Artifact – means any potentially Malicious file, URL, email content, or other material collected by the Avanan Platform for analysis.
Benign – Those Artifacts Avanan deems safe.
Cloud Platform – The Avanan Product is installed in a cloud-based environment where the Avanan deployment leverages a multi-tenant Hosted platform installed in a data center and connected via encrypted API to the customers’ SaaS Accounts.
IaaS Account – The Infrastructure as a Service Account subscribed by the customer, hosted by a third-party IaaS Provider that is monitored by the Avanan Platform.
Malicious – Those Artifacts Avanan deems as unsafe.
Metadata – Is data that describes the Artifact and results of the analysis of the Artifact.
Personal Data – means any information relating to an identified or identifiable natural person (“data subject”) who can be directly or indirectly identified in particular by reference to an identifier, such as name, location etc.
SaaS Account – The Software as a Service Account subscribed by the customer, hosted by a third-party SaaS Provider that is monitored by the Avanan Platform.
Services – Means the analysis of Artifacts provided by Avanan to Company.
Suspicious – Those Artifacts Avanan deems to be potentially unsafe.
European-Hosted Data Centers – By design, EU/EEA-based personal data is hosted, processed and replicated entirely within one of three EU data-centers based in Frankfurt, Paris, Ireland or other EU-located data centers.
IN THE EUROPEAN ECONOMIC AREA
Personal Data Protection
Avanan’s Responsibilities Related to Personal Data Processing
As defined by the basic EU General Data Protection Regulation (GDPR), Avanan is responsible for the processing of your personal data.
The contact information for Avanan is email@example.com.
Collection and Processing of Personal Data
Avanan will acquire and process your personal data in the following situations:
- when you contact us using our website and you request a demo or trial of our products and/or services or to report any concerns.
- when you deploy our Cloud Platform as a trial or purchased service to monitor your data and/or the data of your customers and/or partners.
We request your assistance in helping us to keep your personal data up to date by notifying us regarding any changes – in particular your contact information.
The following categories of personal data can be collected via the numerous services and contact channels described in this data protection information:
- Contact Information: Your name, telephone number, e-mail address.
- Other personal data: IP address, employer, job title.
- Information related to the use of our websites: Such information may include how you use the website (to include data gathered via cookies and other tracking technologies).
- Cookies: As you visit or browse the Avanan website, we collect information about the device and browser you use, your network connection, your IP address, and information about the cookies installed on your device. See www.avanan.com/legal/cookies.
- Forms: We collect personal information submitted by you via any request or contact forms on our website.
- Telephone: From telephone support users, we collect your phone number, organization, and other personal information you provide us during our call or used to verify your identity.
- Chat: From chat support users, we collect your name, email address, information about the device and browser you use, your network connection, your IP address, chat transcript, and other personal information you provide us during our chat.
We use this information to verify your account, to provide and enhance our Services (including supporting or servicing your account, if applicable), and answer any questions you may have.
Data processed by Avanan
The data involved in the execution of contracts or providing our services are processed for the purposes stated below.
We only process your data if it is permitted by an applicable law or regulation. We will process your data in particular on the basis of Article 6, Article 7 and Article 9 of the basic EU data protection regulations. Here, we will base the processing of your data on, among others, the following legal principles. Please bear in mind that this is not a complete or conclusive list of the legal principles, rather only examples intended to make the legal principles more transparent.
Consent (Article 6/7/9): We will process certain data only on the basis of the consent you have given expressly and voluntarily. You have the right to revoke your consent at any time with effect for the future.
Fulfillment of a contract / pre-contractual measures (Article 6): For initiation and/or execution of your contract with Avanan and/or Avanan partners, we require access to certain data.
Fulfillment of a legal obligation (Article 6): Avanan is subject to a number of legal specifications. We must process certain data to comply with these specifications.
Protection of legitimate interests (Article 6): Avanan will process certain data in order to protect their legitimate interests or the interests of third parties. However, this only applies if your interests do not outweigh ours in individual cases.
A. Customer Support (Article 6)
Avanan uses your personal data to handle any request you have submitted (for example queries and complaints to Avanan Customer Care). Regarding all aspects of dealing with a concern, we will contact you without separate consent, for example in writing, by telephone, per messenger service or per e-mail, depending on which contact data you have specified.
Avanan also processes your personal data on this basis to optimize your experience with Avanan Customer Support (e.g. to identify you correctly if you contact us).
B. Compliance with legal obligations to which Avanan is subject (Article 6)
Avanan will also process personal data if there is a legal obligation to do so.
Collected data are also processed within the framework of ensuring the operation of IT systems. Ensuring operation involves the following activities:
- Backup and restoring of data processed in IT systems
- Detection and defense against unauthorized access to personal data
- Incident and problem management to remedy malfunctions in IT systems.
Avanan is subject to a large number of other legal obligations. In order to fulfill these obligations, we process your data to the required extent and, if necessary, pass them on to the authorities responsible within the framework of legal obligations of notification.
We also process your data in the event of legal conflicts if the legal conflict makes processing the data necessary.
C. Data transfer to selected third parties
Data are forwarded to the following companies, among others, if and to the extent that the requirements in compliance with data protection legislation necessary for this are met:
- to carefully selected and verified service providers and business partners with whom we cooperate to be able to offer you products and services. We do this for Avanan only within the framework of the strict conditions of data processing on your behalf or on the basis of your express consent (for example transfer to third party malware analysis provider, if you have selected this feature).
- to other third parties (for example public authorities) to the extent that we are legally obliged to do so.
Protection of Your Personal Data
We employ various technical and administrative measures such as encryption and authentication tools in line with the current state of the art technology to protect and maintain the security, integrity, and availability of your data.
Protection against ALL unauthorized access in the case of data transfers across the Internet or a website cannot be guaranteed, but we and our service providers and business partners commit to doing all that our resources allow to protect your personal data by means of physical, electronic, and process security controls commensurate with the current state of the art. In addition to other aspects, we use the following measures:
- Strict criteria for authorization to access your data according to a business “need-to-know” principle and for a specified purpose (strictly controlled and limited logical access)
- Transfer of data in encrypted format
- Storage of confidential data in encrypted format
- Firewall safeguarding of production systems
- Monitoring of access to production systems to detect the misuse of any personal data
Retention of Personal Data
In line with Article 17 of the EU data protection regulations, we keep your data only as long as is necessary to satisfy the purpose for which the data is intended to be processed.
To ensure that your data is deleted in accordance with the data minimization requirements under Article 17 of GDPR, Avanan has established a process to identify systems where personal data exists. The fundamental principles employed toward the deletion of your personal data are described below.
Use for the assessment of IoCs
Avanan analyzes the files, emails and other content stored and processed in Security as a Service (SaaS) and Infrastructure as a Service (IaaS) accounts and is designed to detect threats posed by malware, as well as communication with Malicious hosts on the internet. Avanan will collect and analyze certain Artifacts (files, URLs, and email content that could pose a threat to the organizations) that are transmitted to, from and within the SaaS environment.
Avanan takes steps to avoid collecting information from our customer’s network that could personally identify their end users or collect or view any data that could be reasonably associated to such information. However, the data we collect through our Services to identify security risks may also contain some Personal Data (i.e. username, email address or IP address). This information is only used in protecting the IT infrastructure of the organization.
Information Avanan Inspects
Content within the SaaS Account, including:
- The domain names of senders or recipients of information transmitted via the SaaS account including the host (IP Address) that resolved the domain.
- The content of files, emails and other communications that could pose a risk to an organization.
- Emails to which Avanan has visibility.
- Executable programs, scripts, documents or other potential Artifacts that may contain executable code transmitted via the SaaS Account
- This includes email headers and any potentially malicious content in the email body.
- Refer to the Avanan Technical Support Knowledge Base for explicit details on files Avanan is able to analyze.
Email contents, including:
- Header information from email messages inspected by the Avanan Platform
- Potentially Suspicious or Malicious Email Attachments or URLs
Information Avanan Retains
- Alert information, as well as activity that could become an alert, is collected whenever a SaaS user performs Malicious activity for the purpose of providing organizations with meaningful reports regarding their security posture. This meta-data is stored in the Avanan Data Center.
- Avanan will retain Artifacts captured by the Avanan Platform for the period of time necessary to perform analysis to determine if the Artifact is malicious. It may be retained for as long as one month, until it is irretrievably deleted.
- Avanan will generate and retain metadata about any Artifact that is determined to be malicious. This includes metadata about the file and behaviors observed during analysis, process snapshots, screenshots of analyzed content.
- All data is retained for customers for 30 days after the term of the agreement.
Information Avanan Shares
- Avanan may exchange some Malicious Artifacts and Artifact metadata with other cyber security vendors, with whom we have a confidentiality agreement, to allow both vendors to improve and enhance their respective technologies to defend against new threats or attack vectors.
- Customers can opt-out of this level of sharing any Malicious Artifacts with Third Parties by their choice of security tools in their account configuration.
Use for customer support
In order for a customer to license our products and obtain technical support Services, we will collect certain Personal Data, such as the first and last names of our contacts, mailing address (including postal code), email address, cell phone or work phone. This information is used only in connection with the administration of a customer’s account with Avanan and for no other purpose.
For the purpose of marketing activities, we may collect the following Personal Data from you: name, title, location, company name, phone number and email address via our website, if you wish to request some types of product or company related content, a product demo or contact us for other reasons.
If you believe that we have inappropriately collected your Personal Data and you would like to request that it be removed from our databases, please contact our Data Protection Officer at firstname.lastname@example.org.
Who is granted ‘cross-border’ access to your data and how is protection ensured?
Avanan is an international company and personal data is processed by Avanan employees and service providers contracted to perform specific functions.
If data processed is sourced within countries of the EU/EEA, Avanan uses Data Processing Agreements and EU standard contractual clauses (including suitable technical and organizational measures) in order to ensure that your personal data are processed in accordance with GDPR.
Due to ongoing issues regarding transatlantic data transfers to the United States of America, Avanan has established dedicated processing facilities within the European Union to ensure adequate data protections are in place. This eliminates the need for any further permission or agreement such as the Privacy Shield.
To support the provision of the services and intended purposes listed above, Avanan uses a number of service providers that are commissioned by Avanan within the framework of the strict conditions of data processing in accordance with data protection legislation.
Data privacy and protection rights and your right to file complaints with data privacy protection authorities
To submit questions that you may have related to any personal data we may retain about you, please contact us at: email@example.com.
As the person affected by the processing of your data, the basic EU data protection regulations and other relevant data privacy protection regulations enable you to assert certain rights in relation to us. The following section contains explanations of your rights as defined by the basic EU data protection regulations. Depending on the type and scope of your inquiry, we ask you to put the inquiry in writing.
Rights of persons whose personal data is processed by Avanan
Data subjects in the EU/EEA related to personal data Avanan processes have the following rights:
Right to information:
You can ask us for information regarding any data of yours that we keep at any time (GDPR, Article 15). This information concerns, among other things, the data categories we process, for which purposes we process them, the origin of the data if we did not acquire them directly from you and, if applicable, the recipients to whom we have sent your data. You can obtain a copy of your data from us free of charge. If you are interested in additional copies, we reserve the right to charge for the additional copies.
Right to correction:
You can request that we correct your data (GDPR, Article 16). We will initiate appropriate measures to keep the data of yours that we continuously process correct, complete, and up to date, based on the latest information available to us.
Right to deletion:
You can request that we delete your data provided the legal requirements have been met. In accordance with Article 17 of EU data protection regulations, this can be the case if:
- the data are no longer required for the purposes for which they were acquired or otherwise processed
- you revoke your consent, which is the basis of the data processing, and there is no other legal basis for the processing
- you object to the processing of your data and there are no legitimate reasons for the processing or you object to data processing for the purposes of direct advertising
- the data have been processed illegally
Wherever the processing is not necessary
- to ensure adherence to a legal obligation that requires us to process your data
- In particular with regard to legal retention periods
- to assert, exercise or defend against legal claims
Right to restriction of processing:
You can request that we restrict the processing of your data if (GDPR, Article 18):
- you dispute the correctness of the data - for the period of time we need to check the correctness of the data
- the processing is illegal but you do not wish to have your data deleted and request a restriction of use instead
- we no longer need your data, but you need them to assert, exercise or defend against legal claims
- you have filed an objection to the processing, though it has not yet been decided whether our legitimate grounds outweigh yours.
Right to data transferability:
At your request, we will transfer your data – where technically possible – to another responsible entity (GDPR, Article 20). However, this right only applies if the data processing is based on your consent or is required to fulfill a contract. Instead of receiving a copy of your data, you can ask us to send the data directly to another responsible entity that you specify.
Right to objection:
You can object to the processing of your data at any time for reasons that arise from your special situation provided the data processing is based on your consent or our legitimate interest or that of a third party (GDPR, Article 21). In this case, we will no longer process your data. The latter does not apply if we are able to prove there are compelling, defensible reasons for the processing that outweigh your interests or we require your data to assert, exercise or defend against legal claims.
Time limits for compliance with the rights of the persons affected
As a general principle, we make every effort to comply with all requests within 30 days. This time limit, however, can be extended for reasons related to the specific rights of persons affected or the complexity of your request.
Restriction in the provision of information regarding the rights of persons affected
In certain situations, legal specifications might require us not to provide information regarding all of your data. If we have to refuse your request for information in such a case, we will inform you of the reasons for refusal at the same time.
Complaints to supervisory authorities
Avanan takes your privacy rights seriously. However, if you are of the opinion that we have not addressed your concerns adequately, you have the right to submit a complaint to the data privacy protection authorities responsible.
If you would like to inquire as to the use of your personal data, please send an email to firstname.lastname@example.org or use the following contact data:
242 W. 30th Street
New York, NY 10001
Legal basis for the processing of personal data
Avanan will only process your data if permitted by an applicable law. We will process your data on the basis of Article 6/7/9 of the GDPR. We will base the processing of your data on the following legal principles. Please bear in mind that this is not an exhaustive list of the legal principles, rather examples for transparency.
- Consent (Article 6/7/9): We will process certain data only on the basis of the consent you have given expressly and voluntarily. You have the right to revoke your consent at any time.
- Fulfillment of a contract (Article 6): For initiation and/or execution of your contract with Avanan, we require access to certain data.
- Fulfillment of a legal obligation (Article 6): Avanan is subject to a number of legal requirements.
- Protection of legitimate interests (Article 6): Avanan will process certain data in order to protect Avanan’s legitimate interests or the interests of third parties. However, this only applies if your interests do not outweigh Avanan’s as applied on an individual basis.
Links to Third Party Websites
We have included links on this site for your use and reference. We are not responsible for the privacy policies on these websites. You should be aware that the privacy policies of these sites may differ from our own.
Changes to This Privacy Statement
The contents of this statement may be altered at any time, at our discretion.
We are committed to conducting our business in accordance with these principles in order to ensure that the confidentiality of personal information is protected and maintained.
To report any incident please contact email@example.com.