record or report
Clinic, doctor, or hospital record
Daycare or nursery school record
Social Security number or Card
Birth Certificate or Certificate of Birth Abroad issued by First and last name
Email address
Residential address
Business address
Driver’s License or other State or Government Issued Identification Number or Card (including Passport)
School-Issued Identification
Native American tribal document
School record or report
Clinic, doctor, or hospital record
Daycare or nursery school record
Social Security number or Card
Birth Certificate or Certificate of Birth Abroad issued by the Department of State Unexpired employment authorization document issued by DHS
Any other I-9 documentation
Employer information
Job title
Biometric data
Photograph of individual
Place of birth
Nation of origin
Ethnicity
Gender
Height/Weight
Eye color
Hair color
License Plate Number
Identifying authorized end users
Authenticating site visitor identity
Badge and credential issuance
Screening visitors
30 days from termination of the Service Biometric data
Native American tribal document
Nation of origin
Ethnicity
Birth Certificate or Certificate of Birth Abroad issued by the Department of State
Passport
other sensitive data on I-9 document

The applied restrictions or safeguards related to sensitive data transferred outside of the EEA is set forth in Annex II to the applicable Standard Contractual clauses located at: https://www.hidglobal.com/legal

System Users Email Address
Account Name
To give access to the system 30 days from termination of the Service  
Employees
Contractors
Vendors
Suppliers
Visitors
End user answers to End Customer defined questionnaire** Authorizing end users and site visitors based on End Customer criteria Screening employees and visitors 48 hours after screening event  

Sub-processors:

Hosting Provider

Entity: Amazon Web Services
Location of Processing: United States*
Frequency of data transfer: Continuous Basis

*unless the parties enter into a SAFE SaaS Platform Designation Agreement specifying a different platform location, in which event such agreement shall amend this Data Processing Specifications document

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period Sensitive Data
Employees
Contractors
Vendors
Suppliers
Visitors
First and last name
Email address
Residential address
Business address
Driver’s License or other State or Government Issued Identification Number or Card (including Passport)
School-Issued Identification
Native American tribal document
School record or report
Clinic, doctor, or hospital record
Daycare or nursery school record
Social Security number or Card
Birth Certificate or Certificate of Birth Abroad issued by First and last name
Email address
Residential address
Business address
Driver’s License or other State or Government Issued Identification Number or Card (including Passport)
School-Issued Identification
Native American tribal document
School record or report
Clinic, doctor, or hospital record
Daycare or nursery school record
Social Security number or Card
Birth Certificate or Certificate of Birth Abroad issued by the Department of State Unexpired employment authorization document issued by DHS
Any other I-9 documentation
Employer information
Job title
Biometric data
Photograph of individual
Place of birth
Nation of origin
Ethnicity
Gender
Height/Weight
Eye color
Hair color
License Plate Number
To host the infrastructure where the Service resides 30 days from termination of the Service Biometric data
Native American tribal document
Nation of origin
Ethnicity
Birth Certificate or Certificate of Birth Abroad issued by the Department of State
Passport
other sensitive data on I-9 document

The applied restrictions or safeguards related to sensitive data transferred outside of the EEA is set forth in Annex II to the applicable Standard Contractual clauses located at: https://www.hidglobal.com/legal

System Users Email Address
Account Name
To host the infrastructure where the Service resides 30 days from termination of the Service  
Employees
Contractors
Vendors
Suppliers
Visitors
End user answers to End Customer defined questionnaire** To host the infrastructure where the Service resides 48 hours after screening event  

HID affiliates providing customer-initiated support

Entities: ActivIdentity (Australia) Pty Ltd, HID India Private Ltd, HID Global Corporation, HID GLOBAL SAS, HID Corporation Ltd, and ASSA ABLOY
Location of Processing: Australia, India, United States, France, United Kingdom, and Canada
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period Sensitive Data
Employees
Contractors
Vendors
Suppliers
Visitors
First and last name
Email address
Residential address
Business address
Driver’s License or other State or Government Issued Identification Number or Card (including Passport)
School-Issued Identification
Native American tribal document
School record or report
Clinic, doctor, or hospital record
Daycare or nursery school record
Social Security number or Card
Birth Certificate or Certificate of Birth Abroad issued by First and last name
Email address
Residential address
Business address
Driver’s License or other State or Government Issued Identification Number or Card (including Passport)
School-Issued Identification
Native American tribal document
School record or report
Clinic, doctor, or hospital record
Daycare or nursery school record
Social Security number or Card
Birth Certificate or Certificate of Birth Abroad issued by the Department of State Unexpired employment authorization document issued by DHS
Any other I-9 documentation
Employer information
Job title
Biometric data
Photograph of individual
Place of birth
Nation of origin
Ethnicity
Gender
Height/Weight
Eye color
Hair color
License Plate Number
To provide managed services and support 30 days from termination of the Service Biometric data
Native American tribal document
Nation of origin
Ethnicity
Birth Certificate or Certificate of Birth Abroad issued by the Department of State
Passport
other sensitive data on I-9 document

The applied restrictions or safeguards related to sensitive data transferred outside of the EEA is set forth in Annex II to the applicable Standard Contractual clauses located at: https://www.hidglobal.com/legal

System Users Email Address
Account Name
To provide managed services and support 30 days from termination of the Service  
Employees
Contractors
Vendors
Suppliers
Visitors
End user answers to End Customer defined questionnaire** To provide managed services and support 48 hours after screening event  

HID affiliates providing professional services

Entities: HID India Private Ltd, HID Global Corporation, ASSA ABLOY of Canada Ltd, ActivIdentity (Australia) Pty Ltd, HID Global GmbH, HID Global SAS, and HID Global Teoranta
Location of Processing: India, United States, Canada, United Kingdom, Australia, Germany, South Africa, and Ireland
Frequency of data transfer: One-Off*

*transfer and access limited to the duration of the professional services engagement

To provide professional services as contracted by End Customer

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period Sensitive Data
Employees
Contractors
Vendors
Suppliers
Visitors
First and last name
Email address
Residential address
Business address
Driver’s License or other State or Government Issued Identification Number or Card (including Passport)
School-Issued Identification
Native American tribal document
School record or report
Clinic, doctor, or hospital record
Daycare or nursery school record
Social Security number or Card
Birth Certificate or Certificate of Birth Abroad issued by First and last name
Email address
Residential address
Business address
Driver’s License or other State or Government Issued Identification Number or Card (including Passport)
School-Issued Identification
Native American tribal document
School record or report
Clinic, doctor, or hospital record
Daycare or nursery school record
Social Security number or Card
Birth Certificate or Certificate of Birth Abroad issued by the Department of State Unexpired employment authorization document issued by DHS
Any other I-9 documentation
Employer information
Job title
Biometric data
Photograph of individual
Place of birth
Nation of origin
Ethnicity
Gender
Height/Weight
Eye color
Hair color
License Plate Number
30 days from termination of the Service Biometric data
Native American tribal document
Nation of origin
Ethnicity
Birth Certificate or Certificate of Birth Abroad issued by the Department of State
Passport
other sensitive data on I-9 document

The applied restrictions or safeguards related to sensitive data transferred outside of the EEA is set forth in Annex II to the applicable Standard Contractual clauses located at: https://www.hidglobal.com/legal

System Users Email Address
Account Name
To provide professional services as contracted by End Customer 30 days from termination of the Service  
Employees
Contractors
Vendors
Suppliers
Visitors
End user answers to End Customer defined questionnaire** To provide professional services as contracted by End Customer 48 hours after screening event  

Delivery of the data by client: API or user interface over HTTPS

** ONLY APPLIES WHERE THERE IS A QUESTIONNAIRE PRESENTED. END CUSTOMER IS SOLELY RESPONSIBLE FOR DETERMINING WHETHER THE CONTENT OF ANY QUESTIONNAIRE IS APPROPRIATE, MEETS END CUSTOMER’S REQUIREMENTS, AND IS PERMITTED BY APPLICABLE LAWS AND REGULATIONS. THE RESPONDENT TO THE QUESTIONNAIRE IS SOLELY RESPONSIBLE FOR THE ACCURACY OF ITS ANSWERS TO ANY SUCH QUESTIONNAIRE.

HID Origo™ Platform and Related Services

HID Entity Providing the Service: HID Global Corporation
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator
Reader Technician
First and last name
Email address
Job title (HID Reader Manager app)
Telephone number
Employer information
Employer address
Onboarding the End Customer Organization to the service or registering as a Reader Technician in the HID Reader Manager app. Applies to Administrators and Reader Technicians only. 30 days from termination of the Service
End user First and last name
Email address
Title
Suffix
User identifier (e.g. a username from another system)
Identification of end users. 30 days from termination of the Service
End user Photo Provide the Photo ID functionality, which can be used to link an image and titles to a Mobile ID. 30 days from termination of the Service
Administrator
End user
Unique push notification identifier
Unique application identifier
Application state, events and usage statistics
Location data (e.g. GPS positions) in conjunction with presenting a Mobile ID to a reader or inspecting reader configuration
Delivery and management of Mobile IDs or reader keysets.
Improving service performance and providing technical support.
3 years in deidentified form

Sub-processors:

Hosting Provider

Entity: Amazon Web Services
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator
Reader Technician
First and last name
Email address
Job title (HID Reader Manager app)
Telephone number
Employer information
Employer address
To host the infrastructure where the Service resides 30 days from termination of the Service
End user First and last name
Email address
Title
Suffix
User identifier (e.g. a username from another system)
To host the infrastructure where the Service resides 30 days from termination of the Service
End user Photo To host the infrastructure where the Service resides 30 days from termination of the Service
Administrator
End user
Unique push notification identifier
Unique application identifier
Application state, events and usage statistics
Location data (e.g. GPS positions) in conjunction with presenting a Mobile ID to a reader or inspecting reader configuration
To host the infrastructure where the Service resides 30 days from termination of the Service**
End user Application state, events and usage statistics Location data (e.g. GPS positions) in conjunction with presenting a Mobile ID to a reader or inspecting reader configuration To host the infrastructure where the Service resides 3 years in deidentified form

HID affiliates providing customer-initiated support

Entities: HID Global Corporation and affiliated entities
Location of Processing: United States, India, Mexico, Brazil, United Kingdom, Hong Kong, China, and Australia
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator
Reader Technician
First and last name
Email address
Job title (HID Reader Manager app)
Telephone number
Employer information
Employer address
To provide managed services and support 30 days from termination of the Service
End user First and last name
Email address
Title
Suffix
User identifier (e.g. a username from another system)
To provide managed services and support 30 days from termination of the Service
End user Photo To provide managed services and support 30 days from termination of the Service
Administrator
End user
Unique push notification identifier
Unique application identifier
Application state, events and usage statistics
Location data (e.g. GPS positions) in conjunction with presenting a Mobile ID to a reader or inspecting reader configuration
To provide managed services and support 30 days from termination of the Service**
End user Application state, events and usage statistics Location data (e.g. GPS positions) in conjunction with presenting a Mobile ID to a reader or inspecting reader configuration To provide managed services and support 3 years in deidentified form

Third Party service providers

Entity: Google LLC
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator
End User
Cookies
Email Address
Usage analytics data from the HID Origo SDK 14 months

Entity: Mixpanel
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
End User Usage Data Usage analytics data from the HID Origo SDK 5 years

Entity: HSL Mobile/Link Mobility
Location of Processing: United Kingdom
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator Mobile telephone number Deliver one-time passwords via SMS to mobile phones for two-factor authentication. 30 days from termination of the Service
End User Mobile telephone number Deliver one-time passwords via SMS to mobile phones for two-factor authentication. 30 days from termination of the Service

Delivery of the data by client: API or user interface over HTTPS

WorkforceID™ Digital Credential Manager

HID Entities Providing the Service: HID Global Corporation, Avalanche Cloud Corp (Private certificates), and IdenTrust, Inc. (Public certificates)
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator Employer information
Employer address
IT Manager email address and cell phone number
Onboarding the End Customer Organization to the service. Identification and authentication of the IT Manager configuring the service 30 days from termination of the Service*
End User First and last name
Domain username and User Principal Name (UPN)
Email address
Identification of end users accessing the service Attributes included in the digital certificates issued by the service
End User Authentication Device serial numbers
Digital certificate serial numbers
Identification of authentication devices and digital certificates issued and managed by the service

*When using WorkforceID Digital Credential Manager with the Publicly Trusted Certificate Authority, archive records containing Personal Data are maintained for up to 10.5 years as required by certification authorities

Location of the platform: Hosted by the company Amazon Web Services (“Hosting Provider”) – platform currently located in the United States

Sub-processors:

Hosting Provider

Entity: Amazon Web Services
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator Employer information
Employer address
IT Manager email address and cell phone number
To host the infrastructure where the Service resides 30 days from termination of the Service*
End User First and last name
Domain username and User Principal Name (UPN)
Email address
To host the infrastructure where the Service resides
End User Authentication Device serial numbers
Digital certificate serial numbers
To host the infrastructure where the Service resides

HID affiliates providing customer-initiated support

Entities: ActivIdentity (Australia) Pty Ltd, HID India Private Ltd, HID Global Corporation, HID GLOBAL SAS, HID Corporation Ltd, IdenTrust, Inc., and ASSA ABLOY
Location of Processing: Australia, India, United States, France, United Kingdom, and Canada
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator Employer information
Employer address
IT Manager email address and cell phone number
To provide managed services and support 30 days from termination of the Service*
End User First and last name
Domain username and User Principal Name (UPN)
Email address
To provide managed services and support
End User Authentication Device serial numbers
Digital certificate serial numbers
To provide managed services and support

Delivery of the data by client: User interface over HTTPS

Additional Disclosure Information: When using WorkforceID Digital Credential Manager with the Publicly Trusted Certificate Authority, End users' Digital Certificates and any information contained therein, including end user's and Customer's identity, must be seen by others and is not private – that would defeat the purpose of the Digital Certificate, which is to allow third parties to establish end user and Customer's identity. Personal Data that may be disclosed hereunder includes, but is not limited to: (i) end user's UPN (user principal name), name and e-mail address, (ii) end user Public Key; (iii) Customer's name, address and telephone number; and (iv) end user Digital Certificate serial number and expiration date. However, end user's address and telephone number and other personally identifying information, other than user principal name, name and e-mail address, will not appear in their Digital Certificate and will not be disclosed to third parties except as provided for in the Data Processing Terms or in these Data Processing Specifications.

FARGO Connect™ Platform Services

HID Entity Providing the Service: HID Global Corporation
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator First and last name
Email address
Telephone number
Employer address
Identification of end users utilizing the HID FARGO Connect card personalization portal. 30 days from termination of the Service

Sub-processors:

Hosting Provider

Entity: Amazon Web Services
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator First and last name
Email address
Telephone number
Employer address
To host the infrastructure where the Service resides 30 days from termination of the Service

Third Party service providers

Entity: eXtensia Technologies, Inc.
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator First and last name
Email address
Telephone number
Employer address
For the provision of security and integration services 30 days from termination of the Service

HID affiliates providing customer-initiated support

Entities: HID Global Corporation and affiliated entities
Location(s) of support services: United States, United Kingdom, Hong Kong, Australia, Brazil, Japan and India
Frequency of data transfer for support: One-Off*

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator First and last name
Email address
Telephone number
Employer address
To provide managed services and support 30 days from termination of the Service

Delivery of the data by client: API or user interface over HTTPS

HydrantID Managed PKI and Trusted Digital Certificate Services

HID Entity Providing the Service: Avalanche Cloud Corp
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
Administrators
End User
First Name
Last Name
Common Name
E-mail address
Title (e.g. Mr./Mrs.)
Locality
State/Province
Country
Government issued ID document number (e.g. passport, driving license)
To provide digital certificates, signing services, and other products and services. Applies to the certificate holder.

Personal data provided as part of the Services, such as the certificate content and in some cases registration data, may be used to process the certificate.

Information and audit logs for at least seven years. Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.
Administrators First Name
Last Name
E-mail address
Telephone number
Onboarding the End Customer organization to the Service. To provide access to the Service platform. Applies to the account administrators Information and audit logs for at least seven years. Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.

Sub-processors:

Hosting Provider

Entity: Amazon Web Services
Location of Processing: United States* and the European Union
Frequency of data transfer: Continuous Basis

*Unless the End Customer elects for their data to be hosted in the European Union, data is transferred to the Hosting Provider based in the United States

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
Administrators
End User
First Name
Last Name
Common Name
E-mail address
Title (e.g. Mr./Mrs.)
Locality
State/Province
Country
Government issued ID document number (e.g. passport, driving license)
To host the infrastructure where the Service resides Information and audit logs for at least seven years.

Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.

Administrators First Name
Last Name
E-mail address
Telephone number
To host the infrastructure where the Service resides Information and audit logs for at least seven years.

Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.

HID affiliates providing customer-initiated support

Entity: IdenTrust, Inc.
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
Administrators
End User
First Name
Last Name
Common Name
E-mail address
Title (e.g. Mr./Mrs.)
Locality
State/Province
Country
Government issued ID document number (e.g. passport, driving license)
To provide managed services and support Information and audit logs for at least seven years.

Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.

Administrators First Name
Last Name
E-mail address
Telephone number
To provide managed services and support Information and audit logs for at least seven years.

Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.

Third-party service providers

Entity: Switch
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
Administrators
End User
First Name
Last Name
Common Name
E-mail address
Title (e.g. Mr./Mrs.)
Locality
State/Province
Country
Government issued ID document number (e.g. passport, driving license)
May host HID-dedicated infrastructure, including Personal Data types listed above either as primary or backup for the Service. Information and audit logs for at least seven years.

Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.

Administrators First Name
Last Name
E-mail address
Telephone number
May host HID-dedicated infrastructure, including Personal Data types listed above either as primary or backup for the Service. Information and audit logs for at least seven years.

Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.

Entity: Equinix
Location of Processing: United States* and European Union
Frequency of data transfer: Continuous Basis

*Unless the End Customer elects for their data to be hosted in the European Union, data is transferred to the Hosting Provider based in the United States.

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
Administrators
End User
First Name
Last Name
Common Name
E-mail address
Title (e.g. Mr./Mrs.)
Locality
State/Province
Country
Government issued ID document number (e.g. passport, driving license)
May host HID-dedicated infrastructure, including Personal Data types listed above either as primary or backup for the Service. Information and audit logs for at least seven years.

Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.

Administrators First Name
Last Name
E-mail address
Telephone number
May host HID-dedicated infrastructure, including Personal Data types listed above either as primary or backup for the Service. Information and audit logs for at least seven years.

Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.

Entity: DigiCert and QuoVadis entities
Location of Processing*: Netherlands, Switzerland, Belgium, Germany, United Kingdom, United States, or Bermuda
Frequency of data transfer: Continuous Basis

*Location of processing determined by sub-processor Entity based on the type of service

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
Administrators
End User
First Name
Last Name
Common Name
E-mail address
Title (e.g. Mr./Mrs.)
Locality
State/Province
Country
Government issued ID document number (e.g. passport, driving license)
May process data to be included in a digital certificate (which can include the Personal Data types listed above) when HID uses DigiCert/QuoVadis digital certificate systems to deliver the Services to End Customer. Information and audit logs for at least seven years.

Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.

Administrators First Name
Last Name
E-mail address
Telephone number
May process data to be included in a digital certificate (which can include the Personal Data types listed above) when HID uses DigiCert/QuoVadis digital certificate systems to deliver the Services to End Customer. Information and audit logs for at least seven years.

Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.

Entity: Auth0
Location of Processing: United States* and European Union
Frequency of data transfer: Continuous Basis

*Unless the End Customer elects for their data to be hosted in the European Union, data is transferred to the Hosting Provider based in the United States.

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
Administrators
End User
First Name
Last Name
Common Name
E-mail address
Title (e.g. Mr./Mrs.)
Locality
State/Province
Country
Government issued ID document number (e.g. passport, driving license)
Authenticating Administrators and End Users prior to accessing the Service 30 days

Entity: Mailgun
Location of Processing: United States* and European Union
Frequency of data transfer: Continuous Basis

*Unless the End Customer elects for their data to be hosted in the European Union, data is transferred to the Hosting Provider based in the United States.

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
Administrators
End User
First Name
Last Name
E-mail address
Communicate with Administrators and End Users about the Service 30 days

Delivery of the data by client: API over HTTPS

HID Location Services Dashboard

Third Party service provider

Entity: Banyan Hills Technologies
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
End User Location Data
Latitude
Longitude
Altitude
Determine the location of a specific device (for example a hardware or mobile beacon), over time. This information is presented in dashboards to provide location services. 30 days from termination of the Service
End User Device Properties
Name
Identifier
MAC address
Identify a specific device associated with Location Data. This information may be used to correlate the Location Data with a specific user. 30 days from termination of the Service

Hosting Provider

Entity: Amazon Web Services
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
End User Location Data
Latitude
Longitude
Altitude
To host the infrastructure where the Service resides 30 days from termination of the Service
End User Device Properties
Name
Identifier
MAC address
To host the infrastructure where the Service resides 30 days from termination of the Service

HID affiliates providing customer-initiated support

Entities: HID Global Corporation
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
End User Location Data
Latitude
Longitude
Altitude
To provide managed services and support 30 days from termination of the Service
End User Device Properties
Name
Identifier
MAC address
To provide managed services and support 30 days from termination of the Service

Event Management Platform

Name (First & Last), Title (Mr, Mrs, Miss); Email Address; Phone Number; Seating information (Gate, Block, Row, Seat); Company; Country (Nationality); Ticket Number; Ticket Barcode; Accreditation; AccreditationID; Photo; Name (First & Last), Company; Country; Category of Accreditation (e.g. MEDIA), sub-category, Date of Birth

Personal Data Type Purpose of Processing Data Retention Period**
Accreditation Module & Organization Self administration module and Self Registration forms
A configurable list of the following attributes. Name (First & Last), Title (Mr, Mrs, Miss); Email Address; Phone Number; Company (Organization); Country (Nationality); Nationality, ID document type, ID document number, ID document expiry date, Scan of the ID document, AccreditationID, Photo; Category of Accreditation (e.g. MEDIA), sub-category, Date of Birth Address
To perform the enrollment process for individuals and security vetting (sending and extracting the subset of personal information to authorities to establish if the individual has sufficient security standing to attend the event) and then for the individual to be approved to have a credential (physical or virtual) issued to attend the event and for other systems or the below HID platform module to provide access control to the event. Defined by the configuration for the specific event and in any case: The shorter of: (i) 60 days from termination of the Service; or (ii) 3 years after the applicable event period has finished
  Accredited Individuals and Ticket Holders: To perform issuance of credentials and vouchers both physical (e.g. printing a smart card / paper credential and additionally encoding the data securely into a secure chip in the credential) or virtual (a mobile ticket inside an App or inside Apple Wallet / Google Pay)

To verify a credentials and perform access control

To provide additional services related to access control (for example: the ability to use the credential at a kiosk to print out a Set Information Receipt with name, Last name Block Row Seat of the individual).

The shorter of: (i) 60 days from termination of the Service; or (ii) 3 years after the applicable event period has finished
Answers to End Customer defined questionnaire*** Allows Accredited Individuals unlock its accreditation after providing the submission of the answers to End Customer’s questionnaire in compliance with End Customer criteria 48 hours after the applicable event period has finished
Web Portal Users: Email Address, first name, last name; Password To perform login into the EMS web portal (email + PWD) 60 days from termination of the Service

For clarity, an “Accredited Individual” is an individual granted access to the premises by the End Customer in an official compacity and not as a ticket holder or other type of patron. Examples of an Accredited Individual include End Customer personnel, contractors, vendors, volunteers, and third-party media.

**If End Customer requests HID retain Customer Materials beyond the Data Retention Period (“Additional Data Retention Period”), HID will retain the data for 90 days from the expiry of the Additional Retention Period.

***ONLY APPLIES WHERE THERE IS A QUESTIONNAIRE PRESENTED. END CUSTOMER IS SOLELY RESPONSIBLE FOR DETERMINING WHETHER THE CONTENT OF ANY QUESTIONNAIRE IS APPROPRIATE, MEETS END CUSTOMER’S REQUIREMENTS, AND IS PERMITTED BY APPLICABLE LAWS AND REGULATIONS. THE RESPONDENT TO THE QUESTIONNAIRE IS SOLELY RESPONSIBLE FOR THE ACCURACY OF ITS ANSWERS TO ANY SUCH QUESTIONNAIRE.

Sub-processors:

Hosting Provider

Entity: Amazon Web Services
Location of Processing: Ireland
Frequency of data transfer: Continuous Basis

Third Party service providers

Company Location of Processing Purpose
Auth0 (Optional) EU Portal Login Service for the Web Portal Users Personal Data types
MailGun EU Email sending service to send event invitation emails to the individual (if requested and configured in the platform)

Delivery of the data by client: API, Azure Service Bus or user interface over HTTPS direct entering of data via web forms or CSV upload into the web admin portals of the event management platform

Location(s) of support services: United Kingdom, Italy, Poland, and India

Third Party Background Checks and Security Vetting: Upon request by End Customer, HID may share some, or all, of the personal data types described under “Accreditation Module & Organization Self administration module and Self Registration forms” section listed above to certain third-party background check and security vetting providers. Such providers may be private entities or local police or other law enforcement officials that perform these functions on behalf of End Customer.

HID Textile Services ACUITY Administration

HID Entity Providing the Service: HID Textile Service SARL

Location of Processing*: United Kingdom, Australia

Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period

End User

First and last name

Email address

 Telephone number

Define Contact Information for the purpose Of Order Management by HID Customer

 30 days from termination of the Service

 

End User

Username***

 

 

Authentication of End User’s login attempt to access WebOrder Customer Portal

30 days from termination of the Service

 

Sub-processors:

Hosting Provider

Entity: Amazon Web Services
Location of Processing*: UK and Australia
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period

End User

First and last name

Email address

 Telephone number

To host the infrastructure

 30 days from termination of the Service

 

End User

Username***

 

 

To host the infrastructure

30 days from termination of the Service

 

Third-Party Support Provider

Entity: Stefanini IT Solutions

Location of Processing: Romania

Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period

End User

First and last name

Email address

 Telephone number

Update End User information

 30 days from termination of the Service

 

End User

Username***

 

 

Update End User information

30 days from termination of the Service

 

*If End Customer is in the European Union, all data is processed in the European Union or a country that has obtained an adequacy decision

**”End User” means individual users to which End Customer grants access to the Service

***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User

HID Textile Services ACUITY Users Management

HID Entity Providing the Service: HID Textile Services SARL

Location of Processing: Australia

Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period

End User Administrator

First and last name

Email address

Telephone number

Username***

Authentication of End User’s login attempt to access ACUITY User Management and able to add, update, remove End User for the administrated entity

30 days from termination of the Service

End User

First and last name

Email address

Telephone number

Username***

Authentication of End User’s login attempt to access ACUITY tools (WebOrder tools, Smart Readers, Mobile Applications)

 30 days from termination of the Service

 

Sub-processors:

Hosting Provider

Entity: Amazon Web Services
Location of Processing: Australia
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period

End User Administrator

First and last name

Email address

Telephone number

Username***

To host the infrastructure

30 days from termination of the Service

End User

First and last name

Email address

Telephone number

Username***

To host the infrastructure

 30 days from termination of the Service

 

Third-Party Support Provider

Entity: Stefanini IT Solutions

Location of Processing: Romania

Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period

End User Administrator

First and last name

Email address

Telephone number

Username***

Update End User Administrator Information

30 days from termination of the Service

End User

First and last name

Email address

Telephone number

Username***

Update End User Information

 30 days from termination of the Service

 

**”End User” means individual users to which End Customer grants access to the Service

***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User

HID Textile Services WebOrder Admin, WebOrder Invoicing, WebOrder Dispatch tools

HID Entity Providing the Service: HID Textile Services SARL

Location of Processing*: United Kingdom, Australia

Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period

End User

Username***

Authentication of End User’s login attempt to access the various WebOrder tools (WOA, WOD, WOI, WOR)

30 days from termination of the Service

 

Sub-processors:

Hosting Provider

Entity: Amazon Web Services

Location of Processing: Australia

Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period

End User

Username***

To host the infrastructure

30 days from termination of the Service

 

**”End User” means individual users to which End Customer grants access to the Service

***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User

HID Textile Services WebOrder Customer Portal (Provided by HID Textile Services)

HID Entity Providing the Service: HID Textile Services SARL

Location of Processing*: United Kingdom, Australia

Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period

End User

Username***

Authentication of End User’s login attempt to access WebOrder Customer

 30 days from termination of the Service

 

Sub-processors:

Hosting Provider

Entity: Amazon Web Services

Location of Processing*: United Kingdom and Australia

Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period

End User

Username***

To host the infrastructure

 30 days from termination of the Service

 

*If End Customer is in the European Union, all data is processed in the European Union or a country that has obtained an adequacy decision

**”End User” means individual users to which End Customer grants access to the Service

***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User

HID Textile Services ACUITY RFID Platform for Laundries

HID Entity Providing the Service: HID Textile Services SARL

Location of Processing*: France, United Kingdom, Germany, Singapore, Australia

Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period

End User

Username***

Authentication of End User’s login attempt to access Smart Reader Business Processes when applicable

 30 days from termination of the   Service

 

Sub-processors:

Hosting Provider

Entity: Amazon Web Services

Location of Processing: Australia

Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period

End User

Username***

To host the infrastructure

 30 days from termination of the   Service

 

**”End User” means individual users to which End Customer grants access to the Service

***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User

HID Textile Services ACUITY Mobile Applications

HID Entity Providing the Service: HID Textile Services SARL

Location of Processing*: France, United Kingdom, Germany, Singapore, Australia

Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period

End User

Username***

Authentication of End User’s login attempt to access Mobile Application Business Processes

 30 days from termination of the Service

 

Sub-processors:

Hosting Provider

Entity: Amazon Web Services

Location of Processing: Australia

Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period

End User

Username***

To host the infrastructure

 30 days from termination of the Service

 

**”End User” means individual users to which End Customer grants access to the Service

***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User