September 20, 2023
1. INTRODUCTION AND PURPOSE OF INFORMATION COLLECTION
IdenTrust is a Certification Authority (a CA) that is recognized and relied upon by the major browser manufacturers to issue Digital Certificates (also known as PKI certificates and X.509 certificates). These certificates are used by individuals to authenticate their identity to others, and/or to encrypt sensitive data including financial transactions so they can be transferred over the Internet. Digital Certificates are also used by computers to encrypt data exchanged between web hosts and Internet users.
As a CA, when IdenTrust issues a Digital Certificate, others are assured that the certificate holder is who he or she claims to be, and that information encrypted by the certificate is safe from outside viewing or intrusion.
Whenever an individual provides information about himself or herself to apply for a Digital Certificate, this information is called “Personal Information” and the person is called a “Data Subject.”
Please note: In addition to issuing Digital Certificates directly to individuals under certain US government programs, IdenTrust processes certificate data for other institutions such as banks. If you obtain a Digital Certificate through a bank or other organization, that organization’s policies for handling Personal Information are in force, and you should contact that organization with any questions.
Terms defined here are capitalized in the rest of this document.
“IdenTrust” means IdenTrust, Inc., and its wholly owned and controlled subsidiary, IdenTrust Services, LLC. In this document, “we” means IdenTrust.
“Digital Certificate” means a piece of code that resides on your computer or in a piece of hardware (often called a token), that uniquely identifies you in emails and on websites, and may also handle encrypted messages between you and others. It is sometimes called an identity certificate, or an “X.509” or “PKI” certificate.
“Data Privacy Framework” or DPF, is the EU-U.S., Swiss-U.S., and UK-U.S. framework as set forth by the U.S. Department of Commerce. See the section titled “About the Data Privacy Framework,” for more information.
“GDPR” means the European Union General Data Protection Regulation (EU 2016/679) of 2018. GDPR rights, provisions, and regulations apply only to those natural persons who reside within the EU, although they align in many cases with the Data Privacy Framework, US federal privacy laws and regulations, and the privacy laws and regulations of many countries and US states.
“EU” means the European Union, including its Member States.
“Natural Person” means a human being. An “Identifiable Natural Person” is one who can be identified, directly or indirectly, using a name, an identification number, location data, an online identifier such as a user name, or other information.
“Personal Information,” “Personal Data,” and “Subject Data” all mean any information relating to an identified or identifiable Natural Person. The terms are used in various agreements and regulations that IdenTrust is subject to.
“Data Subject” is a Natural Person who is identified by Personal Information. In this document, “you” means yourself as a Data Subject.
“Data Controller” or “Controller” means an entity that collects Personal Information from a Natural Person and determines the purposes and means of Processing Personal Information. A Controller may also be a Data Processor.
“Data Processor” or “Processor” means an entity that Processes Personal Information on behalf, and under the instructions, of a Data Controller. In many cases, IdenTrust acts as a Processor for other organizations.
“Process,” “Processing,” and “Data Processing” all refer to any operation or set of operations which is performed on Personal Information, such as recording, organizing, structuring, storing, retrieving, using, transmitting, combining, restricting, erasing, destroying, or making it available to others.
“Relying Party” means an individual or organization that makes a request to IdenTrust to confirm the existence and validity of a Digital Certificate, for purposes such as validating digitally signed documents, confirming email senders, using notary services, or completing financial transactions.
“Governing Documents” means a Certificate Policy, Certification Practice Statement, or other documentation that describes what a product and/or service can and cannot provide. Certificate Policies and Certification Practice Statements are the basic documents that all Certificate Authorities such as IdenTrust must have in order to operate.
ABOUT THE DATA PRIVACY FRAMEWORK
The Data Privacy Framework (DPF) is a set of agreements between the US and the European Union countries, the UK, and Switzerland that helps to ensure the privacy of your personal data if it is transferred between the US and these other countries. The following statements are part of the IdenTrust commitment to comply with the provisions of the DPF.
- IdenTrust complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. The abbreviations shown above will be used in the following statements.
- IdenTrust has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.
- To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/
2. GENERAL PROVISIONS
2A. TYPES OF INFORMATION WE COLLECT
Where your Personal Information comes from
We collect and process Personal Information as necessary for performance of a contract or for our legitimate interests. If you apply for a Digital Certificate directly on the IdenTrust website, we collect Personal Information directly from you. We then confirm the accuracy of the information you provide with trusted third-party validators. We do not collect additional information about you from these validators; we simply confirm that the information you provide is correct. We also do not collect information from commercial data providers or data brokers; we use only data that you have provided.
Validation of the Personal Data we collect is done by trusted IdenTrust employees in a restricted area within the IdenTrust offices, using highly secure methods to encrypt the information in transit and at rest.
Please note that if you apply for a Digital Certificate on our website and do not complete the application for any reason, your Personal Information will not be saved by us.
We also Process Personal Information we receive from third-party organizations who have collected it from individual applicants. A third party may be your employer, your bank, or an organization that uses your services. These third parties are known as Registration Authorities. Registration Authorities are required to have obtained your consent to Process your Personal Information to apply for a Digital Certificate. We rely upon Registration Authorities and Registration Agents to confirm that your consent has been given and that your information is correct.
What Personal Information we collect
The type of Personal Information collected depends on the type of certificate product or service that you select, and is governed under the applicable Certificate Policy, Certification Practice Statement, or other Governing Document. These documents are available on our website, and you should consult them for the specific information required for the type of Digital Certificate you need.
For example, if you apply for a Digital Certificate directly on the IdenTrust website, you may be asked to provide items such as these:
- Full name
- Name of employer
- Business or personal email address
- Business or personal telephone number
- Social security or other national identity number
- Credit card number
Your social security or national identity number, if required, may be used to confirm identification, and your credit card number may be used both for identity validation and fee payment, but neither will be disclosed or used for any purpose not consistent with obtaining and using a Digital Certificate.
If you apply for a Digital Certificate through a Registration Authority, you may be asked to provide similar items of information. The Registration Authority will inform you of the exact items required. We do not obtain information about you other than the information collected by the Registration Authority and provided to us.
If you use our products and/or services through the IdenTrust Trust Network, the collection and use of your Personal Information may be subject to additional privacy policies or statements of one of the participating financial institutions who may serve as your Registration Authority. If you use products or services provided directly by IdenTrust, the collection and use of your Personal Information may be subject to additional provisions set forth in the applicable Governing Documents, including your subscriber agreement. These documents are available on our website pages. You should refer to such documents, as applicable, for further details.
Whenever you send us correspondence such as email and letters or sign up to receive newsletters or announcements, or when other users or third parties send us correspondence about your activities or postings on our websites, we may also collect and store such information for communication and customer assistance purposes.
2B. HOW WE USE YOUR PERSONAL INFORMATION
IdenTrust uses your Personal Information only for the purpose that such information is collected, as otherwise specifically authorized by you, and/or as described below.
Personal Information purposes
IdenTrust uses Personal Information for purposes related to Digital Certificates, including activities such as:
- Issuing or Processing Digital Certificates, including authenticating your identity, confirming your employment or organizational affiliation, responding to your inquiries, completing Digital Certificate-related transactions, and Processing payments.
- Revoking or suspending Digital Certificates, and publishing Certificate Revocation Lists to Relying Parties.
- Validating to Relying Parties that a Digital Certificate is current and accurate.
We also use your contact information to email you from time to time with information about our products and events, and with announcements about changes to our websites or our policies. You may opt out of such communications by contacting us at [email protected]. This will not affect the validity or status of your Digital Certificate.
If you obtained your Digital Certificate through a Registration Authority, we will not use your data to contact you directly for the purposes described in the paragraph above unless authorized by the Registration Authority to do so.
We do not sell or otherwise provide your data to any third party for their marketing purposes.
2C. HOW YOUR PERSONAL INFORMATION IS DISCLOSED
We may be required to disclose your personal information by law, by order of a court with suitable jurisdiction, by subpoena, or by request from other government or law enforcement authorities. We may also disclose it if, in our judgment, we have a good-faith belief that such disclosure is necessary or advisable. This includes the protection of your rights and property and the rights and property of others with whom we do business, or the resolution of a dispute related to your Personal Information.
If you obtained your Digital Certificate through a third-party Registration Authority as defined above, you should look to that organization’s privacy policies for information relating to the collection, use, and distribution of your Personal Information. We may disclose your Personal Information in accordance with the instructions of the organization that provided the applicable Subject Data to IdenTrust and which organization, with respect to given Subject Data, is the “controller” of the data and responsible for providing any notices, obtaining any authorizations, and affording any choices to individuals identified in Subject Data transferred according to such instructions.
Some Personal Information that we maintain may be shared on occasion with service providers such as validators, credit card processors, outside auditors, attorneys, consultants, and others we hire to assist in performing functions necessary to operate our business. If we make a disclosure of this type, the information recipient must agree to:
- View the Personal Information only on our premises and not remove it, except as necessary to provide the services to us;
- Use it only for the purposes that we have specified; and
- Return it to our designated employees, or destroy it as soon as the need for the Personal Information expires.
If IdenTrust transfers Subject Data to a subprocessor, IdenTrust contracts with the subprocessor so that the Subject Data receives adequate protection and so that use is limited to the necessary subprocessing function. We remain potentially liable if an agent that we engage to assist us does so in a manner inconsistent with the Data Privacy Framework.
2D. DATA PRIVACY FRAMEWORK
IdenTrust is committed to following robust privacy principles, including those underlying the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, and to the rights of EU, UK, and Swiss individuals.
The list maintained by the Department of Commerce of the United States of America and which identifies participants in the DPF program can be found at the following Internet address:
IdenTrust receives information exported by customers of IdenTrust from the UK, from European Union member countries, and from Switzerland. Some of the information so exported is Personal Data of IdenTrust employees and/or of end users of IdenTrust services.
At its facilities in the United States of America, IdenTrust receives Personal Data exported from the UK, European Union member countries, and Switzerland by financial institutions that are customers of IdenTrust, but such receipt occurs only as part of the following services of IdenTrust:
- Infrastructure services of IdenTrust provided to certain financial institutions that are customers of IdenTrust and that issue IdenTrust Trust Network-compliant Digital Certificates to end users that assert affiliation of the given end user with a business entity named in the Digital Certificate and which Digital Certificate is issued for use in connection with the business of such business entity; and
- Electronic bank account management infrastructure operations of IdenTrust provided to certain financial institutions that are customers of IdenTrust, which customers utilize such infrastructure operations to support their business banking services.
IdenTrust uses Subject Data only for purposes of Processing it for the institution that exported the Subject Data to IdenTrust. With respect to such use by IdenTrust, specifications for the use are determined in advance by contract with the institution exporting the Subject Data to IdenTrust. As between IdenTrust and institutions that export Subject Data to IdenTrust for Processing as described above in this Policy, the institution is the owner of the information and IdenTrust disclaims all ownership of such data.
2E. WHERE YOUR PERSONAL INFORMATION IS PROCESSED AND STORED
Your Personal Information held by IdenTrust is Processed and stored in the United States, in secure Data Processing sites and repositories in Utah and Colorado. The IdenTrust Data Processing facilities are available only to previously authorized IdenTrust employees, at least two of whom must be present when the Processing area is occupied. Sensitive information is encrypted both in transit and at rest in our databases. Backup and archived information is encrypted and kept in a highly secure storage site, in locked containers that do not reveal their specific contents or the IdenTrust name.
2F. HOW LONG YOUR PERSONAL INFORMATION IS KEPT
Your Personal Information is used for fulfillment of our contracts, for adherence to government regulations, and for the establishment, exercise, or defense of legal claims. It is retained only for as long as necessary for these purposes, as determined in the applicable Governing Documents, to perform the contracted services on behalf of our clients and end users, and to complete the purposes for which the Information has been acquired. It is available for Processing only for the length of time your Digital Certificate is valid. After that, it is archived in an encrypted state and stored in a secure site where it cannot be accessed except to fulfill the purposes listed in this policy, and only by authorized IdenTrust employees.
2G. USING YOUR DIGITAL CERTIFICATE
The purpose of issuing Digital Certificates requires disclosing certain information about the Digital Certificate holder to any person or organization that relies upon the Digital Certificate (a Relying Party). The information to be disclosed is contained within the Digital Certificate itself. Disclosure of the information is made at the Relying Party’s request using special online protocols that are part of email, browsers, and other computer applications. IdenTrust maintains lists, or repositories, of certificates and their statuses, and only the information contained in a Digital Certificate is available in a repository for disclosure, as described in the following paragraphs.
All information contained in a Digital Certificate, or in a revocation or suspension instruction, validation request, validation response, or certificate revocation list (collectively, "Credential Documents") is not considered confidential and can be viewed by others. A Relying Party may access, review, and rely on such Credential Documents; these activities are essential to the purpose and function of a Digital Certificate.
The information that may be included in the Credential Documents is defined by the applicable Governing Documents and may include such items as your name, Digital Certificate public key, email address, your organization's name, the Digital Certificate serial number, and/or the Digital Certificate expiration date. No information is provided to Relying Parties other than what is permitted to be included in the Digital Certificate, and no other Personal Information can be obtained by them through the Digital Certificate.
2H. HOW TO OBTAIN, CORRECT, OR UPDATE YOUR PERSONAL INFORMATION
We endeavor to ensure that your Personal Information is accurate and reliable for its intended or authorized use, and that it is complete and current. If the Personal Information you supplied should change, or if you should discover an error in that information, you can correct and update it.
If you obtained your Digital Certificate directly from IdenTrust through our websites, contact [email protected]. If you obtained your Digital Certificate through a Registration Authority or Registration Agent, you must contact that organization to have the changes made. IdenTrust cannot change Personal Information supplied to us by these organizations. If you are unsure who collected your Personal Information, you can email a copy of your Digital Certificate to [email protected] and we will direct you to the proper entity. Subject to the applicable requirements of the DPF and the GDPR relating to fees, IdenTrust reserves the right to charge a fee to the inquirer in connection with the inquiry, regardless of the results of the inquiry.
Regardless of who you contact, because of the nature of Digital Certificates, in some cases updating or correcting information will require the revocation and replacement of your Digital Certificate.
3. YOUR RIGHTS UNDER GDPR:
If the GDPR or other law applies with respect to your Personal Information, and if you obtained a Digital Certificate directly through the IdenTrust websites, we are happy to provide you with a copy of your Personal Information in our possession.
Your request for this information should be emailed to [email protected] and will be acted upon within 30 days of receipt. The following information is necessary for us to process your request:
- Your full name
- The email address you used for your Digital Certificate
- The physical address you used for your Digital Certificate
- The year in which you obtained your Digital Certificate (this is critical if your Digital Certificate has expired and we are retaining your Personal Information in our archives)
In addition, any of the following information may serve to speed up our response:
- Application ID number
- Account number
- Digital Certificate serial number
- Digital Certificate “fingerprint” or “thumbprint”
If you obtained your Digital Certificate through a Registration Authority or Registration Agent, you must contact them to obtain a copy of your Personal Information.
We can correct inaccurate data using the processes described above. We can also restrict further Processing of your Personal Information, in some cases by suspending your Digital Certificate. However, because of the nature of Digital Certificates, we are unable to erase Digital Certificate-related data, and we cannot transmit it to another Certificate Authority, since it is not technically feasible to do so and still enable the receiving organization to validate the integrity of the information.
4. DISPUTE RESOLUTION; BINDING ARBITRATION
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, IdenTrust commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States, Canada, and the UK. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/eu-us-data-privacy-framework to get more information or to file a complaint. The services of JAMS are provided at no cost to you.
In accordance with the DPF and subject to any applicable statutes and case law, it may be possible, under certain conditions, for an individual who is identified within Subject Data to invoke binding arbitration with respect to what the DPF identifies as “residual” claims; provided, however, IdenTrust only agrees to such arbitration where (a) such arbitration is required under the DPF, (b) such arbitration is subject to all conditions set forth in the DPF relating to such arbitration, and (c) the individual initiating such arbitration notices IdenTrust of the arbitration and follows the procedures specified in the DPF.
For purposes of communications relating to this Section, IdenTrust can be contacted at the following address:
With respect to IdenTrust’s Data Privacy Framework certification, IdenTrust reserves the right to assert all legal rights, privileges, defenses, and the like available to it under applicable law or regulation.
IdenTrust is subject to the investigatory and enforcement powers of the Federal Trade Commission of the United States of America, as well as any other agency of the federal government of the United States of America having such powers where such powers are applicable to IdenTrust under the federal laws of the United States of America.
6. HOW TO CONTACT US:
For Digital Certificate help and support:
Please email us at [email protected], or telephone us at the numbers listed on our websites.
For privacy-related questions:
Please email us at [email protected], and we will respond as soon as reasonably possible and within 30 days. Use this email address if:
- You believe your information is being processed or stored in violation of this policy or applicable laws and regulations; or
- You desire to obtain a copy of the Personal Information we possess, and you are covered by the GDPR or other applicable laws.
For questions related specifically to the Data Privacy Framework:
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, IdenTrust commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact IdenTrust at [email protected].