March 28, 2017
Changes to This Policy
Personal Information Collected
How information is collected
Cirrus Identity provides authentication and user registration Services that assist our Customers in providing access to their services by end users. End users may make personal information available to Cirrus Identity via:
- Use of authentication Services. Cirrus Identity runs authentication Services on behalf of Customers. When end users log in to a Customer’s application via a Cirrus Identity Service, end user personal information may be exposed to Cirrus Identity via a social identity provider’s APIs. Cirrus Identity will consume only that data which is required to enable end user access to a Customer’s service (see below), and will broker that data on behalf of the customer. The data we consume from social identity providers and pass to Customers is not customer data (in the case of Universities, this data is not University Data).
- Registering a social identity. Some customers may require that end users register social identities via the Cirrus Identity Invitation Service. In some cases, customers may require personal information that is not made available by social identity providers, such as email address. Cirrus Identity may directly collect such personal information on behalf of Customers in order to provide the requested service to Customers (such as collecting email address on behalf of the Customer if customer requires email address in order to provide service to end user).
- Use of the Cirrus Identity website. Some end users may choose to provide personal information via the Cirrus Identity website to receive updates and information.
Types of personal information collected
Cirrus collects and stores only basic profile data for users, including but not limited to:
- First and last name
- Email address
- Unique identifiers (username, OpenID, other opaque identifiers)
- Specific questions or comments submitted by end users via our website
Cirrus Identity holds end user data on behalf of Customers, who may in turn access, collect, and store that data.
Other information collected
Cirrus Identity may also collect information from web browsers and/or aggregate statistics on how users interact with our service. Examples of data we may collect in this manner include: browser type, referring websites, access times, IP address, type of operating system, files and pages accessed, amount of time spent on different pages of the website, etc.
Cookies and Web Beacons
The table below gives some examples of the types of cookies Cirrus Identity sets and how they are used:
Cirrus Identity also employs the use of Google Analytics on its website, which uses a cookie to track user activity on the site. This cookie is set and maintained solely by Google, and can be disabled in most browsers by disallowing the use of “3rd-party cookies”.
Use of Personal Information
Cirrus Identity uses personal information to deliver the Services to customers and end users, to process requests or transactions, to deliver notices, to provide customers with information upon request, to improve our Services, to personalize content and experience, to analyze trends and demographic data, and in any other way appropriate to ensure Customers and end users are able to use the features of the Services. Cirrus Identity also may combine or aggregate any of the information we collect through the Services or elsewhere for any of these purposes.
Personal Information - Data Flow
The basic flow of personal information is from social identity providers to Cirrus Identity Customers, brokered by Cirrus Identity Services. The diagram below illustrates where data originates, how data flows, how data is accessed, and how and where data is exchanged.
Figure 1: Data Management - Cirrus Identity
Cirrus Identity as a broker
Cirrus Identity Services act as a broker between social identity providers (e.g., Google, Facebook, etc) and Customers (campuses, businesses, applications). Those social providers provide APIs for authenticating users and sharing data over standard protocols (OAuth, OpenID, OpenID Connect). Cirrus Identity has access to end user information exposed via social identity provider APIs, but consumes and stores only the minimum end user data necessary to broker the exchange with a Customer application or enterprise. In some cases, Customers may configure their use of Cirrus Identity Services to collect limited personal profile data directly from end users, to enable end users to access a customer application (for example, a customer may configure the Cirrus Invitation Service to prompt end users to supply an email address when the end user registers a social identity which would not otherwise release such end user’s email address).
End user consent
In all cases, Customers will be in control of end user data. By contracting with Cirrus Identity to run Services on their behalf, Customers are consenting to Cirrus Identity privacy and data management policies as described herein. Cirrus Identity will disclose, use, and release end user personal information only as described in this statement.
As a conduit, Cirrus Identity has no direct relationship with the end users that use the Services to access a customer’s applications and services. When end users register with third party providers (e.g., Google, Facebook, etc), they agree to terms and conditions for those providers, including third party terms for data release. Cirrus Identity Customers (campuses, applications, enterprises) are responsible for obtaining consent from end users related to the use of Cirrus Identity Services to which the Customer subscribes.
Direct Integration Between Service Provider and Social Identity Provider
In the course of using the Cirrus Console to configure an application to allow the use of OAuth-based social identities, an application administrator will be required to register directly with the social identity provider, creating an API key and secret exclusive to the integration between that application and the social identity provider. In so doing, the Customer must accept and agree to the terms and conditions set by the social identity provider regarding management of data that end users have supplied to the social identity providers and which, in turn, expose via their APIs. When end users authenticate via social login to third party services (such as applications managed by the Customer) the social identity providers present an "attribute release consent screen" where end users agree to release the personal data to the Customer. Data passed to the Customer from social identity providers via Cirrus Identity services is not Customer data, and in the case of universities, is not University Data.
Outside of their use of Cirrus Identity Services, application administrators can use API keys and secrets created at social identity providers to collect any information exposed via the social identity provider’s published APIs. Cirrus only consumes, on behalf of the Customer, a subset of the data exposed via social identity provider APIs. Customers of Cirrus Identity Services will only have access to that subset of data when using Cirrus Identity Services.
At all times, the Customer controls the use of end user personal information and is responsible for compliance with any local institutional data management policies and applicable law. Cirrus identity will maintain industry standard and commercially reasonable safeguards to ensure that confidentiality and integrity of that data.
Cirrus Identity does not knowingly accept any personal information from children under 13 year of age. If you become aware that your child or any child under your care has provided us with information without your consent, please contact us at the contact information listed below.
Cirrus Identity reserves the right to share aggregate data about the use of its Services, such as the number of users, social identity providers it registers, number of sales, website traffic and utilization, etc.
Cirrus Identity will host the Services in an environment that implements commercially reasonable administrative, physical, and technical safeguards for protection of the security, confidentiality, and integrity of data supplied by Customer and end users, including but not limited to private keys and email addresses. Those safeguards will include commercially reasonable measures to prevent unauthorized use, access, processing, destruction, loss, alteration, or disclosure of any Customer data and end user data.
Customers or other parties may supply Cirrus Identity with contact information to receive news and updates on our Services. Customers may opt-out of such notices by following unsubscribe instructions included in correspondence or on our website, or by contacting firstname.lastname@example.org.
Correcting or Updating information
Customers may correct or update information they have provided to Cirrus Identity via the Cirrus Console, or by email@example.com. Data supplied to Cirrus Identity via social identity provider APIs must be corrected by the end user through the social identity provider.