Overview

Cirrus Identity, Inc. (“Cirrus Identity”) values your privacy. This Privacy Policy describes Cirrus Identity’s privacy practices in relation to personal information collected on behalf of Cirrus Identity customers (the “Customer”) via our website and/or our services (the “Services”). This statement describes the types of personal information Cirrus Identity collects, and how we use, disclose, and protect that information. By providing information to Cirrus Identity via our Services or our website, you consent to its use in accordance with this Privacy Policy. Cirrus Identity hosts its Services and stores all personal information in the United States of America, unless a Customer negotiates other arrangements directly with Cirrus Identity.

Changes to This Policy

Cirrus Identity may change this Privacy Policy from time to time, and will update the "Last Updated" date at the top of this Privacy Policy accordingly. We will provide additional notification, such as a notice on the home page prior to the change becoming effective, in the case of material changes to this Policy. We encourage you to review our Privacy Policy whenever you access Cirrus Identity Services to stay informed about our privacy practices and the ways you can help protect your privacy. Your use of any of the Cirrus Identity Services after the posting of such changes shall constitute your consent to such changes.

Personal Information Collected

Cirrus Identity aims to collect and store the least amount of personal information necessary to deliver Service to its Customers. Personal information may be collected via APIs that expose end user data to Cirrus Identity, and when end users provide personal information directly to Cirrus Identity via our website or the use of our Services. As used in this Privacy Policy, “Customers” refers to the universities and other institutions that subscribe to the Services, and “end users” refers to individuals who use the Services to enable access to applications and other services made available by our Customers.

How information is collected

Cirrus Identity provides authentication and user registration Services that assist our Customers in providing access to their services by end users. End users may make personal information available to Cirrus Identity via:

  • Use of authentication Services. Cirrus Identity runs authentication Services on behalf of Customers. When end users log in to a Customer’s application via a Cirrus Identity Service, end user personal information may be exposed to Cirrus Identity via a social identity provider’s APIs. Cirrus Identity will consume only that data which is required to enable end user access to a Customer’s service (see below), and will broker that data on behalf of the customer.
  • Registering a social identity. Some customers may require that end users register social identities via the Cirrus Identity Invitation Service. In some cases, customers may require personal information that is not made available by social identity providers, such as email address. Cirrus Identity may directly collect such personal information on behalf of Customers in order to provide the requested service to Customers (such as collecting email address on behalf of the Customer if customer requires email address in order to provide service to end user).
  • Use of the Cirrus Identity website. Some end users may choose to provide personal information via the Cirrus Identity website to receive updates and information.

Types of personal information collected

Cirrus collects and stores only basic profile data for users, including but not limited to:

  • First and last name
  • Email address
  • Unique identifiers (username, OpenID, other opaque identifiers)
  • Specific questions or comments submitted by end users via our website

Cirrus Identity holds end user data on behalf of Customers, who may in turn access, collect, and store that data.

Other information collected

Cirrus Identity may also collect information from web browsers and/or aggregate statistics on how users interact with our service. Examples of data we may collect in this manner include: browser type, referring websites, access times, IP address, type of operating system, files and pages accessed, amount of time spent on different pages of the website, etc.

Cookies and Web Beacons

A cookie is a small amount of data which is sent to your browser and stored on your computer. Cookies do not personally identify you; they merely recognize your web browser. Cirrus Identity uses cookies and/or web beacons to collect information as users interact with our website and Services. Cookies are used primarily to prevent users from having to re-enter data, and to record user preferences to make use of the website and Services more streamlined and efficient, and personalized for users. By using the Cirrus Identity website or Services, users consent to Cirrus Identity’s use of cookies in accordance with the terms of this Policy.

Cookies can be session based (they disappear when you close your browser) or persistent (they function until some future end date). Users may elect to disable the use of cookies in the browser, but this will have a negative impact on a user’s ability to interact with our Services, and in some cases will prevent the user from using a Service at all.

The table below gives some examples of the types of cookies Cirrus Identity sets and how they are used:

Cirrus Identity also employs the use of Google Analytics on its website, which uses a cookie to track user activity on the site. This cookie is set and maintained solely by Google, and can be disabled in most browsers by disallowing the use of “3rd-party cookies”.

Use of Personal Information

Cirrus Identity uses personal information to deliver the Services to customers and end users, to process requests or transactions, to deliver notices, to provide customers with information upon request, to improve our Services, to personalize content and experience, to analyze trends and demographic data, and in any other way appropriate to ensure Customers and end users are able to use the features of the Services. Cirrus Identity also may combine or aggregate any of the information we collect through the Services or elsewhere for any of these purposes.

Personal Information - Data Flow

The basic flow of personal information is from social identity providers to Cirrus Identity Customers, brokered by Cirrus Identity Services. The diagram below illustrates where data originates, how data flows, how data is accessed, and how and where data is exchanged.

Figure 1: Data Flow

Management of personal information collected by Cirrus Identity is described in the Data Management section below.

Figure 1 Description

Social Identity Provider

  • End users provide personal information to third party social identity providers and consent to data release policies of these providers
  • Social identity providers make some end user data available via APIs

Cirrus Gateway/Bridge

  • Cirrus Identity consumes a subset of end user data via social provider APIs (see data we collect above)
  • Cirrus stores/manages that data on behalf of Customers (see data management section below), and exposes end user data only to Customers
  • Cirrus Identity may collect, on behalf of the Customer, additional personal profile data supplied directly by end users via the invitation service
  • Cirrus Identity does not share any data with social identity providers or have any role in managing end user data supplied to social identity providers and exposed via their APIs
  • Cirrus Identity releases end user personal information to Customer via Security Assertion Markup Language (SAML) assertions

Customer (App, DB, IDMS)

  • Customers use the Cirrus Console to integrate applications with the gateway service, registering the API Key and Secret they have set with social providers and configuring the personal information they will consume from Cirrus Services
  • Note: Customers could use the API key and secret they set with a social identity provider to consume end user data outside the terms of their agreement with Cirrus and Cirrus has no associated rights or responsibilities related to such exchange
  • Customer maintains control of end user data at all times, whether stored on Cirrus hosts or consumed and stored locally, and Customer is responsible for ensuring compliance with all local data management policies and regulations

Data Management

Cirrus Identity as a broker

Cirrus Identity Services act as a broker between social identity providers (e.g., Google, Facebook, etc.) and Customers (campuses, businesses, applications). Those social providers provide APIs for authenticating users and sharing data over standard protocols (OAuth, OpenID, OpenID Connect). Cirrus Identity has access to end user information exposed via social identity provider APIs, but consumes and stores only the minimum end user data necessary to broker the exchange with a Customer application or enterprise. In some cases, Customers may configure their use of Cirrus Identity Services to collect limited personal profile data directly from end users, to enable end users to access a customer application (for example, a customer may configure the Cirrus Invitation Service to prompt end users to supply an email address when the end user registers a social identity which would not otherwise release such end user’s email address).

End user consent

In all cases, Customers will be in control of end user data. By contracting with Cirrus Identity to run Services on their behalf, Customers are consenting to Cirrus Identity privacy and data management policies as described herein. Cirrus Identity will disclose, use, and release end user personal information only as described in this statement.

As a conduit, Cirrus Identity has no direct relationship with the end users that use the Services to access a customer’s applications and services. When end users register with third party providers (e.g., Google, Facebook, etc.), they agree to terms and conditions for those providers, including third party terms for data release. Cirrus Identity Customers (campuses, applications, enterprises) are responsible for obtaining consent from end users related to the use of Cirrus Identity Services to which the Customer subscribes.

Direct Integration Between Service Provider and Social Identity Provider

In the course of using the Cirrus Console to configure an application to allow the use of OAuth-based social identities, an application administrator will be required to register directly with the social identity provider, creating an API key and secret exclusive to the integration between that application and the social identity provider. In so doing, the Customer must accept and agree to the terms and conditions set by the social identity provider regarding management of end user data supplied to the social identity providers and exposed via their APIs. Outside of their use of Cirrus Identity Services, the application administrator can use that API key and secret to collect any information exposed via the social identity provider’s published APIs. Cirrus only consumes, on behalf of the Customer, a subset of the data exposed via social identity provider APIs. Customers of Cirrus Identity Services will only have access to that subset of data when using Cirrus Identity Services.

At all times, the Customer controls the use of end user personal information and is responsible for compliance with any local institutional data management policies and applicable law.

Cirrus Identity does not knowingly accept any personal information from children under 13 years of age. If you become aware that your child or any child under your care has provided us with information without your consent, please contact us at the contact information listed below.

Data Sharing

Cirrus Identity will not disclose or release data to anyone other than the Customer (via published APIs and Customer-facing applications such as the Cirrus Console) and in situations where release of data is required or appropriate, including but not limited to (i) outside service providers who are bound by confidentiality in connection with the provision of the Services, (ii) when Cirrus Identity has a good faith belief in the need to protect its rights or the rights of others, (iii) to protect the integrity of the Services, (iv) to protect the safety of others, (v) in connection with violations of the Service terms of use or applicable law, or (vi) to detect, prevent or respond to fraud or intellectual property infringement.

Cirrus Identity reserves the right to share aggregate data about the use of its Services, such as the number of users, social identity providers it registers, number of sales, website traffic and utilization, etc.

We may share personal information in connection with an acquisition, merger or sale of all or a substantial portion of our business, with or to another company. In such event, Customers will receive notice if data is transferred and becomes subject to a substantially different privacy policy.

Data Disposal

Cirrus Identity will erase Customer and end user data upon the request of the Customer, or after a contract with the customer terminates. Upon request by Customer made within 30 days after the effective date of termination of its Service contract with Cirrus Identity, Cirrus Identity will make the Customer’s and its end users’ data available to Customer for export or download as provided in the Service’s documentation. After a 30-day availability period in which Customer has the ability to access and download the data in question, Cirrus Identity will have no obligation to maintain or provide Customer data or end user data, and will thereafter erase all copies of such data in the Cirrus Identity systems or otherwise in Cirrus Identity’s possession or control as provided in the documentation, unless legally prohibited from doing so. Data retained by Cirrus Identity will be handled in accordance with this Privacy Policy until it is erased.

Security

Cirrus Identity will host the Services in an environment that implements commercially reasonable administrative, physical, and technical safeguards for protection of the security, confidentiality, and integrity of data supplied by Customer and end users, including but not limited to private keys and email addresses. Those safeguards will include commercially reasonable measures to prevent unauthorized use, access, processing, destruction, loss, alteration, or disclosure of any Customer data and end user data.

Communications Preferences

Customers or other parties may supply Cirrus Identity with contact information to receive news and updates on our Services. Customers may opt-out of such notices by following unsubscribe instructions included in correspondence or on our website, or by contacting info@cirrusidentity.com.

Correcting or Updating information

Customers may correct or update information they have provided to Cirrus Identity via the Cirrus Console, or by contacting support@cirrusidentity.com. Data supplied to Cirrus Identity via social identity provider APIs must be corrected by the end user through the social identity provider.

Contacting Us

Questions regarding this Privacy Policy, the Cirrus Identity website, or any Cirrus Identity Services should be directed to info@cirrusidentity.com.