Data Processing Specifications

(Version March 2024)

This is not a stand-alone document. These Data Processing Specifications supplement the relevant Data Processing Terms for HID® software-as-a-service offerings set forth below (each a “Service”):

The Data Processing Specifications describe: (i) the subject matter of the data processing; (ii) the type of Personal Data processed; (ii) the name and location of the party hosting the Personal Data; (iii) where the Service is hosted; (iv) sub-processors involved in the processing of the Personal Data, if any; (iv) the purpose of the data processing; and (v) the period of time the Personal Data is retained.

Personal Data types processed are selected by End Customer. If End Customer defines a different Data Retention Period or otherwise requests that HID retain Customer Materials beyond the Data Retention Period (“Requested Data Retention Period”), subject to the payment of additional fees associated with such retention as may be reasonably requested by HID, HID will retain the data for the Requested Data Retention Period.

Outside of the data types listed below, there may be additional optional fields that Channel Partner or End Customer may populate at its discretion. If Channel Partner or End Customer elect to populate those fields with Personal Data, any such information will be treated as confidential data and will be deleted within 30 days of from last back up. This optional data entered by Channel Partner or End Customer is not required for the operation of the Services.

 

Authentication Service

HID Entity Providing the Service: HID Global Corporation, HID Global Ireland Teoranta, HID Global GmbH, HID Corporation Ltd, HID GLOBAL SAS, ActivIdentity (Australia) Pty Ltd, ASSA ABLOY of Canada Ltd, and HID India Private Ltd
Location of Processing: United States, Ireland, Germany, United Kingdom, France, Australia, Canada, and India
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator First and last name
Email address
Telephone number
Employer information
Employer address
Onboarding the End Customer Organization to the Service. Applies to the first Privileged Admin user only. 30 days from termination of the Service
End user First and last name
User identifier
Identification of end users who use the Service for authentication. 30 days from termination of the Service
End user Email address
Mobile telephone number
Authentication of end users’ login attempt. 30 days from termination of the Service

Delivery of the data by client: API or user interface over HTTPS

Sub-processors:

Hosting Provider

Entity: Amazon Web Services
Location of Processing: United States* and European Union
Frequency of data transfer: Continuous Basis

*End Customer designates the primary hosting location. Unless otherwise requested by End Customer, backup data will be stored in the United States.

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator First and last name
Email address
Telephone number
Employer information
Employer address
To host the infrastructure where the Service resides 30 days from termination of the Service
End User First and last name
User identifier
To host the infrastructure where the Service resides 30 days from termination of the Service
End User Email address
Mobile telephone number
To host the infrastructure where the Service resides 30 days from termination of the Service

HID affiliates providing customer-initiated support

Entities: ActivIdentity (Australia) Pty Ltd, HID India Private Ltd, HID Global Corporation, HID GLOBAL SAS, HID Corporation Ltd, ASSA ABLOY of Canada Ltd, and HID Czech s.r.o.
Location of Processing: Australia, India, United States, France, United Kingdom, Canada and Czech Republic
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator First and last name
Email address
Telephone number
Employer information
Employer address
To provide managed services and support 30 days from termination of the Service
End User First and last name
User identifier or other form of identification (ex: government issued ID)
To provide managed services and support 30 days from termination of the Service
End User Email address
Mobile telephone number
To provide managed services and support 30 days from termination of the Service

Third-Party Contractors providing customer-initiated support

Entities: Flairstech Inc.
Location of Processing: Egypt

Categories of Data Subjects Personal Data types Purpose of Processing Frequency of Data Transfer
End Customer Contact First and last name
Email address
Telephone number
Employer information
Employer address
To provide managed services and support Continuous Basis
End Customer Environment:
End User
Employees
Contractors
Vendors
Suppliers
Visitors
As defined by the End Customer To provide managed services and support Sporadic (as controlled by the End Customer in requesting support)

HID affiliates providing professional services

Entities: HID Global Corporation, HID Corporation Ltd, HID Global GmbH, Assa Abloy (SA) (Pty) Ltd, HID Global Ireland Teoranta, HID Czech s.r.o., and HID do Brazil Indústria, Comércio, Importacão e Exportacão de Equipamentos Eletrõnicos Ltda.
Location of Processing: United States, United Kingdom, Germany, South Africa, Ireland, Czech Republic, and Brazil
Frequency of data transfer: One-Off*

*transfer and access limited to the duration of the professional services engagement

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator First and last name
Email address
Telephone number
Employer information
Employer address
To provide professional services as contracted by End Customer 30 days from termination of the Service
End User First and last name
User identifier
To provide professional services as contracted by End Customer 30 days from termination of the Service
End User Email address
Mobile telephone number
To provide professional services as contracted by End Customer 30 days from termination of the Service

Third-Party Service Providers

Entity: HSL Mobile/Link Mobility
Location of Processing: United Kingdom
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator Mobile telephone number Deliver one-time passwords via SMS to mobile phones for two-factor authentication. 30 days from termination of the Service
End User Mobile telephone number Deliver one-time passwords via SMS to mobile phones for two-factor authentication. 30 days from termination of the Service

 

Identity Verification Service (IAMS)

Entity: AuthenticID
Location of Processing: United States
Frequency of data transfer (Continuous or One-Time Basis): Continuous

Categories of Data Subjects Personal Data types Purpose of Processing Data Retention Period
Administrator First and last name
Email address
 
To provide managed services and support for threat and fraud detection As required for Administration purposes within contract period. Deleted upon contract termination.
End User Drivers License
Drivers License number
DOB
Drivers License details
2D Bar Code
Document facial Image
Personal Address
Passport numbers
Passport details
2D Barcode
Document facial image
Real time biometric facial image
To provide managed services and support for threat and fraud detection Set by End Customer. Service provider recommends 180 days for model tuning and product improvement.

 

Sub-processors: 

Hosting Provider

Entity: AWS Inc
Location of Processing: United States
Frequency of data transfer (Continuous or One-Time Basis): Continuous

Categories of Data Subjects Personal Data types Purpose of Processing Sensitive Data
Administrators and End Users Drivers License
Drivers License number
DOB
Drivers License details
2D Bar Code
Document facial Image
Personal Address
Passport numbers
Passport details
2D Barcode
Document facial image
Real time biometric facial image
First name
Last name
Email address
To provide
managed services
and support for
threat and fraud
detection
Set by End Customer. Service provider recommends 180 days for model tuning and product improvement.

Risk Management Solution

 

Entity: ThreatMark s.r.o.
Location of Processing: European Union 
Frequency of data transfer (Continuous or One-Time Basis): Continuous

Categories of Data Subjects Personal Data types Purpose of Processing Data Retention Period Sensitive Data
Administrator First and last name
Email address
Business address
Business phone
To provide managed services and support for threat and fraud detection 30 days from termination of the Service N/A 
End user Browser document data
User Interface Data
User Interface Data model
Session score
Port scan data
To provide managed services and support for threat and fraud detection solution
 
By default, 6 months for personal data and 3 months for biometry.
 
Fingerprint

Sub-processors:

Entity: AWS Inc
Location of Processing: European Union
Frequency of data transfer (Continuous or One-Time Basis): Continuous

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period Sensitive Data
Administrator First and last name
Email address
Business address
Business phone
Cloud Storage 30 days from termination of the Service N/A
End user Browser document data
UI data
UI data model
Session score
Port scan data
Cloud Storage By default, 6 months for personal data and 3 months for biometry. Fingerprint

Entity: Atlassian Inc. (JIRA)
Location of Processing: European Union
Frequency of data transfer (Continuous or One-Time Basis): Continuous

Categories of Data Subjects Personal Data types Purpose of Processing Data Retention Period Sensitive Data
Administrator  First and last name
Email address
Business phone
Cloud Storage 30 days from termination of the Service N/A

 

HID SAFE™ and HID Visitor Manager and HID Credential Manager

HID Entity Providing the Service: HID Global Corporation
Location of Processing: United States*
Frequency of data transfer: Continuous Basis

*Unless the End Customer elects for their service to be provided from the European Union, data is transferred to the Hosting Provider based in the United States

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period Sensitive Data
Employees
Contractors
Vendors
Suppliers
Visitors
First and last name
Email address
Residential address
Business address
Driver’s License or other State or Government Issued Identification Number or Card (including Passport)
School-Issued Identification
Native American tribal document
School record or report
Clinic, doctor, or hospital record
Daycare or nursery school record
Social Security number or Card
Birth Certificate or Certificate of Birth Abroad issued by the Department of State Unexpired employment authorization document issued by DHS
Any other I-9 documentation
Employer information
Job title
Biometric data
Photograph of individual
Place of birth
Nation of origin
Ethnicity
Gender
Height/Weight
Eye color
Hair color
License Plate Number
Identifying authorized end users
Authenticating site visitor identity
Badge and credential issuance
Screening visitors
30 days from termination of the Service Biometric data
Native American tribal document
Nation of origin
Ethnicity
Birth Certificate or Certificate of Birth Abroad issued by the Department of State
Passport
other sensitive data on I-9 document

The applied restrictions or safeguards related to sensitive data transferred outside of the EEA is set forth in Annex II to the applicable Standard Contractual clauses located at: https://www.hidglobal.com/legal
System Users Email Address
Account Name
To give access to the system 30 days from termination of the Service  
Employees
Contractors
Vendors
Suppliers
Visitors
End user answers to End Customer defined questionnaire** Authorizing end users and site visitors based on End Customer criteria Screening employees and visitors 48 hours after screening event  

Sub-processors:

Hosting Provider

Entity: Amazon Web Services
Location of Processing: United States*
Frequency of data transfer: Continuous Basis

*unless the parties enter into a SAFE SaaS Platform Designation Agreement specifying a different platform location, in which event such agreement shall amend this Data Processing Specifications document

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period Sensitive Data
Employees
Contractors
Vendors
Suppliers
Visitors
First and last name
Email address
Residential address
Business address
Driver’s License or other State or Government Issued Identification Number or Card (including Passport)
School-Issued Identification
Native American tribal document
School record or report
Clinic, doctor, or hospital record
Daycare or nursery school record
Social Security number or Card
Birth Certificate or Certificate of Birth Abroad issued by the Department of State Unexpired employment authorization document issued by DHS
Any other I-9 documentation
Employer information
Job title
Biometric data
Photograph of individual
Place of birth
Nation of origin
Ethnicity
Gender
Height/Weight
Eye color
Hair color
License Plate Number
To host the infrastructure where the Service resides 30 days from termination of the Service Biometric data
Native American tribal document
Nation of origin
Ethnicity
Birth Certificate or Certificate of Birth Abroad issued by the Department of State
Passport
other sensitive data on I-9 document

The applied restrictions or safeguards related to sensitive data transferred outside of the EEA is set forth in Annex II to the applicable Standard Contractual clauses located at: https://www.hidglobal.com/legal
System Users Email Address
Account Name
To host the infrastructure where the Service resides 30 days from termination of the Service  
Employees
Contractors
Vendors
Suppliers
Visitors
End user answers to End Customer defined questionnaire** To host the infrastructure where the Service resides 48 hours after screening event  

HID affiliates providing customer-initiated support

Entities: ActivIdentity (Australia) Pty Ltd, HID India Private Ltd, HID Global Corporation, HID GLOBAL SAS, HID Corporation Ltd, ASSA ABLOY of Canada Ltd, and HID Czech s.r.o.
Location of Processing: Australia, India, United States, France, United Kingdom, Canada and Czech Republic
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period Sensitive Data
Employees
Contractors
Vendors
Suppliers
Visitors
First and last name
Email address
Residential address
Business address
Driver’s License or other State or Government Issued Identification Number or Card (including Passport)
School-Issued Identification
Native American tribal document
School record or report
Clinic, doctor, or hospital record
Daycare or nursery school record
Social Security number or Card
Birth Certificate or Certificate of Birth Abroad issued by the Department of State Unexpired employment authorization document issued by DHS
Any other I-9 documentation
Employer information
Job title
Biometric data
Photograph of individual
Place of birth
Nation of origin
Ethnicity
Gender
Height/Weight
Eye color
Hair color
License Plate Number
To provide managed services and support 30 days from termination of the Service Biometric data
Native American tribal document
Nation of origin
Ethnicity
Birth Certificate or Certificate of Birth Abroad issued by the Department of State
Passport
other sensitive data on I-9 document

The applied restrictions or safeguards related to sensitive data transferred outside of the EEA is set forth in Annex II to the applicable Standard Contractual clauses located at: https://www.hidglobal.com/legal
System Users Email Address
Account Name
To provide managed services and support 30 days from termination of the Service  
Employees
Contractors
Vendors
Suppliers
Visitors
End user answers to End Customer defined questionnaire** To provide managed services and support 48 hours after screening event  

Third-Party Contractors providing customer-initiated support

Entities: Flairstech Inc.
Location of Processing: Egypt
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data types Purposes of Processing Data Retention Period Sensitive Data
Employees
Contractors
Vendors
Suppliers
Visitors
First and last name Email address
Residential address
Business address
Driver’s License or other State or Government Issued Identification Number or Card (including Passport)
School-Issued Identification
Native American tribal document
School record or report
Clinic, doctor, or hospital record
Daycare or nursery school record
Social Security number or Card
Birth Certificate or Certificate of Birth Abroad issued by the Department of State
Unexpired employment authorization document issued by DHS
Any other I-9 documentation
Employer information
Job title
Biometric data
Photograph of individual
Place of birth
Nation of origin
Ethnicity
Gender
Height/Weight
Eye color
Hair color
License Plate Number
To provide managed services and support 30 days from termination of the Service

Biometric data
Native American tribal document
Nation of origin
Ethnicity
Birth Certificate or Certificate of Birth Abroad issued by the Department of State
Passport
other sensitive data on I-9 document

The applied restrictions or safeguards related to sensitive data transferred outside of the EEA is set forth in Annex II to the applicable Standard Contractual clauses located at: https://www.hidglobal.com/legal.

System Users Email Address
Account Name
To provide managed services and support 30 days from termination of the Service  
Employees
Contractors
Vendors
Suppliers
Visitors
As defined by the End Customer To provide managed services and support 48 hours after screening event  

HID affiliates providing professional services

Entities: HID India Private Ltd, HID Global Corporation, ASSA ABLOY of Canada Ltd, HID Corporation Ltd., and ActivIdentity (Australia) Pty Ltd
Location of Processing: India, United States, Canada, United Kingdom, and Australia
Frequency of data transfer: One-Off*

*transfer and access limited to the duration of the professional services engagement

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period Sensitive Data
Employees
Contractors
Vendors
Suppliers
Visitors
First and last name
Email address
Residential address
Business address
Driver’s License or other State or Government Issued Identification Number or Card (including Passport)
School-Issued Identification
Native American tribal document
School record or report
Clinic, doctor, or hospital record
Daycare or nursery school record
Social Security number or Card
Birth Certificate or Certificate of Birth Abroad issued by the Department of State Unexpired employment authorization document issued by DHS
Any other I-9 documentation
Employer information
Job title
Biometric data
Photograph of individual
Place of birth
Nation of origin
Ethnicity
Gender
Height/Weight
Eye color
Hair color
License Plate Number
To provide professional services as contracted by End Customer 30 days from termination of the Service

Biometric data
Native American tribal document
Nation of origin
Ethnicity
Birth Certificate or Certificate of Birth Abroad issued by the Department of State Passport
other sensitive data on I-9 document

The applied restrictions or safeguards related to sensitive data transferred outside of the EEA is set forth in Annex II to the applicable Standard Contractual clauses located at: https://www.hidglobal.com/legal

System Users Email Address
Account Name
To provide professional services as contracted by End Customer 30 days from termination of the Service  
Employees
Contractors
Vendors
Suppliers
Visitors
End user answers to End Customer defined questionnaire** To provide professional services as contracted by End Customer 48 hours after screening event  

Delivery of the data by client: API or user interface over HTTPS

** ONLY APPLIES WHERE THERE IS A QUESTIONNAIRE PRESENTED. END CUSTOMER IS SOLELY RESPONSIBLE FOR DETERMINING WHETHER THE CONTENT OF ANY QUESTIONNAIRE IS APPROPRIATE, MEETS END CUSTOMER’S REQUIREMENTS, AND IS PERMITTED BY APPLICABLE LAWS AND REGULATIONS. THE RESPONDENT TO THE QUESTIONNAIRE IS SOLELY RESPONSIBLE FOR THE ACCURACY OF ITS ANSWERS TO ANY SUCH QUESTIONNAIRE.

 

HID Origo™ Platform and Related Services

 

HID Entity Providing the Service: HID Global Corporation
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator
Reader Technician
First and last name
Email address
Job title (in app)
Telephone number
Employer information
Employer address
Onboarding the End Customer Organization to the service or registering as a Reader Technician in the app. Applies to Administrators and Reader Technicians only. 30 days from termination of the Service
End user First and last name
Email address
Title
Suffix
User identifier (e.g. a username from another system)
Identification of end users. 30 days from termination of the Service
End user Photo Provide the Photo ID functionality, which can be used to link an image and titles to a Mobile ID. 30 days from termination of the Service
Administrator
End user
Unique push notification identifier
Unique application identifier
 
Delivery and management of Mobile IDs or reader keysets. 30 days from termination of the Service**
End user Application state, events and usage statistics Improving service performance and providing technical support. 3 years in deidentified form

Sub-processors:

Hosting Provider

Entity: Amazon Web Services
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator
Reader Technician
First and last name
Email address
Job title (in app)
Telephone number
Employer information
Employer address
To host the infrastructure where the Service resides 30 days from termination of the Service
End user First and last name
Email address
Title
Suffix
User identifier (e.g. a username from another system)
To host the infrastructure where the Service resides 30 days from termination of the Service
End user Photo To host the infrastructure where the Service resides 30 days from termination of the Service
Administrator
End user
Unique push notification identifier
Unique application identifier
To host the infrastructure where the Service resides 30 days from termination of the Service**
End user Application state, events and usage statistics  To host the infrastructure where the Service resides 3 years in deidentified form

HID affiliates providing customer-initiated support

Entities: HID Global Corporation, Cerramex, SA de CV, ActivIdentity Pty. Ltd, HID India Private Limited, 
HID Corporation Ltd, HID Do Brasil Industria Comercio Importacao E Exportacao De Equipamentos Eletronicos Ltda, , HID Asia Pacific Limited, and HID China Ltd
Location of Processing: United States, India, Mexico, Brazil, United Kingdom, Hong Kong, China, and Australia
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator
Reader Technician
First and last name
Email address
Job title (in app)
Telephone number
Employer information
Employer address
To provide managed services and support 30 days from termination of the Service
End user First and last name
Email address
Title
Suffix
User identifier (e.g. a username from another system)
To provide managed services and support 30 days from termination of the Service
End user Photo To provide managed services and support 30 days from termination of the Service
Administrator
End user
Unique push notification identifier
Unique application identifier
To provide managed services and support 30 days from termination of the Service**
End user Application state, events and usage statistics  To provide managed services and support 3 years in deidentified form

Third-Party service providers

Entity: Mixpanel
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
End User Usage Data Usage analytics data from the HID Origo SDK 5 years

Entity: HSL Mobile/Link Mobility
Location of Processing: United Kingdom
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator Mobile telephone number Deliver one-time passwords via SMS to mobile phones for two-factor authentication. 30 days from termination of the Service
End User Mobile telephone number Deliver one-time passwords via SMS to mobile phones for two-factor authentication. 30 days from termination of the Service

Entity: Pole Star USA, Inc.

Location of Processing: United States and Ireland*

*For End Customers located in the United Kingdom, European Union (EU) or European Economic Area (EEA), all data will be processed in the EU or European Economic Area (EEA).

Third Party PaaS Provider and Hosting Providers: Heroku & Amazon Web Services

Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data type Purpose of Processing Data Retention Period*
Administrator First name, last name, mail address (supposed to be a professional mail address, but no obligation on that), company name, type of job occupation, IP address Identify and authenticate users of HID Identity Positioning Portal and HID Site Planner to enforce data protection and subscription profiles Erasure on demand.

Field Service Operators**

**As used herein, “Field Service Operator” means an individual performing installation and other technical actions onsite on behalf of End Customer

Set of locations and corresponding timestamps, optional free identity character chain, phone type, unique phone ID allocated by HID Site Planner. The phone is supposed to be a professional phone dedicated to location setup, not specifically attributed to the operator as a personal phone. Location setup: collect radio frequency mapping of known radio frequency emitters and locations computed on the phone used by a field operator. Erasure on demand.
End User Phone ID as set by End Customer, set of locations and corresponding timestamps. Location tracking service. Purpose of tracking to be determined by End Customer

 

Period set by End Customer on a per-site basis.

 

Delivery of the data by client: API or user interface over HTTPS

Additional Terms Related to Apple Access Technology:

HID may share with Apple End Customer Data (including personal data) pursuant to the Additional Product-Specific Terms for Apple Access Technology within HID Origo™ Platform and Related Services incorporated in the Terms of Service.

 

FARGO Connect™ Platform Services

HID Entity Providing the Service: HID Global Corporation
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator First and last name
Email address
Telephone number
Employer address
Identification of end users utilizing the HID FARGO Connect card personalization portal. 30 days from termination of the Service

Sub-processors:

Hosting Provider

Entity: Amazon Web Services
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator First and last name
Email address
Telephone number
Employer address
To host the infrastructure where the Service resides 30 days from termination of the Service

Third-Party service providers

Entity: eXtensia Technologies, Inc.
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator First and last name
Email address
Telephone number
Employer address
For the provision of security and integration services 30 days from termination of the Service

HID affiliates providing customer-initiated support

Entities: HID Global Corporation and affiliated entities
Location(s) of support services: United States, United Kingdom, Hong Kong, Australia, Brazil, Japan and India
Frequency of data transfer for support: One-Off*

*Access provided only as needed to provide support in response to a specific customer request

Categories of Data Subjects Personal Data Types Purpose of Processing Data Retention Period
Administrator First and last name
Email address
Telephone number
Employer address
To provide managed services and support 30 days from termination of the Service

Delivery of the data by client: API or user interface over HTTPS

 

HydrantID Managed PKI and Trusted Digital Certificate Services

HID Entity Providing the Service: Avalanche Cloud Corp
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
Administrators
End User
First Name
Last Name
Common Name
E-mail address
Title (e.g. Mr./Mrs.)
Locality
State/Province
Country
Government issued ID document number (e.g. passport, driving license)
To provide digital certificates, signing services, and other products and services. Applies to the certificate holder.

Personal data provided as part of the Services, such as the certificate content and in some cases registration data, may be used to process the certificate.
Information and audit logs for at least seven years. Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.
Administrators First Name
Last Name
E-mail address
Telephone number
Onboarding the End Customer organization to the Service. To provide access to the Service platform. Applies to the account administrators Information and audit logs for at least seven years. Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.

Sub-processors:

Hosting Provider

Entity: Amazon Web Services
Location of Processing: United States* and the European Union
Frequency of data transfer: Continuous Basis

*Unless the End Customer elects for their data to be hosted in the European Union, data is transferred to the Hosting Provider based in the United States

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
Administrators
End User
First Name
Last Name
Common Name
E-mail address
Title (e.g. Mr./Mrs.)
Locality
State/Province
Country
Government issued ID document number (e.g. passport, driving license)
To host the infrastructure where the Service resides Information and audit logs for at least seven years.

Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.
Administrators First Name
Last Name
E-mail address
Telephone number
To host the infrastructure where the Service resides Information and audit logs for at least seven years.

Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.

HID affiliates providing customer-initiated support

Entity: IdenTrust, Inc.
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
Administrators
End User
First Name
Last Name
Common Name
E-mail address
Title (e.g. Mr./Mrs.)
Locality
State/Province
Country
Government issued ID document number (e.g. passport, driving license)
To provide managed services and support Information and audit logs for at least seven years.

Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.
Administrators First Name
Last Name
E-mail address
Telephone number
To provide managed services and support Information and audit logs for at least seven years.

Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.

Third-party service providers

Entity: Switch
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
Administrators
End User
First Name
Last Name
Common Name
E-mail address
Title (e.g. Mr./Mrs.)
Locality
State/Province
Country
Government issued ID document number (e.g. passport, driving license)
May host HID-dedicated infrastructure, including Personal Data types listed above either as primary or backup for the Service. Information and audit logs for at least seven years.

Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.
Administrators First Name
Last Name
E-mail address
Telephone number
May host HID-dedicated infrastructure, including Personal Data types listed above either as primary or backup for the Service. Information and audit logs for at least seven years.

Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.

Entity: Equinix
Location of Processing: United States* and European Union
Frequency of data transfer: Continuous Basis

*Unless the End Customer elects for their data to be hosted in the European Union, data is transferred to the Hosting Provider based in the United States.

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
Administrators
End User
First Name
Last Name
Common Name
E-mail address
Title (e.g. Mr./Mrs.)
Locality
State/Province
Country
Government issued ID document number (e.g. passport, driving license)
May host HID-dedicated infrastructure, including Personal Data types listed above either as primary or backup for the Service. Information and audit logs for at least seven years.

Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.
Administrators First Name
Last Name
E-mail address
Telephone number
May host HID-dedicated infrastructure, including Personal Data types listed above either as primary or backup for the Service. Information and audit logs for at least seven years.

Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.

Entity: DigiCert 
Location of Processing*: Netherlands, Switzerland, Belgium, Germany, United Kingdom, or United States
Frequency of data transfer: Continuous Basis

*Location of processing determined by sub-processor Entity based on the type of service

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
Administrators
End User
First Name
Last Name
Common Name
E-mail address
Title (e.g. Mr./Mrs.)
Locality
State/Province
Country
Government issued ID document number (e.g. passport, driving license)
May process data to be included in a digital certificate (which can include the Personal Data types listed above) when HID uses DigiCert/QuoVadis digital certificate systems to deliver the Services to End Customer. Information and audit logs for at least seven years.

Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.
Administrators First Name
Last Name
E-mail address
Telephone number
May process data to be included in a digital certificate (which can include the Personal Data types listed above) when HID uses DigiCert/QuoVadis digital certificate systems to deliver the Services to End Customer. Information and audit logs for at least seven years.

Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires.

Entity: Auth0
Location of Processing: United States* and European Union
Frequency of data transfer: Continuous Basis

*Unless the End Customer elects for their data to be hosted in the European Union, data is transferred to the Hosting Provider based in the United States.

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
Administrators
End User
First Name
Last Name
Common Name
E-mail address
Title (e.g. Mr./Mrs.)
Locality
State/Province
Country
Authenticating Administrators and End Users prior to accessing the Service 30 days

Entity: Mailgun
Location of Processing: United States* and European Union
Frequency of data transfer: Continuous Basis

*Unless the End Customer elects for their data to be hosted in the European Union, data is transferred to the Hosting Provider based in the United States.

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
Administrators
End User
First Name
Last Name
E-mail address
Communicate with Administrators and End Users about the Service 30 days

Delivery of the data by client: API over HTTPS

 

HID Location Services Dashboard

Third-Party service provider

Entity: Banyan Hills Technologies
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
End User Location Data
Latitude
Longitude
Altitude
Determine the location of a specific device (for example a hardware or mobile beacon), over time. This information is presented in dashboards to provide location services. 30 days from termination of the Service
End User Device Properties
Name
Identifier
MAC address
Identify a specific device associated with Location Data. This information may be used to correlate the Location Data with a specific user. 30 days from termination of the Service

Hosting Provider

Entity: Amazon Web Services
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
End User Location Data
Latitude
Longitude
Altitude
To host the infrastructure where the Service resides 30 days from termination of the Service
End User Device Properties
Name
Identifier
MAC address
To host the infrastructure where the Service resides 30 days from termination of the Service

HID affiliates providing customer-initiated support

Entities: HID Global Corporation
Location of Processing: United States
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
End User Location Data
Latitude
Longitude
Altitude
To provide managed services and support 30 days from termination of the Service
End User Device Properties
Name
Identifier
MAC address
To provide managed services and support 30 days from termination of the Service

Event Management Platform

Personal Data Type Purpose of Processing Data Retention Period**
Accreditation Module & Organization Self administration module and Self Registration forms
A configurable list of the following attributes. Name (First & Last), Title (Mr, Mrs, Miss); Email Address; Phone Number; Company (Organization); Country (Nationality); Nationality, ID document type, ID document number, ID document expiry date, Scan of the ID document, AccreditationID, Photo; Category of Accreditation (e.g. MEDIA), sub-category, Date of Birth Address
To perform the enrollment process for individuals and security vetting (sending and extracting the subset of personal information to authorities to establish if the individual has sufficient security standing to attend the event) and then for the individual to be approved to have a credential (physical or virtual) issued to attend the event and for other systems or the below HID platform module to provide access control to the event. Defined by the configuration for the specific event and in any case: The shorter of: (i) 60 days from termination of the Service; or (ii) 3 years after the applicable event period has finished
Accredited Individuals and Ticket Holders: Name (First & Last), Title (Mr, Mrs, Miss); Email Address; Phone Number; Seating information (Gate, Block, Row, Seat); Company; Country (Nationality); Ticket Number; Ticket Barcode; Accreditation; AccreditationID; Photo; Name (First & Last), Company; Country; Category of Accreditation (e.g. MEDIA), sub-category, Date of Birth

To perform issuance of credentials and vouchers both physical (e.g. printing a smart card / paper credential and additionally encoding the data securely into a secure chip in the credential) or virtual (a mobile ticket inside an App or inside Apple Wallet / Google Pay)

To verify a credentials and perform access control

To provide additional services related to access control (for example: the ability to use the credential at a kiosk to print out a Set Information Receipt with name, Last name Block Row Seat of the individual).

The shorter of: (i) 60 days from termination of the Service; or (ii) 3 years after the applicable event period has finished
Answers to End Customer defined questionnaire*** Allows Accredited Individuals unlock its accreditation after providing the submission of the answers to End Customer’s questionnaire in compliance with End Customer criteria 48 hours after the applicable event period has finished
Web Portal Users: Email Address, first name, last name; Password To perform login into the EMS web portal (email + PWD) 60 days from termination of the Service

For clarity, an “Accredited Individual” is an individual granted access to the premises by the End Customer in an official compacity and not as a ticket holder or other type of patron. Examples of an Accredited Individual include End Customer personnel, contractors, vendors, volunteers, and third-party media.

**If End Customer requests HID retain Customer Materials beyond the Data Retention Period (“Additional Data Retention Period”), HID will retain the data for 90 days from the expiry of the Additional Retention Period.

***ONLY APPLIES WHERE THERE IS A QUESTIONNAIRE PRESENTED. END CUSTOMER IS SOLELY RESPONSIBLE FOR DETERMINING WHETHER THE CONTENT OF ANY QUESTIONNAIRE IS APPROPRIATE, MEETS END CUSTOMER’S REQUIREMENTS, AND IS PERMITTED BY APPLICABLE LAWS AND REGULATIONS. THE RESPONDENT TO THE QUESTIONNAIRE IS SOLELY RESPONSIBLE FOR THE ACCURACY OF ITS ANSWERS TO ANY SUCH QUESTIONNAIRE.

Sub-processors:

Hosting Provider

Entity: Amazon Web Services
Location of Processing: Ireland
Frequency of data transfer: Continuous Basis

Third-Party service providers

Company Location of Processing Purpose
Auth0 (Optional) European Union Portal Login Service for the Web Portal Users Personal Data Types
MailGun European Union Email sending service to send event invitation emails to the individual (if requested and configured in the platform)

Delivery of the data by client: API, Azure Service Bus or user interface over HTTPS direct entering of data via web forms or CSV upload into the web admin portals of the event management platform

Location(s) of support services: United Kingdom, Italy, Poland, and India

Third-Party Background Checks and Security Vetting: Upon request by End Customer, HID may share some, or all, of the personal data types described under “Accreditation Module & Organization Self administration module and Self Registration forms” section listed above to certain third-party background check and security vetting providers. Such providers may be private entities or local police or other law enforcement officials that perform these functions on behalf of End Customer.

 

HID Textile Services ACUITY Administration

HID Entity Providing the Service: HID Textile Service SARL
Location of Processing*: United Kingdom, Australia
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
End User

First and last name

Email address

 Telephone number

Define Contact Information for the purpose Of Order Management by HID Customer

 30 days from termination of the Service

 

End User

Username***

 

 

Authentication of End User’s login attempt to access WebOrder Customer Portal

30 days from termination of the Service

 

Sub-processors:

Hosting Provider

Entity: Amazon Web Services
Location of Processing*: United Kingdom and Australia
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
End User

First and last name

Email address

 Telephone number

To host the infrastructure

 30 days from termination of the Service

 

End User

Username***

 

 

To host the infrastructure

30 days from termination of the Service

 

Third-Party Support Provider

Entity: Stefanini IT Solutions

Location of Processing: Romania

Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
End User

First and last name

Email address

 Telephone number

Update End User information

 30 days from termination of the Service

 

End User

Username***

 

 

Update End User information

30 days from termination of the Service

 

 

*If End Customer is in the European Union, all data is processed in the European Union or a country that has obtained an adequacy decision

**”End User” means individual users to which End Customer grants access to the Service

***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User

 

HID Textile Services ACUITY Users Management

HID Entity Providing the Service: HID Textile Services SARL
Location of Processing: Australia
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
End User Administrator

First and last name

Email address

Telephone number

Username***

Authentication of End User’s login attempt to access ACUITY User Management and able to add, update, remove End User for the administrated entity 30 days from termination of the Service
End User

First and last name

Email address

Telephone number

Username***

Authentication of End User’s login attempt to access ACUITY tools (WebOrder tools, Smart Readers, Mobile Applications)

 30 days from termination of the Service

 

Sub-processors:

Hosting Provider

Entity: Amazon Web Services
Location of Processing: Australia
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
End User Administrator

First and last name

Email address

Telephone number

Username***

To host the infrastructure 30 days from termination of the Service
End User

First and last name

Email address

Telephone number

Username***

To host the infrastructure

 30 days from termination of the Service

 

Third-Party Support Provider

Entity: Stefanini IT Solutions

Location of Processing: Romania

Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
End User Administrator

First and last name

Email address

Telephone number

Username***

Update End User Administrator Information 30 days from termination of the Service
End User

First and last name

Email address

Telephone number

Username***

Update End User Information

 30 days from termination of the Service

 

**”End User” means individual users to which End Customer grants access to the Service

***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User

 

HID Textile Services WebOrder Admin, WebOrder Invoicing, WebOrder Dispatch Tools

HID Entity Providing the Service: HID Textile Services SARL
Location of Processing*: United Kingdom, Australia
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
End User Username*** Authentication of End User’s login attempt to access the various WebOrder tools (WOA, WOD, WOI, WOR)

30 days from termination of the Service

 

Sub-processors:

Hosting Provider
Entity: Amazon Web Services
Location of Processing: Australia
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
End User Username*** To host the infrastructure

30 days from termination of the Service

 

**”End User” means individual users to which End Customer grants access to the Service

***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User

 

HID Textile Services WebOrder Customer Portal (Provided by HID Textile Services)

HID Entity Providing the Service: HID Textile Services SARL
Location of Processing*: United Kingdom, Australia
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
End User Username*** Authentication of End User’s login attempt to access WebOrder Customer

 30 days from termination of the Service

 

Sub-processors:

Hosting Provider

Entity: Amazon Web Services
Location of Processing*: United Kingdom and Australia<
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
End User Username*** To host the infrastructure

 30 days from termination of the Service

 

*If End Customer is in the European Union, all data is processed in the European Union or a country that has obtained an adequacy decision

**”End User” means individual users to which End Customer grants access to the Service

***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User

 

HID Textile Services ACUITY RFID Platform for Laundries

HID Entity Providing the Service: HID Textile Services SARL
Location of Processing*: France, United Kingdom, Germany, Singapore, Australia
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
End User Username*** Authentication of End User’s login attempt to access Smart Reader Business Processes when applicable

 30 days from termination of the   Service

 

Sub-processors:

Hosting Provider

Entity: Amazon Web Services
Location of Processing: Australia
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
End User Username*** To host the infrastructure

 30 days from termination of the   Service

 

**”End User” means individual users to which End Customer grants access to the Service

***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User

 

HID Textile Services ACUITY Mobile Applications

HID Entity Providing the Service: HID Textile Services SARL
Location of Processing*: France, United Kingdom, Germany, Singapore, Australia
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
End User Username*** Authentication of End User’s login attempt to access Mobile Application Business Processes

 30 days from termination of the Service

 

Sub-processors:

Hosting Provider

Entity: Amazon Web Services
Location of Processing: Australia
Frequency of data transfer: Continuous Basis

Categories of Data Subjects Personal Data Type Purpose of Processing Data Retention Period
End User Username*** To host the infrastructure

 30 days from termination of the Service

 

**”End User” means individual users to which End Customer grants access to the Service

***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User