Data Processing Specifications
This is not a stand-alone document. These Data Processing Specifications supplement the relevant Data Processing Terms for HID software-as-a-service offerings set forth below (each a “Service”):
The Data Processing Specifications describe: (i) the subject matter of the data processing; (ii) the type of Personal Data processed; (ii) the name and location of the party hosting the Personal Data; (iii) where the Service is hosted; (iv) sub-processors involved in the processing of the Personal Data, if any; (iv) the purpose of the data processing; and (v) the period of time the Personal Data is retained.
Personal Data types processed are selected by End Customer. If End Customer defines a different Data Retention Period or otherwise requests that HID retain Customer Materials beyond the Data Retention Period (“Requested Data Retention Period”), subject to the payment of additional fees associated with such retention as may be reasonable requested by HID, HID will retain the data for the Requested Data Retention Period.
Outside of the data types listed below, there may be additional optional fields that Channel Partner or End Customer may populate at its discretion. If Channel Partner or End Customer elect to populate those fields with Personal Data, any such information will be treated as confidential data and will be deleted within 30 days of from last back up. This optional data entered by Channel Partner or End Customer is not required for the operation of the Services.
Authentication Service
HID Entity Providing the Service: ActivIdentity (Australia) Pty Ltd, HID India Private Ltd, HID Global Corporation, HID GLOBAL SAS, HID Corporation Ltd, and ASSA ABLOY
Location of Processing: United States, Ireland, Germany, United Kingdom, France, Australia, Canada, and India
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrator | First and last name Email address Telephone number Employer information Employer address |
Onboarding the End Customer Organization to the Service. Applies to the first Privileged Admin user only. | 30 days from termination of the Service |
| End user | First and last name User identifier |
Identification of end users who use the Service for authentication. | 30 days from termination of the Service |
| End user | Email address Mobile telephone number |
Authentication of end users’ login attempt. | 30 days from termination of the Service |
Delivery of the data by client: API or user interface over HTTPS
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing: United States* and European Union
Frequency of data transfer: Continuous Basis
*End Customer designates the primary hosting location. Unless otherwise requested by End Customer, backup data will be stored in the United States.
| Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrator | First and last name Email address Telephone number Employer information Employer address |
To host the infrastructure where the Service resides | 30 days from termination of the Service |
| End User | First and last name User identifier |
To host the infrastructure where the Service resides | 30 days from termination of the Service |
| End User | Email address Mobile telephone number |
To host the infrastructure where the Service resides | 30 days from termination of the Service |
HID affiliates providing customer-initiated support
Entities: HID Global Corporation, Cerramex, SA de CV, ActivIdentity Pty. Ltd, HID India Private Limited, HID Corporation Ltd, HID Do Brasil Industria Comercio Importacao E Exportacao De Equipamentos Eletronicos Ltda, , HID Asia Pacific Limited, and HID China Ltd
Location of Processing: Australia, India, United States, France, United Kingdom, and Canada
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrator | First and last name Email address Telephone number Employer information Employer address |
To provide managed services and support | 30 days from termination of the Service |
| End User | First and last name ser identifier or other form of identification (ex: government issued ID) |
To provide managed services and support | 30 days from termination of the Service |
| End User | Email address Mobile telephone number |
To provide managed services and support | 30 days from termination of the Service |
HID affiliates providing professional services
Entities: HID India Private Ltd, HID Global Corporation, ASSA ABLOY of Canada Ltd, ActivIdentity (Australia) Pty Ltd, HID Global GmbH, HID Global SAS, and HID Global Teoranta
Location of Processing: India, United States, Canada, United Kingdom, Australia, Germany, South Africa, and Ireland
Frequency of data transfer: One-Off*
*transfer and access limited to the duration of the professional services engagement
| Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrator | First and last name Email address Telephone number Employer information Employer address |
To provide professional services as contracted by End Customer | 30 days from termination of the Service |
| End User | First and last name User identifier |
To provide professional services as contracted by End Customer | 30 days from termination of the Service |
| End User | Email address Mobile telephone number |
To provide professional services as contracted by End Customer | 30 days from termination of the Service |
Third Party Service Providers
Entity: HSL Mobile/Link Mobility
Location of Processing: United Kingdom
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrator | Mobile telephone number | Deliver one-time passwords via SMS to mobile phones for two-factor authentication. | 30 days from termination of the Service |
| End User | Mobile telephone number | Deliver one-time passwords via SMS to mobile phones for two-factor authentication. | 30 days from termination of the Service |
SAFE™ and WorkforceID™ Visitor Manager and Credential Manager
HID Entity Providing the Service: HID Global Corporation
Location of Processing: United States*
Frequency of data transfer: Continuous Basis
*Unless the End Customer elects for their service to be provided from the European Union, data is transferred to the Hosting Provider based in the United States
| Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period | Sensitive Data |
|---|---|---|---|---|
| Employees Contractors Vendors Suppliers Visitors |
First and last name Email address Residential address Business address Driver’s License or other State or Government Issued Identification Number or Card (including Passport) School-Issued Identification Native American tribal document School record or report Clinic, doctor, or hospital record Daycare or nursery school record Social Security number or Card Birth Certificate or Certificate of Birth Abroad issued by First and last name Email address Residential address Business address Driver’s License or other State or Government Issued Identification Number or Card (including Passport) School-Issued Identification Native American tribal document School record or report Clinic, doctor, or hospital record Daycare or nursery school record Social Security number or Card Birth Certificate or Certificate of Birth Abroad issued by the Department of State Unexpired employment authorization document issued by DHS Any other I-9 documentation Employer information Job title Biometric data Photograph of individual Place of birth Nation of origin Ethnicity Gender Height/Weight Eye color Hair color License Plate Number |
Identifying authorized end users Authenticating site visitor identity Badge and credential issuance Screening visitors |
30 days from termination of the Service | Biometric data Native American tribal document Nation of origin Ethnicity Birth Certificate or Certificate of Birth Abroad issued by the Department of State Passport other sensitive data on I-9 document The applied restrictions or safeguards related to sensitive data transferred outside of the EEA is set forth in Annex II to the applicable Standard Contractual clauses located at: https://www.hidglobal.com/legal |
| System Users | Email Address Account Name |
To give access to the system | 30 days from termination of the Service | |
| Employees Contractors Vendors Suppliers Visitors |
End user answers to End Customer defined questionnaire** | Authorizing end users and site visitors based on End Customer criteria Screening employees and visitors | 48 hours after screening event |
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing: United States*
Frequency of data transfer: Continuous Basis
*unless the parties enter into a SAFE SaaS Platform Designation Agreement specifying a different platform location, in which event such agreement shall amend this Data Processing Specifications document
| Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period | Sensitive Data |
|---|---|---|---|---|
| Employees Contractors Vendors Suppliers Visitors |
First and last name Email address Residential address Business address Driver’s License or other State or Government Issued Identification Number or Card (including Passport) School-Issued Identification Native American tribal document School record or report Clinic, doctor, or hospital record Daycare or nursery school record Social Security number or Card Birth Certificate or Certificate of Birth Abroad issued by First and last name Email address Residential address Business address Driver’s License or other State or Government Issued Identification Number or Card (including Passport) School-Issued Identification Native American tribal document School record or report Clinic, doctor, or hospital record Daycare or nursery school record Social Security number or Card Birth Certificate or Certificate of Birth Abroad issued by the Department of State Unexpired employment authorization document issued by DHS Any other I-9 documentation Employer information Job title Biometric data Photograph of individual Place of birth Nation of origin Ethnicity Gender Height/Weight Eye color Hair color License Plate Number |
To host the infrastructure where the Service resides | 30 days from termination of the Service | Biometric data Native American tribal document Nation of origin Ethnicity Birth Certificate or Certificate of Birth Abroad issued by the Department of State Passport other sensitive data on I-9 document The applied restrictions or safeguards related to sensitive data transferred outside of the EEA is set forth in Annex II to the applicable Standard Contractual clauses located at: https://www.hidglobal.com/legal |
| System Users | Email Address Account Name |
To host the infrastructure where the Service resides | 30 days from termination of the Service | |
| Employees Contractors Vendors Suppliers Visitors |
End user answers to End Customer defined questionnaire** | To host the infrastructure where the Service resides | 48 hours after screening event |
HID affiliates providing customer-initiated support
Entities: ActivIdentity (Australia) Pty Ltd, HID India Private Ltd, HID Global Corporation, HID GLOBAL SAS, HID Corporation Ltd, and ASSA ABLOY
Location of Processing: Australia, India, United States, France, United Kingdom, and Canada
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period | Sensitive Data |
|---|---|---|---|---|
| Employees Contractors Vendors Suppliers Visitors |
First and last name Email address Residential address Business address Driver’s License or other State or Government Issued Identification Number or Card (including Passport) School-Issued Identification Native American tribal document School record or report Clinic, doctor, or hospital record Daycare or nursery school record Social Security number or Card Birth Certificate or Certificate of Birth Abroad issued by First and last name Email address Residential address Business address Driver’s License or other State or Government Issued Identification Number or Card (including Passport) School-Issued Identification Native American tribal document School record or report Clinic, doctor, or hospital record Daycare or nursery school record Social Security number or Card Birth Certificate or Certificate of Birth Abroad issued by the Department of State Unexpired employment authorization document issued by DHS Any other I-9 documentation Employer information Job title Biometric data Photograph of individual Place of birth Nation of origin Ethnicity Gender Height/Weight Eye color Hair color License Plate Number |
To provide managed services and support | 30 days from termination of the Service | Biometric data Native American tribal document Nation of origin Ethnicity Birth Certificate or Certificate of Birth Abroad issued by the Department of State Passport other sensitive data on I-9 document The applied restrictions or safeguards related to sensitive data transferred outside of the EEA is set forth in Annex II to the applicable Standard Contractual clauses located at: https://www.hidglobal.com/legal |
| System Users | Email Address Account Name |
To provide managed services and support | 30 days from termination of the Service | |
| Employees Contractors Vendors Suppliers Visitors |
End user answers to End Customer defined questionnaire** | To provide managed services and support | 48 hours after screening event |
HID affiliates providing professional services
Entities: HID India Private Ltd, HID Global Corporation, ASSA ABLOY of Canada Ltd, ActivIdentity (Australia) Pty Ltd, HID Global GmbH, HID Global SAS, and HID Global Teoranta
Location of Processing: India, United States, Canada, United Kingdom, Australia, Germany, South Africa, and Ireland
Frequency of data transfer: One-Off*
*transfer and access limited to the duration of the professional services engagement
To provide professional services as contracted by End Customer
| Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period | Sensitive Data |
|---|---|---|---|---|
| Employees Contractors Vendors Suppliers Visitors |
First and last name Email address Residential address Business address Driver’s License or other State or Government Issued Identification Number or Card (including Passport) School-Issued Identification Native American tribal document School record or report Clinic, doctor, or hospital record Daycare or nursery school record Social Security number or Card Birth Certificate or Certificate of Birth Abroad issued by First and last name Email address Residential address Business address Driver’s License or other State or Government Issued Identification Number or Card (including Passport) School-Issued Identification Native American tribal document School record or report Clinic, doctor, or hospital record Daycare or nursery school record Social Security number or Card Birth Certificate or Certificate of Birth Abroad issued by the Department of State Unexpired employment authorization document issued by DHS Any other I-9 documentation Employer information Job title Biometric data Photograph of individual Place of birth Nation of origin Ethnicity Gender Height/Weight Eye color Hair color License Plate Number |
30 days from termination of the Service | Biometric data Native American tribal document Nation of origin Ethnicity Birth Certificate or Certificate of Birth Abroad issued by the Department of State Passport other sensitive data on I-9 document The applied restrictions or safeguards related to sensitive data transferred outside of the EEA is set forth in Annex II to the applicable Standard Contractual clauses located at: https://www.hidglobal.com/legal |
|
| System Users | Email Address Account Name |
To provide professional services as contracted by End Customer | 30 days from termination of the Service | |
| Employees Contractors Vendors Suppliers Visitors |
End user answers to End Customer defined questionnaire** | To provide professional services as contracted by End Customer | 48 hours after screening event |
Delivery of the data by client: API or user interface over HTTPS
** ONLY APPLIES WHERE THERE IS A QUESTIONNAIRE PRESENTED. END CUSTOMER IS SOLELY RESPONSIBLE FOR DETERMINING WHETHER THE CONTENT OF ANY QUESTIONNAIRE IS APPROPRIATE, MEETS END CUSTOMER’S REQUIREMENTS, AND IS PERMITTED BY APPLICABLE LAWS AND REGULATIONS. THE RESPONDENT TO THE QUESTIONNAIRE IS SOLELY RESPONSIBLE FOR THE ACCURACY OF ITS ANSWERS TO ANY SUCH QUESTIONNAIRE.
HID Origo™ Platform and Related Services
HID Entity Providing the Service: HID Global Corporation
Location of Processing: United States
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrator Reader Technician |
First and last name Email address Job title (HID Reader Manager app) Telephone number Employer information Employer address |
Onboarding the End Customer Organization to the service or registering as a Reader Technician in the HID Reader Manager app. Applies to Administrators and Reader Technicians only. | 30 days from termination of the Service |
| End user | First and last name Email address Title Suffix User identifier (e.g. a username from another system) |
Identification of end users. | 30 days from termination of the Service |
| End user | Photo | Provide the Photo ID functionality, which can be used to link an image and titles to a Mobile ID. | 30 days from termination of the Service |
| Administrator End user |
Unique push notification identifier Unique application identifier Application state, events and usage statistics Location data (e.g. GPS positions) in conjunction with presenting a Mobile ID to a reader or inspecting reader configuration |
Delivery and management of Mobile IDs or reader keysets. Improving service performance and providing technical support. |
3 years in deidentified form |
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing: United States
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrator Reader Technician |
First and last name Email address Job title (HID Reader Manager app) Telephone number Employer information Employer address |
To host the infrastructure where the Service resides | 30 days from termination of the Service |
| End user | First and last name Email address Title Suffix User identifier (e.g. a username from another system) |
To host the infrastructure where the Service resides | 30 days from termination of the Service |
| End user | Photo | To host the infrastructure where the Service resides | 30 days from termination of the Service |
| Administrator End user |
Unique push notification identifier Unique application identifier Application state, events and usage statistics Location data (e.g. GPS positions) in conjunction with presenting a Mobile ID to a reader or inspecting reader configuration |
To host the infrastructure where the Service resides | 30 days from termination of the Service** |
| End user | Application state, events and usage statistics Location data (e.g. GPS positions) in conjunction with presenting a Mobile ID to a reader or inspecting reader configuration | To host the infrastructure where the Service resides | 3 years in deidentified form |
HID affiliates providing customer-initiated support
Entities: HID Global Corporation and affiliated entities
Location of Processing: United States, India, Mexico, Brazil, United Kingdom, Hong Kong, China, and Australia
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrator Reader Technician |
First and last name Email address Job title (HID Reader Manager app) Telephone number Employer information Employer address |
To provide managed services and support | 30 days from termination of the Service |
| End user | First and last name Email address Title Suffix User identifier (e.g. a username from another system) |
To provide managed services and support | 30 days from termination of the Service |
| End user | Photo | To provide managed services and support | 30 days from termination of the Service |
| Administrator End user |
Unique push notification identifier Unique application identifier Application state, events and usage statistics Location data (e.g. GPS positions) in conjunction with presenting a Mobile ID to a reader or inspecting reader configuration |
To provide managed services and support | 30 days from termination of the Service** |
| End user | Application state, events and usage statistics Location data (e.g. GPS positions) in conjunction with presenting a Mobile ID to a reader or inspecting reader configuration | To provide managed services and support | 3 years in deidentified form |
Third Party service providers
Entity: Google LLC
Location of Processing: United States
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrator End User |
Cookies Email Address |
Usage analytics data from the HID Origo SDK | 14 months |
Entity: Mixpanel
Location of Processing: United States
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| End User | Usage Data | Usage analytics data from the HID Origo SDK | 5 years |
Entity: HSL Mobile/Link Mobility
Location of Processing: United Kingdom
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrator | Mobile telephone number | Deliver one-time passwords via SMS to mobile phones for two-factor authentication. | 30 days from termination of the Service |
| End User | Mobile telephone number | Deliver one-time passwords via SMS to mobile phones for two-factor authentication. | 30 days from termination of the Service |
Delivery of the data by client: API or user interface over HTTPS
Additional Terms Related to Apple Access Technology:
The following are additional terms related to personal data sharing and processing when End Customer uses the Service with Apple Pay Technology and/or Apple Access Technology (e.g., enable users to add access credentials to Apple Wallet) (“Apple Access Technology”). HID may share with Apple and Apple, solely in its own independent capacity, may use End Customer Data (including personal data) and Credential Manager Provisioning Data for the purpose of performing its obligations and exercising its rights set forth in the Participating Provider Agreement or Participating Provider Terms and Conditions by and between End Customer and Apple or an Apple affiliated entity (“PPTC”). In the event of a conflict between the Data Processing Terms and/or these Data Processing Specifications and the PPTC, the PPTC shall govern with respect to the sharing and processing of such data. “End Customer Data” means information related specifically to any account, credential or user that is obtained, generated, or created by or on behalf of End Customer in connection with account establishment, processing, and maintenance activities, End Customer service, and transaction data (including personal data), as associated with Apple Access Technology and “Credential Manager Provisioning Data” means data supplied by HID or an HID partner to Apple for the purpose of facilitating End Customer’s provisions path decision process. HID HEREBY DISCLAIMS ALL LIABILITY WITH RESPECT TO THE DATA SHARED WITH APPLE. THE DISCLOSURE AND USE OF SUCH DATA SHALL BE GOVERNED EXCLUSIVELY BY THE PPTC.
WorkforceID™ Digital Credential Manager
HID Entities Providing the Service: HID Global Corporation, Avalanche Cloud Corp (Private certificates), and IdenTrust, Inc. (Public certificates)
Location of Processing: United States
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrator | Employer information Employer address IT Manager email address and cell phone number |
Onboarding the End Customer Organization to the service. Identification and authentication of the IT Manager configuring the service | 30 days from termination of the Service* |
| End User | First and last name Domain username and User Principal Name (UPN) Email address |
Identification of end users accessing the service Attributes included in the digital certificates issued by the service | |
| End User | Authentication Device serial numbers Digital certificate serial numbers |
Identification of authentication devices and digital certificates issued and managed by the service |
*When using WorkforceID Digital Credential Manager with the Publicly Trusted Certificate Authority, archive records containing Personal Data are maintained for up to 10.5 years as required by certification authorities
Location of the platform: Hosted by the company Amazon Web Services (“Hosting Provider”) – platform currently located in the United States
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing: United States
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrator | Employer information Employer address IT Manager email address and cell phone number |
To host the infrastructure where the Service resides | 30 days from termination of the Service* |
| End User | First and last name Domain username and User Principal Name (UPN) Email address |
To host the infrastructure where the Service resides | |
| End User | Authentication Device serial numbers Digital certificate serial numbers |
To host the infrastructure where the Service resides |
HID affiliates providing customer-initiated support
Entities: ActivIdentity (Australia) Pty Ltd, HID India Private Ltd, HID Global Corporation, HID GLOBAL SAS, HID Corporation Ltd, IdenTrust, Inc., and ASSA ABLOY
Location of Processing: Australia, India, United States, France, United Kingdom, and Canada
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrator | Employer information Employer address IT Manager email address and cell phone number |
To provide managed services and support | 30 days from termination of the Service* |
| End User | First and last name Domain username and User Principal Name (UPN) Email address |
To provide managed services and support | |
| End User | Authentication Device serial numbers Digital certificate serial numbers |
To provide managed services and support |
Delivery of the data by client: User interface over HTTPS
Additional Disclosure Information: When using WorkforceID Digital Credential Manager with the Publicly Trusted Certificate Authority, End users' Digital Certificates and any information contained therein, including end user's and Customer's identity, must be seen by others and is not private – that would defeat the purpose of the Digital Certificate, which is to allow third parties to establish end user and Customer's identity. Personal Data that may be disclosed hereunder includes, but is not limited to: (i) end user's UPN (user principal name), name and e-mail address, (ii) end user Public Key; (iii) Customer's name, address and telephone number; and (iv) end user Digital Certificate serial number and expiration date. However, end user's address and telephone number and other personally identifying information, other than user principal name, name and e-mail address, will not appear in their Digital Certificate and will not be disclosed to third parties except as provided for in the Data Processing Terms or in these Data Processing Specifications.
FARGO Connect™ Platform Services
HID Entity Providing the Service: HID Global Corporation
Location of Processing: United States
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrator | First and last name Email address Telephone number Employer address |
Identification of end users utilizing the HID FARGO Connect card personalization portal. | 30 days from termination of the Service |
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing: United States
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrator | First and last name Email address Telephone number Employer address |
To host the infrastructure where the Service resides | 30 days from termination of the Service |
Third Party service providers
Entity: eXtensia Technologies, Inc.
Location of Processing: United States
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrator | First and last name Email address Telephone number Employer address |
For the provision of security and integration services | 30 days from termination of the Service |
HID affiliates providing customer-initiated support
Entities: HID Global Corporation and affiliated entities
Location(s) of support services: United States, United Kingdom, Hong Kong, Australia, Brazil, Japan and India
Frequency of data transfer for support: One-Off*
| Categories of Data Subjects | Personal Data Types | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrator | First and last name Email address Telephone number Employer address |
To provide managed services and support | 30 days from termination of the Service |
Delivery of the data by client: API or user interface over HTTPS
HydrantID Managed PKI and Trusted Digital Certificate Services
HID Entity Providing the Service: Avalanche Cloud Corp
Location of Processing: United States
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrators End User |
First Name Last Name Common Name E-mail address Title (e.g. Mr./Mrs.) Locality State/Province Country Government issued ID document number (e.g. passport, driving license) |
To provide digital certificates, signing services, and other products and services. Applies to the certificate holder.
Personal data provided as part of the Services, such as the certificate content and in some cases registration data, may be used to process the certificate. |
Information and audit logs for at least seven years. Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
| Administrators | First Name Last Name E-mail address Telephone number |
Onboarding the End Customer organization to the Service. To provide access to the Service platform. Applies to the account administrators | Information and audit logs for at least seven years. Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing: United States* and the European Union
Frequency of data transfer: Continuous Basis
*Unless the End Customer elects for their data to be hosted in the European Union, data is transferred to the Hosting Provider based in the United States
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrators End User |
First Name Last Name Common Name E-mail address Title (e.g. Mr./Mrs.) Locality State/Province Country Government issued ID document number (e.g. passport, driving license) |
To host the infrastructure where the Service resides | Information and audit logs for at least seven years.
Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
| Administrators | First Name Last Name E-mail address Telephone number |
To host the infrastructure where the Service resides | Information and audit logs for at least seven years.
Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
HID affiliates providing customer-initiated support
Entity: IdenTrust, Inc.
Location of Processing: United States
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrators End User |
First Name Last Name Common Name E-mail address Title (e.g. Mr./Mrs.) Locality State/Province Country Government issued ID document number (e.g. passport, driving license) |
To provide managed services and support | Information and audit logs for at least seven years.
Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
| Administrators | First Name Last Name E-mail address Telephone number |
To provide managed services and support | Information and audit logs for at least seven years.
Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
Third-party service providers
Entity: Switch
Location of Processing: United States
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrators End User |
First Name Last Name Common Name E-mail address Title (e.g. Mr./Mrs.) Locality State/Province Country Government issued ID document number (e.g. passport, driving license) |
May host HID-dedicated infrastructure, including Personal Data types listed above either as primary or backup for the Service. | Information and audit logs for at least seven years.
Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
| Administrators | First Name Last Name E-mail address Telephone number |
May host HID-dedicated infrastructure, including Personal Data types listed above either as primary or backup for the Service. | Information and audit logs for at least seven years.
Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
Entity: Equinix
Location of Processing: United States* and European Union
Frequency of data transfer: Continuous Basis
*Unless the End Customer elects for their data to be hosted in the European Union, data is transferred to the Hosting Provider based in the United States.
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrators End User |
First Name Last Name Common Name E-mail address Title (e.g. Mr./Mrs.) Locality State/Province Country Government issued ID document number (e.g. passport, driving license) |
May host HID-dedicated infrastructure, including Personal Data types listed above either as primary or backup for the Service. | Information and audit logs for at least seven years.
Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
| Administrators | First Name Last Name E-mail address Telephone number |
May host HID-dedicated infrastructure, including Personal Data types listed above either as primary or backup for the Service. | Information and audit logs for at least seven years.
Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
Entity: DigiCert and QuoVadis entities
Location of Processing*: Netherlands, Switzerland, Belgium, Germany, United Kingdom, United States, or Bermuda
Frequency of data transfer: Continuous Basis
*Location of processing determined by sub-processor Entity based on the type of service
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrators End User |
First Name Last Name Common Name E-mail address Title (e.g. Mr./Mrs.) Locality State/Province Country Government issued ID document number (e.g. passport, driving license) |
May process data to be included in a digital certificate (which can include the Personal Data types listed above) when HID uses DigiCert/QuoVadis digital certificate systems to deliver the Services to End Customer. | Information and audit logs for at least seven years.
Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
| Administrators | First Name Last Name E-mail address Telephone number |
May process data to be included in a digital certificate (which can include the Personal Data types listed above) when HID uses DigiCert/QuoVadis digital certificate systems to deliver the Services to End Customer. | Information and audit logs for at least seven years.
Audit logs relating to the certificate lifecycle are retained as archive records for a period no less than eleven years for Swiss Qualified/Regulated Certificates, 30 years for certificates issued out of Belgian Issuing CAs and for seven years for all other digital certificates. Note that this period begins when the certificate expires. |
Entity: Auth0
Location of Processing: United States* and European Union
Frequency of data transfer: Continuous Basis
*Unless the End Customer elects for their data to be hosted in the European Union, data is transferred to the Hosting Provider based in the United States.
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrators End User |
First Name Last Name Common Name E-mail address Title (e.g. Mr./Mrs.) Locality State/Province Country Government issued ID document number (e.g. passport, driving license) |
Authenticating Administrators and End Users prior to accessing the Service | 30 days |
Entity: Mailgun
Location of Processing: United States* and European Union
Frequency of data transfer: Continuous Basis
*Unless the End Customer elects for their data to be hosted in the European Union, data is transferred to the Hosting Provider based in the United States.
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| Administrators End User |
First Name Last Name E-mail address |
Communicate with Administrators and End Users about the Service | 30 days |
Delivery of the data by client: API over HTTPS
HID Location Services Dashboard
Third Party service provider
Entity: Banyan Hills Technologies
Location of Processing: United States
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| End User | Location Data Latitude Longitude Altitude |
Determine the location of a specific device (for example a hardware or mobile beacon), over time. This information is presented in dashboards to provide location services. | 30 days from termination of the Service |
| End User | Device Properties Name Identifier MAC address |
Identify a specific device associated with Location Data. This information may be used to correlate the Location Data with a specific user. | 30 days from termination of the Service |
Hosting Provider
Entity: Amazon Web Services
Location of Processing: United States
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| End User | Location Data Latitude Longitude Altitude |
To host the infrastructure where the Service resides | 30 days from termination of the Service |
| End User | Device Properties Name Identifier MAC address |
To host the infrastructure where the Service resides | 30 days from termination of the Service |
HID affiliates providing customer-initiated support
Entities: HID Global Corporation
Location of Processing: United States
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
| End User | Location Data Latitude Longitude Altitude |
To provide managed services and support | 30 days from termination of the Service |
| End User | Device Properties Name Identifier MAC address |
To provide managed services and support | 30 days from termination of the Service |
Event Management Platform
Name (First & Last), Title (Mr, Mrs, Miss); Email Address; Phone Number; Seating information (Gate, Block, Row, Seat); Company; Country (Nationality); Ticket Number; Ticket Barcode; Accreditation; AccreditationID; Photo; Name (First & Last), Company; Country; Category of Accreditation (e.g. MEDIA), sub-category, Date of Birth
| Personal Data Type | Purpose of Processing | Data Retention Period** | |
|---|---|---|---|
| Accreditation Module & Organization Self administration module and Self Registration forms A configurable list of the following attributes. Name (First & Last), Title (Mr, Mrs, Miss); Email Address; Phone Number; Company (Organization); Country (Nationality); Nationality, ID document type, ID document number, ID document expiry date, Scan of the ID document, AccreditationID, Photo; Category of Accreditation (e.g. MEDIA), sub-category, Date of Birth Address |
To perform the enrollment process for individuals and security vetting (sending and extracting the subset of personal information to authorities to establish if the individual has sufficient security standing to attend the event) and then for the individual to be approved to have a credential (physical or virtual) issued to attend the event and for other systems or the below HID platform module to provide access control to the event. | Defined by the configuration for the specific event and in any case: The shorter of: (i) 60 days from termination of the Service; or (ii) 3 years after the applicable event period has finished | |
| Accredited Individuals and Ticket Holders: | To perform issuance of credentials and vouchers both physical (e.g. printing a smart card / paper credential and additionally encoding the data securely into a secure chip in the credential) or virtual (a mobile ticket inside an App or inside Apple Wallet / Google Pay)
To verify a credentials and perform access control To provide additional services related to access control (for example: the ability to use the credential at a kiosk to print out a Set Information Receipt with name, Last name Block Row Seat of the individual). |
The shorter of: (i) 60 days from termination of the Service; or (ii) 3 years after the applicable event period has finished | |
| Answers to End Customer defined questionnaire*** | Allows Accredited Individuals unlock its accreditation after providing the submission of the answers to End Customer’s questionnaire in compliance with End Customer criteria | 48 hours after the applicable event period has finished | |
| Web Portal Users: Email Address, first name, last name; Password | To perform login into the EMS web portal (email + PWD) | 60 days from termination of the Service |
For clarity, an “Accredited Individual” is an individual granted access to the premises by the End Customer in an official compacity and not as a ticket holder or other type of patron. Examples of an Accredited Individual include End Customer personnel, contractors, vendors, volunteers, and third-party media.
**If End Customer requests HID retain Customer Materials beyond the Data Retention Period (“Additional Data Retention Period”), HID will retain the data for 90 days from the expiry of the Additional Retention Period.
***ONLY APPLIES WHERE THERE IS A QUESTIONNAIRE PRESENTED. END CUSTOMER IS SOLELY RESPONSIBLE FOR DETERMINING WHETHER THE CONTENT OF ANY QUESTIONNAIRE IS APPROPRIATE, MEETS END CUSTOMER’S REQUIREMENTS, AND IS PERMITTED BY APPLICABLE LAWS AND REGULATIONS. THE RESPONDENT TO THE QUESTIONNAIRE IS SOLELY RESPONSIBLE FOR THE ACCURACY OF ITS ANSWERS TO ANY SUCH QUESTIONNAIRE.
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing: Ireland
Frequency of data transfer: Continuous Basis
Third Party service providers
| Company | Location of Processing | Purpose |
|---|---|---|
| Auth0 (Optional) | EU | Portal Login Service for the Web Portal Users Personal Data types |
| MailGun | EU | Email sending service to send event invitation emails to the individual (if requested and configured in the platform) |
Delivery of the data by client: API, Azure Service Bus or user interface over HTTPS direct entering of data via web forms or CSV upload into the web admin portals of the event management platform
Location(s) of support services: United Kingdom, Italy, Poland, and India
Third Party Background Checks and Security Vetting: Upon request by End Customer, HID may share some, or all, of the personal data types described under “Accreditation Module & Organization Self administration module and Self Registration forms” section listed above to certain third-party background check and security vetting providers. Such providers may be private entities or local police or other law enforcement officials that perform these functions on behalf of End Customer.
HID Textile Services ACUITY Administration
HID Entity Providing the Service: HID Textile Service SARL
Location of Processing*: United Kingdom, Australia
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
|
End User |
First and last name Email address Telephone number |
Define Contact Information for the purpose Of Order Management by HID Customer |
30 days from termination of the Service
|
|
End User |
Username***
|
Authentication of End User’s login attempt to access WebOrder Customer Portal |
30 days from termination of the Service
|
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing*: UK and Australia
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
|
End User |
First and last name Email address Telephone number |
To host the infrastructure |
30 days from termination of the Service
|
|
End User |
Username***
|
To host the infrastructure |
30 days from termination of the Service
|
Third-Party Support Provider
Entity: Stefanini IT Solutions
Location of Processing: Romania
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
|
End User |
First and last name Email address Telephone number |
Update End User information |
30 days from termination of the Service
|
|
End User |
Username***
|
Update End User information |
30 days from termination of the Service
|
*If End Customer is in the European Union, all data is processed in the European Union or a country that has obtained an adequacy decision
**”End User” means individual users to which End Customer grants access to the Service
***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User
HID Textile Services ACUITY Users Management
HID Entity Providing the Service: HID Textile Services SARL
Location of Processing: Australia
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
|
End User Administrator |
First and last name Email address Telephone number Username*** |
Authentication of End User’s login attempt to access ACUITY User Management and able to add, update, remove End User for the administrated entity |
30 days from termination of the Service |
|
End User |
First and last name Email address Telephone number Username*** |
Authentication of End User’s login attempt to access ACUITY tools (WebOrder tools, Smart Readers, Mobile Applications) |
30 days from termination of the Service
|
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing: Australia
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
|
End User Administrator |
First and last name Email address Telephone number Username*** |
To host the infrastructure |
30 days from termination of the Service |
|
End User |
First and last name Email address Telephone number Username*** |
To host the infrastructure |
30 days from termination of the Service
|
Third-Party Support Provider
Entity: Stefanini IT Solutions
Location of Processing: Romania
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
|
End User Administrator |
First and last name Email address Telephone number Username*** |
Update End User Administrator Information |
30 days from termination of the Service |
|
End User |
First and last name Email address Telephone number Username*** |
Update End User Information |
30 days from termination of the Service
|
**”End User” means individual users to which End Customer grants access to the Service
***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User
HID Textile Services WebOrder Admin, WebOrder Invoicing, WebOrder Dispatch tools
HID Entity Providing the Service: HID Textile Services SARL
Location of Processing*: United Kingdom, Australia
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
|
End User |
Username*** |
Authentication of End User’s login attempt to access the various WebOrder tools (WOA, WOD, WOI, WOR) |
30 days from termination of the Service
|
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing: Australia
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
|
End User |
Username*** |
To host the infrastructure |
30 days from termination of the Service
|
**”End User” means individual users to which End Customer grants access to the Service
***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User
HID Textile Services WebOrder Customer Portal (Provided by HID Textile Services)
HID Entity Providing the Service: HID Textile Services SARL
Location of Processing*: United Kingdom, Australia
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
|
End User |
Username*** |
Authentication of End User’s login attempt to access WebOrder Customer |
30 days from termination of the Service
|
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing*: United Kingdom and Australia
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
|
End User |
Username*** |
To host the infrastructure |
30 days from termination of the Service
|
*If End Customer is in the European Union, all data is processed in the European Union or a country that has obtained an adequacy decision
**”End User” means individual users to which End Customer grants access to the Service
***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User
HID Textile Services ACUITY RFID Platform for Laundries
HID Entity Providing the Service: HID Textile Services SARL
Location of Processing*: France, United Kingdom, Germany, Singapore, Australia
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
|
End User |
Username*** |
Authentication of End User’s login attempt to access Smart Reader Business Processes when applicable |
30 days from termination of the Service
|
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing: Australia
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
|
End User |
Username*** |
To host the infrastructure |
30 days from termination of the Service
|
**”End User” means individual users to which End Customer grants access to the Service
***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User
HID Textile Services ACUITY Mobile Applications
HID Entity Providing the Service: HID Textile Services SARL
Location of Processing*: France, United Kingdom, Germany, Singapore, Australia
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
|
End User |
Username*** |
Authentication of End User’s login attempt to access Mobile Application Business Processes |
30 days from termination of the Service
|
Sub-processors:
Hosting Provider
Entity: Amazon Web Services
Location of Processing: Australia
Frequency of data transfer: Continuous Basis
| Categories of Data Subjects | Personal Data Type | Purpose of Processing | Data Retention Period |
|---|---|---|---|
|
End User |
Username*** |
To host the infrastructure |
30 days from termination of the Service
|
**”End User” means individual users to which End Customer grants access to the Service
***Username will only contain Personal Data types (such as first and last name or some derivative thereof) if desired by administrators and/or End User
