MetaAccess Privacy Policy

Last Update: 25 May 2018

Version: 2.0

Summary

This privacy policy explains what information OPSWAT, Inc. and all of its subsidiaries worldwide (referred to as “OPSWAT,” “we,” “us,” and “our”) gather about individuals who provide us with personal information. It outlines what we use that information for and who we give that information to. It also sets out your privacy rights in relation to your own personal information, and it tells you who to contact for more information about this policy.

In this privacy policy, your personal information is sometimes called “personal data.” We collectively refer to collecting, handling, using, protecting, or storing your personal information as “processing.”

Although you do not have to provide any of your personal information to us, if we ask you to do so and you refuse, we may be unable to provide you with the information, goods, or services you want from us.

IMPORTANT

Please do not provide us with your personal information unless we ask you for it.

Scope

We take data protection very seriously, and we are fully committed to protecting your personal information. This privacy policy describes how we handle the personal information we collect and process through MetaAccess.

It is our policy to collect only the minimum information required from you. If you believe that we have gone beyond that, please contact us to raise any concerns you may have. A list of contact methods is provided at the bottom of this privacy policy.

OPSWAT complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, which were designed by the US Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce, and with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR).

OPSWAT has certified that it adheres to the Privacy Shield. To learn more about Privacy Shield, please visit www.privacyshield.gov, and to view our certification, please visit https://www.privacyshield.gov/.

Personal information (personal data) is anything that enables you to be identified or makes you identifiable, including but not limited to:

  • First and last name

  • Email address, postal and IP addresses

  • Telephone numbers

  • National identification/social security and national insurance numbers

  • Job titles and occupation

  • Bank accounts

  • Any contact information

IMPORTANT

We only collect personal information through MetaAccess that we believe to be relevant and required to provide you with requested information and services and to conduct our business.

As you use MetaAccess, you may link to third-party sites not controlled by us and which do not operate under our privacy practices. When you link to third-party sites, our privacy practices no longer apply. We encourage you to review each third-party site's privacy policy before disclosing any personally identifiable information.

We do not intend to collect special category (also known as sensitive) personal information through our website(s) (unless we are legally required to do so). Examples of special category information are: race or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; genetic data; biometric data; sexual life or sexual orientation; and criminal records.

We ask that you do not provide us with special category personal information when using MetaAccess.

Cookies and similar technologies

With respect to your use of an Internet browser to interact with MetaAccess, you should be aware that, like many businesses with websites and cloud services, we may also use “cookies” to collect information. A cookie is a small data file that we transfer to your computer’s hard disk for record-keeping purposes. You can control our use of cookies with respect to your device by changing options in the Internet browser you use. We will display notices to you about cookies and prompt you to accept or reject a cookie from us. If you do not accept cookies, however, you may not be able to use all portions or features of MetaAccess. For more information about our use of cookies, please visit OPSWAT Cookies Policy.

Rights in relation to your information

You have the following rights regarding your Personal Data:

1 Right of Access.

You have the right to access your Personal Data that we hold about you, i.e. the right to require free of charge:

  • information on whether your Personal Data is retained,

  • access to duplicates of the Personal Data retained.

Upon your request, along with a duplicate of the data we retained, we will provide you with information related to: the purpose of the processing; the personal data we collect; the entities to which we transferred it; the time we keep your Personal Data, if possible, and the criteria we used to decide the period; your rights as a European Union citizen; the source of the data, unless the data was collected directly from you; and whether there is an automated decisional process.

You can exercise the right of access to your Personal Data through your account. You may also request what other information we may hold. One request is free of charge; for any other we may charge a reasonable fee. If the effort of identifying the data may be too much, or the request may infringe on other people's rights, we have the right to refuse it.

2 Right to Rectification.

When we process your Personal Data, we shall try to ensure that your Personal Data is accurate and up-to-date for the purposes for which it was collected. If your Personal Data is inaccurate or incomplete, you can change the information you provided by going to https://go.opswat.com/myuserright and following the steps as described.

3 Right to suspend the processing.

You have the right to request the termination of the processing with or without deletion of the data we have collected where one of the following applies:

  • the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

  • the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

  • the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

  • the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

4 Right to data portability.

You have the right to receive the Personal Data concerning you in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from us.

5 Right to delete.

You have the right to obtain deletion by us of Personal Data concerning you by deleting your User Account or by going to https://go.opswat.com/myuserright and following the steps as described.

As a result of deleting your User Account, you will lose access to services provided to you by MetaAccess.

We allow you to restore your User Account during a grace period of 30 (thirty) days from the moment you request deletion of your User Account. This functionality allows you not to lose your account by mistake, because of your loss of your account credentials or due to hacking. During the suspension period, we will be able to finalize financial and other activities that you may have initiated before sending the User Account deletion request. After the grace period, Personal Data associated with your account will be deleted.

In some cases, deletion of your User Account, and therefore Personal Data deletion, is complicated. Namely, if your account has a business relationship with us, you will only be able to delete your User Account after you have dissolved the business relationship. In some cases, considering the complexity and number of the requests, the period for Personal Data erasure may be extended, but for no longer than two further months.

6 Right to Object.

When our processing of your Personal Data is based on legitimate interests according to Article 6(1)(f) of the GDPR, you have the right to object to this processing. If you object we will no longer process your Personal Data unless there are compelling and prevailing legitimate grounds for the processing as described in Article 21 of the GDPR; in particular if the data is necessary for the establishment, exercise or defence of legal requirements.

You also have the right to lodge a complaint at a supervisory authority.

Contact Information:

Our lead supervisory authority is the Romanian Data Protection Agency which may be contacted at:

Autorității Naționale de Supraveghere a Datelor cu Caracter Personal

B-dul G-ral. Gheorghe Magheru 28-30, sector 1, 010336, București,

anspdcp@dataprotection.ro,

Phones: +40.318.059.211, +40.318.059.212

www.dataprotection.ro

You can also contact our data protection officer at the address below. Our European representative for data protection questions is:

Opswat Romania SRL

Timișoara, România

If you would like to exercise these rights or determine what, if any, personal information we have about you, please go to https://go.opswat.com/myuserright and follow the steps as described.

Automated decision making

We will not use your personal information for automated decision making or profiling.

Children

We understand the importance of protecting children's privacy and we never knowingly collect personal information about individuals under the age of 16. We adhere to laws regarding marketing to children.

IMPORTANT

If you are under 16 years of age, we ask that you do not use MetaAccess.

Data We Collect / How We Use Your Data / Sharing of Your Data With Service Providers / Your Choices / Data Retention Policies With Respect To MetaAccess

If you create an account:

Data We Collect:

  • First name

  • Last name

  • Password

  • Email address

  • Company name

  • Files you upload unless you use the private scanning API

How We Use Your Data:

  • Validate that you are human and not a robot when you create an account

  • Authenticate your secure access to your account when you log in

  • Associate your requests for support with your account

Your Choices:

Refer to User Rights section for your choices with respect to:

  • Deleting your account

  • Restricting our use of your data

  • Correcting or updating data in your account

  • Accessing your data

  • Restricting access to your account (or later restoring access)

  • Obtaining a new password if you forget your current password

Service Providers With Which We Share Data:

  • Amazon AWS, which powers MetaAccess and the file upload, analysis, and storage functions of MetaDefender Cloud

  • Zendesk, which provides the platform through which you submit requests for support and we respond to your support requests

  • Contractors to troubleshoot issues with MetaAccess and MetaDefender Cloud uptime, performance, and stability

Retention Policy:

If your account remains inactive for 6 months, we will deactivate it. Unless you ask us to reactivate it, after another 6 months following deactivation, we will delete your account.

If your device is monitored by an administrator:

Data We Collect

How We Use Your Data

Your Choices

Service Providers With Which We Share Your Data

Retention Policy

Cloud app user info

  • Application user id

  • To provide the administrator with the capability to audit which user is logging in

This is disabled by default. Your administrator can enable it to allow MetaAccess to record your user ID when you access an application.

  • Amazon AWS: Provides the systems we use to store and process this information

Configurable based on your choice if you have a commercial subscription.

By default data is retained for 30 days.

Device information

  • Hostname

  • Mobile device name

  • Device serial number

  • Network adapter info such as DNS and media state

  • Local IP address

  • MAC address

  • Active Directory information such as AD domain and OU/Group name

  • To identify your device(s) associated with your administrator's account

  • To provide your administrator with a way to locate those devices associated with his or her account

You or your administrator can uninstall the MetaAccess agent from your device. Please note that uninstalling the MetaAccess agent may violate your company's security policy resulting in your device being blocked from company assets which use MetaAccess to perform a security compliance check.

  • Amazon AWS: Provides the systems we use to store and process this information

  • Zendesk: Provides the system we use to interact with you concerning your support inquiries and to troubleshoot any specific error reported within a device

System and application Information

  • OS information such as OS name and language

  • Missing patches

  • Lock screen timeout

  • Hard disk information

  • Installed products (or packages) information

  • Running processes

  • Logged-in user name

  • To determine if each device associated with your administrator's account is compliant with the security policy that your administrator set

You or your administrator can uninstall the MetaAccess agent from your device. Please note that uninstalling the MetaAccess agent may violate your company's security policy resulting in your device being blocked from company assets which use MetaAccess to perform a security compliance check.

Anti-malware log

  • File path and file signature

  • Threat name

  • Anti-malware product name

  • To determine if your device is compliant with the security policy your administrator set

You or your administrator can uninstall the MetaAccess agent from your device. Please note that uninstalling the MetaAccess agent may violate your company's security policy resulting in your device being blocked from company assets which use MetaAccess to perform a security compliance check.

Devices in the network

  • All devices connected to a network segment

  • To discover devices in the network, including those which are not running the MetaAccess agent

This is disabled by default. Your administrator can enable the "discovery device" function from their MetaAccess console.

Custom check information

  • Undefined information which the administrator collects from the device using scripts

  • To provide your administrator with customized information to be used for the purpose your administrator has determined

This is disabled by default. Your administrator can decide not to allow scripts to run on devices running the MetaAccess agent.

User entered information

  • Undefined information which end-users will input

  • To provide your administrator with a way of prompting you to input information requested by your administrator

This feature is disabled by default. You can decide not to enter information even after your administrator enables this feature, though doing so may violate your company's security policy.

MetaAccess agent crash dump and logs

  • Any process information above

  • To provide your administrator with a method to fetch logs from your devices running the MetaAccess agent.

  • To provide your administrator or OPSWAT support representatives with a method to troubleshoot issues reported by your devices running the MetaAccess agent.

You or your administrator can uninstall the MetaAccess agent from your device. Please note that uninstalling the MetaAccess agent may violate your company's security policy resulting in your device being blocked from company assets which use MetaAccess to perform a security compliance check.

  • Microsoft Office 365: Email with app log file from mobile phone for troubleshooting errors

Mobile device status

  • Connected IP addresses

  • Rooted or jail-broken state

  • OS information

  • Encryption state

  • Lost and Found enable state

  • Ad tracking enable state

  • Hardware specification such as CPU and storage

  • Installed apps and application binary

  • To determine if your device is compliant with the security policy set by your administrator.

You or your administrator can uninstall the MetaAccess agent from your device. Please note that uninstalling the MetaAccess agent may violate your company's security policy resulting in your device being blocked from company assets which use MetaAccess to perform a security compliance check.

  • Amazon AWS: Provides the systems we use to store and process this information

  • Zendesk: Provides the system we use to interact with you concerning your support inquiries and to troubleshoot any specific error reported within a device

Mobile device installed app

  • App file signature

  • App binary itself

  • To analyze apps installed on your mobile device by multiple anti-malware engines to determine if one or more engines report any installed app as "malicious"

You can control this feature by starting "Applications scan" from the MetaAccess app menu on your mobile device, provided the MetaAccess app is installed on your device.

NOTE: The following data is collected, but it is de-identified and stored separately (so-called pseudonymised data).

Data We Collect

How We Use Your Data

Your Choices

Service Providers with Which We Share Your Data

Data Retention Policy

Running processes

  • file signature of process

  • file signature of loaded modules

  • file properties such as version and descriptions

  • digital signature info

  • Running processes and their network connections

  • network connectivity: IP addresses and domain names

  • Information about the application to which the process belongs

To determine whether the behavior of running processes on your device is safe or malicious (in other words, to assess whether your device has been compromised by malware).

Software vendors which embed OESIS SDK into their applications have the option to enable this data submission process. By default this submission feature is disabled. Either your software vendor embedding OESIS SDK will make a specific API call to enable data submission, or you (as an end user) specifically click the data submission button in our free OESIS Endpoint Assessment application to trigger the submission process.

Amazon AWS provides us with the systems that analyze running process information and store the results of the analysis.

30 days

High level OS / Device information

  • Operating system name

  • Service pack version

  • Computer type (e.g., laptop)

  • OS language

OS information is for classifying the relative distribution or concentration of operating systems and versions across all data which is submitted to us.

Network information is for classifying the relative distribution or concentration of various network adapters as well as the distribution or concentration of WiFi vs. Ethernet connections across all data which is submitted to us.

Application List

  • product name and product version

  • vendor name

To identify endpoint security products besides antimalware (such as personal firewalls and disk encryption) installed on your device and determine whether your device is running the latest version made available by its vendor.

Antimalware Product

  • antimalware definition info

To specifically identify antimalware product(s) installed on your device and whether such product(s) have their real time protection feature enabled, whether their definition database is up-to-date and the last time the product(s) scanned the device for malware infection.

Installed System Driver

  • driver information such as name and status

To determine whether the OPSWAT driver made available to software vendors for embedding in their application is able to function correctly based on other drivers already installed on your device.

OESIS Framework Account Token

If you are a software vendor embedding OESIS SDK and enabling the data submission process, this token identifies your company as an authorized user of the data submission process.

The third-party service providers identified above may use their own third-party subcontractors who have access to personal data (sub-processors). It is our policy to use only third-party providers that are bound to maintain appropriate levels of security and confidentiality, to process personal information only as instructed by us, and to flow those same obligations down to their sub-processors.

IMPORTANT

We do not collect personally identifying information for sale to third parties.

Other disclosures

OPSWAT may disclose personal information to third parties under the following circumstances:

  • When explicitly requested by you

  • As otherwise set out in this MetaAccess Privacy Policy

We may also disclose your personal information to law enforcement, regulatory and other government agencies, and to professional bodies and other third parties as required by and/or in accordance with applicable laws or regulations. This includes disclosures outside the country where you are located.

Finally, we will disclose personal information if required in urgent circumstances, to protect the personal safety of individuals or the general public, or to maintain the uptime or stability of MetaAccess.

Security of personal information

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing your personal information, we have implemented technical and organizational measures to ensure a level of security appropriate to the risk of unauthorized or unlawful processing of personal data. These measures also help us guard against accidental loss, destruction of, or damage to personal data.

Only authorized persons are provided access to the personally identifiable information we have collected, and such individuals have agreed to maintain the confidentiality of this information.

We safeguard the security of the personal information provided to us with physical, electronic, and managerial procedures. Inside OPSWAT, data is stored in secure and controlled servers with limited access.

Where we share your personal information with third-party providers, they may use subcontractors that have access to your personal data (sub-processors). It is our policy to use only third-party providers that are bound to maintain appropriate levels of security and confidentiality, to process personal information only as instructed by us, and to flow those same obligations down to their sub-processors.

Note that your information may be stored and processed in the United States or any other country where OPSWAT, its subsidiaries, or service providers are located.

IMPORTANT

While we strive to protect personal data, we cannot guarantee the security of the personal information provided to us. Although we use appropriate security measures, once we have received your personal information, the transmission of data over the Internet (including via email) is never completely secure. We urge you to protect your personal information when using the Internet by, for example, changing passwords often, using a combination of letters, numbers, and special characters (for example, % and $ and +), and making sure to use a secure browser.

Data retention

If you create an account to use services associated with MetaAccess, we will retain your personal information while the account you’ve created remains active. We will also retain your information for as long as we have a legitimate business purpose to do so, and thereafter, for no longer than is required or permitted by law. This includes data you or others have provided to us, as well as data generated or inferred from your use of MetaAccess.

MetaAccess privacy policy updates

Our privacy policy may be updated from time to time, and we will notify you of any material changes by posting the new policy at MetaAccess privacy policy and revising the “Effective starting” date at the top of the policy.

Contacting OPSWAT and Privacy Shield dispute resolution

In compliance with the Privacy Shield Principles, OPSWAT, Inc. commits to resolve complaints about our collection, use, or sharing of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact OPSWAT, Inc. by either going to https://go.opswat.com/myuserright or sending postal mail to: OPSWAT, P.O. Box 77878, San Francisco, CA, 94103.

OPSWAT, Inc. has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit https://www.jamsadr.com/ or https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS are provided at no cost to you.

Further, OPSWAT, Inc. is subject to the investigatory and enforcement powers of the United States Federal Trade Commission (FTC).

And importantly, OPSWAT remains responsible for any onward transfer of your personal information to third parties including, for example, third parties performing external processing of your personal information on our behalf, as identified in the “Sharing of Your Data with Service Providers” section.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily by any of the above described methods, please contact:

In the UK: The Information Commissioner's Office (ICO). The ICO can be contacted by the following means:

  • Form: www.ico.org.uk/global/contact-us/email/

  • Telephone: 0303 123 1113 (local rate – calls to this number cost the same as calls to 01 or 02 numbers).

  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

In Romania: The National Supervisory Authority for Personal Data Processing of Romania (http://www.dataprotection.ro/)

In Switzerland: The Swiss Federal Data Protection and Information Commissioner (https://www.edoeb.admin.ch/edoeb/en/home/the-fdpic/task.html).

IMPORTANT

Under certain conditions, more fully described on the Privacy Shield website, https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.