Effective: May 23, 2018
• “Authorized Administrative User” or “Sponsor” - Any individual authorized by The Customer to configure, support, utilize, or otherwise use Cirrus Identity Services to provide access to Customer applications
• “End User”, “You” or “Your” - Any individual with personal data shared with Cirrus Identity
• “Personal Data” - Personally identifiable information (PII) provided by You to Cirrus Identity or to a Customer and processed by Cirrus Identity under a contract.
CHANGES TO THIS POLICY
PERSONAL INFORMATION COLLECTED
Cirrus Identity aims to collect and store the least amount of Your Personal Data necessary to deliver Services. The reasons for Cirrus Identity processing Your Personal Data are both to fulfill the legal requirements to deliver the Services as defined by Cirrus Identity’s Terms of Service, and to meet Cirrus Identity’s legitimate interests as defined in the section Use of Personal Information. We may also process Your Personal Data when delivering Services once you have provided Your consent, should that be appropriate.
TYPES OF DATA COLLECTED
Many of the Cirrus Identity Services require Your basic user profile data such as name or email address. This profile data may include additional pieces of data called identifiers which are generally not visible to You but can be used to uniquely identify You. An everyday example of an identifier that is visible to You would be a mobile phone number. Each Cirrus Identity Service has different data requirements and those will be outlined in the “How Data is Collected” section.
All Cirrus Identity Services have a transaction logging component. The logs may record Personal Data collected for the Cirrus Identity Service along with Your IP address, the time of the transaction, and which Customer application You were attempting to use. Logs are retained as outlined in the “Data Retention” section.
To deliver Cirrus Identity Services, We make use of both persistent cookies (which are retained until some future end date) and session cookies (which disappear when you log out). The individual cookies are unique to the web browser You are using. This uniqueness is important to the operation of Cirrus Identity Services and is the reason why we use them.
The session and persistent cookies associated with Cirrus Identity Services will either be stored as “cirrusidentity.com”, “apps.cirrusidentity.com”, “www.cirrusidentity.com”, “info.cirrusidentity.com”, or “blog.cirrusidentity.com”, another subdomain under “cirrusidentity.com” that is associated with one of Our Customers, or another subdomain under “cirrusidentity.com”.
HOW DATA IS COLLECTED
Cirrus Identity provides authentication and user registration solutions that assist Our Customers in providing You access to applications They operate. Each Customer may use one or more of our Services in combination to accomplish this. The driving principle in all our Services is to collect the minimum personal data required to connect You to our Customer’s applications. The type and amount of Personal Data that is collected depends on Your specific relationship with one of Our Customers. We encourage You to ask The Customer that is administering the application you are trying to access for the specifics on how Your Personal Data is being used. If You still have questions or if Customers have questions, they may contact Us as outlined in the “Contacting Us” section.
The following is a list of each Cirrus Identity Services and the Personal Data collected:
CIRRUS IDENTITY SOCIAL GATEWAY
Via an integration controlled and managed by individual Cirrus Identity Customers, Cirrus identity processes Personal Data provided by one or more of the following Social Identity Providers for Them. The Social Identity Providers are as follows:
The Personal Data provided by the Social Identity Providers varies but does not exceed the following information:
• Name (given name, family name, and/or display name)
• Email address
• A unique ID issued by the Social Identity Provider
This information may be included in the transaction log (see Logging) for the Cirrus Identity Social Gateway but is not stored unless needed for other Cirrus Identity Services. To enable access, the gateway will utilize session cookies while You are logged in (see Cookies) and a persistent cookie to support load balancing.
CIRRUS IDENTITY INVITATION SERVICE
The Cirrus Identity Invitation Service establishes a relationship between You and an Authorized Administrative User or Sponsor. This relationship is used by The Customer to delivery services to You.
The Customer will provide an email address for You. Cirrus Identity will send You a request at Your address on behalf of the Customer to claim the invitation using a method of login. Regardless of the method of login, the following Personal Data may be processed and stored by Cirrus Identity on behalf of the Customer depending on settings They configure:
• Name (given name, family name, and/or display name)
• Email address
• A unique ID based on the method of login
• Data provided by the Customer
To enable the claim process, session cookies are used for the duration of the claim process and a persistent cookie is used to support load balancing (see Cookies). Transactions using the Cirrus Identity Invitation Service are also logged (see Logging).
CIRRUS IDENTITY ACCOUNT LINKING SERVICE
The Cirrus Identity Account Linking Service establishes a relationship between You and Personal Data about You provided by a Customer. This relationship is used by The Customer to delivery service to You.
Data provided to the Cirrus Identity Social Gateway when You log in is processed and stored by Cirrus Identity on behalf of The Customer as a record of this relationship (see Cirrus Identity Social Gateway).
Data provided by The Customer about You is also processed and stored as a record of this relationship. This data typically consists of one or more identifiers The Customer maintains about You and is provided in accordance with the contract Cirrus Identity has with The Customer.
To enable account linking, session cookies are used until the relationship is established and a persistent cookie is used to support load balancing (see Cookies). Transactions using the Cirrus Identity Account Linking Service are also logged (see Logging).
CIRRUS IDENTITY EXTERNAL IDENTITY PROVIDER SERVICE
The Cirrus Identity External Identity Provider Service allows The Customer to offer You the option to create an account if You do not have or want to use one of the Cirrus Identity Social Gateway social identity providers (see Cirrus Identity Social Gateway). To use this service, You must provide the following personal data:
• Name (given name and family name)
• Email address
• Mobile phone number
• A password
Depending on the requirements of the Customer, You may also be required to provide answers to selected security questions. When complete, Your account will also have a machine generated identifier for use with other Cirrus Identity Services and/or by the Customer.
To enable account creation, session cookies are used until the process is complete and a persistent cookie is used to support load balancing (see Cookies). Transactions using the Cirrus Identity External Identity Provider Service are also logged (see Logging).
CIRRUS IDENTITY DISCOVERY SERVICE
The Cirrus Identity Discovery Service, if configured by The Customer, is used by You to select login methods. The service does not ask for Personal Data, but will remember login choice for thirty (30) days using a persistent cookie. A persistent cookie is also used to support load balancing (see Cookies).
CIRRUS IDENTITY PROXY, AND CIRRUS IDENTITY BRIDGE
The Cirrus Identity Proxy and Cirrus Identity Bridge are technology solutions the Customer may use to allow You to access “Their” services. The solutions process Your information while enabling access, but do not collect or store information. To enable access, the solutions will utilize session cookies while You are logged in and a persistent cookie is used to support load balancing (see Cookies).
Transactions processed by the Cirrus Identity Proxy and the Cirrus Identity Bridge are logged. This can include any Personal Data needed to enable access (see Logging).
CIRRUS IDENTITY CONSOLE
The Cirrus Identity Console is a solution used by Authorized Administrative Users of the Customer to configure other Cirrus Identity services and provide other administrative operations. The Cirrus Identity Console requires the Customer to assert the Authorized Administrative User’s organizational email address and identifier called eduPersonPrincipalName to the console.
Transactions conducted in the Cirrus Identity Console are logged (see Logging) and may be reviewed to maintain security. Configuration and other data entered into the Cirrus Identity Console would be covered by the contract with the Customer and is not considered Personal Data.
To enable access, the solutions will utilize session cookies while Authorized Administrative Users are logged in and a persistent cookie is used to support load balancing (see Cookies).
CIRRUS IDENTITY SUPPORT CENTER
The Cirrus Identity Support Center is a solution used by Authorized Administrative Users of the Customer to obtain customer service from Cirrus Identity. The solution is based on a third party solution (FreshDesk -- https://freshdesk.com/) in conjunction with the Cirrus Identity Proxy. The Cirrus Identity Support Center requires the Customer to assert the Authorized Administrative User’s organizational email address and identifier called eduPersonPrincipalName to the console.
Transactions conducted in the Cirrus Identity Support Center are logged (see Logging) and may be reviewed to maintain security. Both the Cirrus Identity Proxy and the FreshDesk solutions set cookies to support the operation of the application (see Cookies). Support information and other data entered into the Cirrus Identity Support Center would be covered by the contract with the Customer and is not considered Personal Data.
CIRRUS IDENTITY WEBSITE, SOCIAL MEDIA, AND MARKETING
For Cirrus Identity to serve its customers, it must participate in the marketplace. To accomplish this, Cirrus Identity maintains a website, presence on multiple social media platforms, and tools to deliver content to individuals interested in our solutions. Cirrus Identity may request Your email address to receive updates and information from Us. Cirrus Identity may include in Its communication people who have subscribed to mailing lists and people who have been identified as having a legitimate interest in Our solutions. In all cases Cirrus Identity will provide an option to opt-out of communications(see “Your Choices” section).
USE OF PERSONAL DATA
Cirrus Identity uses Personal Data to deliver Services to Customers and ultimately to You. To accomplish this, We process requests, complete transactions, deliver notices, fulfill requests, monitor access, aggregate metrics, report on activity, or perform other information processing in any other way appropriate to ensure You are able to use Cirrus Identity Services to access Customer applications and to meet the contractual agreements with Our Customers.
Cirrus Identity may use or aggregate any of the data we collect through the Services to understand how Cirrus Identity Services are used. We do this to improve the Services we provide to You and Our Customers, as well as to develop new solutions for future release. If Cirrus Identity needs to consider Personal Data for this purpose the data is either first anonymized or is only used in aggregate form.
DISCLOSURE OF DATA
CIRRUS IDENTITY AS A BROKER
Some Cirrus Identity Services (Cirrus Identity Social Gateway, Cirrus Identity Proxy, Cirrus Identity Bridge) act as a broker or data processor between identity providers (for example Google, Facebook, Microsoft, enterprise providers, and others) and Customers. You the end user log in with one of those identity providers and personal data is shared with Customers using Cirrus Identity Services. Customers configure the connections to the identity providers in Cirrus Identity Services and are responsible for maintaining developer accounts or other integration agreements with each identity provider. Cirrus Identity has access to personal data provided by identity providers, but processes it on behalf of the Customer according to an established contract.
Other Cirrus Identity Services (Invitation, Account Linking, External Identity Provider) may be configured by Customers to collect limited personal profile data directly from You. For example, The Customer may configure the Cirrus Identity Account Linking Service to prompt You to supply Your email address when linking a social identity to an identifier provided by The Customer. During this process, The Customer can configure the service to request the End User to accept some terms and conditions as part of using the service. In cases like this example, Cirrus Identity has both a data processing function and a data controlling function in collaboration with The Customer.
END USER CONSENT
In those cases where Cirrus Identity acts as a broker for the Customer, We have no direct relationship with You when You use Our Services to access a Customer’s application. When You register with a social identity provider (for example Google, Facebook, Microsoft, or others), You agree to terms and conditions for those providers, including release to a third party. In this case, the third party is the Customer that is operating the application you are accessing.
In those cases where Cirrus Identity is directly collecting personal data from You for the Customer, We jointly control Your Personal Data with the Customer. We rely on the Customer to be Your point-of-contact for providing consent. Again, this is because Our Services are used to enable You to access a Customer’s application.
In all cases, Customers are data controllers of Your personal data. Cirrus Identity Customers are responsible for obtaining consent from You to use Your Personal Data with Cirrus Identity Services to which The Customer subscribes.
INTEGRATION BETWEEN CUSTOMER AND SOCIAL IDENTITY PROVIDER
In the course of using the Cirrus Identity Social Gateway to configure the use of OAuth-based social identities, an Authorized Administrative User for the Customer will be required to register directly with one or more social identity providers and create an API key-secret pair for each integration between the Cirrus Identity Social Gateway and the social identity provider. In so doing, the Customer must accept and agree to the terms and conditions set by each social identity provider regarding management of Your Personal Data that may be supplied by a given social identity provider and which, in turn, is exposed via the integration.
When You authenticate via social login to third party services (such as applications managed by The Customer) many social identity providers present an "attribute release consent screen" where You agree to release Personal Data to the Customer. Personal Data passed to the Customer from social identity providers using the Cirrus Identity Social Gateway is not Customer data, but has been released to the Customer as a third party.
At all times, the Customer controls the processing of Your Personal Data (see Cirrus Identity Social Gateway section). The Customer is responsible for handling your Personal Data in compliance with all applicable local, state, and federal laws.
INTEGRATION BETWEEN CUSTOMER AND FEDERATED IDENTITY PROVIDER
Cirrus Identity helps Customers to enable federated identity. In the most basic form, federation allows You to leverage a login at one organization (University A) to access an application at another organization (University B). To enable this method of login, legal entities called federations are established to manage agreements between organizations. Federations exist across the world (https://refeds.org/federations/federations-map) and Cirrus Identity belongs to the InCommon Federation (https://www.incommon.org/) based in the United States (US).
When You authenticate via a federated identity provider to applications managed by The Customer, the federated identity provider may release Your Personal Data to The Customer’s application. Cirrus Identity Services may be used to enable this access to the Customer’s application. The control of this data passing through Cirrus Identity Services depends on the relationship between the federated identity provider and The Customer.
For organizations that participate in a common federation, this exchange of data may be governed by federation agreements. In other cases, there may be bilateral agreements. At all times, the Customer controls the processing of Your Personal Data (see “How Data is Collected” section). The Customer is responsible for handling your Personal Data in compliance with all applicable local, state, and federal laws.
DATA CONTROLLER AND DATA PROCESSOR
As outlined in the “Use of Personal Data” section, Cirrus Identity aggregates data for the purposes of monitoring and measuring how Our Services are being used. Cirrus Identity reserves the right to share aggregate data about the use of Our Services as long as the aggregate data cannot be used to identify an individual or a Customer. This can include but is not limited to the number of users, social identity providers it registers, number of sales, website traffic, and utilization.
CHANGE OF OWNERSHIP
Cirrus Identity follows generally accepted industry standards to protect Your Personal Data and the data of Our Customers. We will deploy the Services in an environment that implements commercially reasonable administrative, physical, and technical safeguards for protection of the security, confidentiality, and integrity of this data. including but not limited to private keys, profile data, and email addresses.
Those safeguards will include commercially reasonable measures to prevent unauthorized use, access, processing, destruction, loss, alteration, or disclosure of both Your Personal Data and any Customer data. Examples but not a full list of those safeguards include virtual private networks, encryption of data, and multiple layers of access control.
While we take security very seriously, we recognize any technology or process will contain flaws. We practice a defense in depth strategy in an effort to manage this reality. However, if You believe Your Personal Data has been compromised, or you have questions about Our security practices, please contact Us as indicated in the “Contacting Us” section.
Our processing and storage of Your personal data is guided by the contracts we have with Our “Customers” to use Cirrus Identity Services (See Disclosure of Data). In general, personal data is retained as follows:
1. Services that require the storage of Your personal data (Cirrus Identity Account Linking Service, Cirrus Identity Invitation Service, and Cirrus Identity External Identity Service), retain data for the duration of the contract with the Customer. Cirrus Identity will erase Your personal data and/or the data of the Customer upon the request of the Customer, or thirty (30) calendar days after the contract with the Customer terminates. The Customer has thirty (30) calendar days from the effective termination date of the Customer’s Service contract with Cirrus Identity to request Cirrus Identity to make data controlled by the Customer (including Your personal data) available for download by the Customer as provided in the Service’s documentation. After the 30-day availability period, Cirrus Identity will have no obligation to maintain or provide access to Customer data or Your personal data. Thereafter, Cirrus Identity will delete the operational data from Cirrus Identity systems or otherwise in Cirrus Identity’s possession or control as provided in the documentation, unless legally prohibited from doing so. Data contained in transaction logs and system backups will be deleted according to those respective data retention schedules.
2. Transaction logs and system backups that may contain Your personal data or the data of the Customer are retained for one (1) year and then deleted.
MINORS AND CHILDREN’S PRIVACY
Cirrus Identity does not knowingly accept any Personal Data from children under 13 year of age. If you become aware that your child or any child under your care has provided us with data without your consent, please contact us as indicated in the “Contacting Us” section.
You or other parties may supply Cirrus Identity with contact information to receive news and updates on Our Services. In some cases, You have subscribed to mailing lists. In other cases You were identified as having a legitimate interest in Our solutions. You may opt-out of such notices by following unsubscribe instructions included in correspondence, included on Our website, or by contacting firstname.lastname@example.org.
SHARING, UPDATING, OR CORRECTING DATA
You may choose to not share certain personal data with Cirrus Identity, in which case We may not be able to provide Services that allow you access to Customer applications.
You and Our “Customers” may update or correct information They have provided to Cirrus Identity using Cirrus Identity Services, or by contacting email@example.com.
Data supplied to the Cirrus Identity Social Gateway by any of the social identity providers listed in the “Cirrus Identity Social Gateway Section” must be corrected by You at each social identity provider. After making corrections, You may still have to contact The Customer to also have the change reflected. An example of this would be if You used LinkedIn for the Cirrus Identity Account Linking Service and The Customer uses the email address You have listed in LinkedIn. If you change this email address in LinkedIn, You may also have to notify The Customer of the change.