Service Privacy Policy

How your personal data is collected

From you when you

• subscribe to our services
• log into or use your Egress account
• fill out forms on our website or apps
• use our website, apps and services
• communicate with those who use our services (see more on that below)
• contact us
• take part in our competitions and promotions
• attend webinars (we may record our webinars and keep a record of attendees)
• communicate by email with our customers

From other parties such as

• companies or individuals that introduce you to us (like our partners)
• credit reference agencies
• third-party data providers who we purchase information from
• publicly accessible records
• government and law enforcement agencies
• Microsoft where, if you use our add ins, you grant us permission to access each email you send or receive in order to encrypt or decrypt it (if you use Protect), process Smart Data (if you use Prevent) and/or Threat Data (if you use Defend)
• Open Source Intelligence (OSINT) providers such as HaveIBeenPwned

From other parties who

• use our services
• fill out forms on our website or apps and provide personal data about you
• contact us and provide personal data about you
• fill out forms on websites or webforms that we host on behalf of one of our customers
• deliver other services to you and who you choose to integrate with our adaptive risk scoring service within the Egress Security Centre

From cookies

You can find out more about the cookies on we use on our website in our Cookie Policy.  For information about cookies that we use to deliver our services, check out our Product Cookie Policy.  Some web browsers may transmit “do-not-track” signals to the websites and online services you communicate with. Whilst there is no industry standard that governs what, if anything, we should do if we receive such a signal, our website will not set cookies if your browser is set to ‘do-not-track’.

IP addresses

When you visit our website, apps or use our services we record your IP address.  This may be kept in log files or matched against public or proprietary databases to provide us with information about your visit. It may identify the organisation to whom the IP address is registered (and in some cases enable us to identify you).

Remember, if you communicate with us and with organisations that use our services

Your emails and their associated metadata will be routinely monitored to protect against outbound risk (such as misaddressed emails), inbound risk (such as phishing) and to improve the accuracy of the guidance provided by our services. This monitoring may include the processing of certain information about you (e.g. the strength of your association with the sender/recipient, and the trustworthiness of your domain).

Lastly, you may provide us with information about other people….

This could be Content which belongs to another person.  You must make sure you have the rights and permission to do so.  By providing it, or sending it via, or uploading it to, our services, you confirm that you do.

How we use your personal data

We use the data that we collect for a few reasons, examples of which are given below.

Managing our relationship with you and/or your organisation

• communicating with you
• retaining appropriate financial and business records
• contacting you in relation to potential sales opportunities, and to understand you and/or your organisation better
• creating reports or profiles for marketing and analytics purposes
• contacting you and any relevant regulator in the event of a data breach where required to do so

Delivering our services

• providing our service access and support to you including
  • providing reporting analytics and risk insights about your organization
  • providing guidance on our services
• responding to, and resolving, complaints, queries, requests and support tickets
• ensuring our services are working properly
• pro-active maintenance and investigations
• alerting you to issues or updates to the services you subscribe to

Meeting our contractual obligations or rights

• managing payments between us
• meeting and performing our audit obligations
• recovering money owed to us or our group companies
• responding to requests made by you in relation to your information
• exercising our rights under our contract with you or applicable law

Legal and regulatory risk management

• detecting and preventing crime
• security and operations management
• managing risk for us, our group and our customers and users
• complying with our and our group’s legal obligations
• keeping records accurate and up-to-date
• running our business in an efficient and proper way

Innovation and service  improvement

• identifying new features, functionality and ways to meet customer and user needs
• studying how customers and users use our websites, apps and services
• creating anonymous reports and statistics
• creating anonymous data sets
• using Threat Data and System Data to improve, update and modify the service (including any block/allow lists, threat analysis, reports and records)

If you subscribe to our Prevent service, we do not use analysis of your behaviour (or, you are a business, your users' behaviour) to provide insight to other organisations and users (this is sometimes called ’cross-tenant insights’)

Marketing and promotion 

• enabling you to participate in competitions and promotions
• developing and carrying out marketing activities

How we process personal data lawfully

This table shows the main basis we rely on to process personal data. Sometimes there may be a secondary basis for the same type of processing (like keeping a financial transaction and then sharing it with authorities). If we share personal data, we only do so after careful consideration of whether it is necessary and lawful to do so.  We will only share information where we have a contract with the receiving party which requires them to keep the information just as secure as if we store it, or where we are legally required to make the disclosure.

How we use automated decision-making

Some of our services make use of machine learning.  These services always involve some kind of meaningful human interaction during the processing activity. This means that if a particular risk is identified, or action is carried out, it has been done so by confirmation of a person after being alerted. That person may be yourself or a member your organisation’s administrative or security teams setting an allow/deny list.  Where we have verified a particular as a verified risk (such as a malware/ransomware email), then it may be automatically blocked. In these scenarios an administrator can always unblock any potential ‘false-positive’ restriction.

Risk scoring uses profiling of a customer organization’s emails using a number of sources. The scoring is adaptive using the best available information at any given time.  Customers that choose to integrate with additional third party sources will have an enriched score. This means that by combining public sources of verified data, the accuracy of risk scoring increases. This information is presented to customers so they can make informed risk-based decisions. This might include an admin team choosing to set policy-led decisions being set to automatically apply. For example, an email with certain keywords may have encryption enforced.

Who we may share your personal data with

Sub-Processors

You can find details on our Sub-Processors here. These third-parties provide key services to us that enable us to deliver our services to you or to run our own business operations. They are only authorised to use your personal data where this is necessary to provide the services to us that we request from them, and we have contracts in place with them that require them to comply with applicable law.

Examples of where they are involved include where they provide:

• hosting platforms (such as Microsoft Azure and Amazon Web Services) which we use to host our services
• Customer relationship management platforms
• Ticketing, online chat, out-of-hours support calls and other support service platforms that we use to provide our support services to you
• Multi-factor authentication services
• Mail relay delivery services
• Webinar, conference calls and remote access services
• Digital marketing platforms used to send out marketing communications
• Online editors (such as Microsoft Office Online) embedded in some of our products

Where personal data is transferred outside of the country or region that you are located in, we will ensure that it is subject to appropriate legal and technical safeguards as required by local law.

Law enforcement requests

We reserve the right to disclose personal data to comply with laws and legal or regulatory demands which apply to us, our group or our services. You can find out more on our approach here.

Online purchases

If you purchase a paid-for subscription to our services through our website, then limited personal data about you and your purchase will be shared with relevant payment service providers.  Personal data may be used by those providers in accordance with their own privacy policies and terms to complete your purchase, manage your relationship and any future renewal, and to comply with applicable law.

Transfer of rights

We and our group companies reserve the right to transfer obligations, rights and permissions to any organisation to which we or they may transfer business or assets.  This includes if a third-party is exploring investing in or purchasing us (or a relevant part of our group or assets).

Other important things to know

Data Privacy Framework

We participate in the EU-U.S. and Swiss-U.S. Data Privacy Frameworks (DPF) and have self-certified to the U.S. Department of Commerce our adherence to the Principles for all personal information received from countries in the European Economic Area, Switzerland, and the United Kingdom in reliance on the DPF. To learn more about the DPF, visit the website at Program Overview (dataprivacyframework.gov). If there is any conflict between the terms in this Privacy Policy and the DPF Principles, the Principles shall apply where it enables stronger protections.

Under the Data Privacy Framework, we are responsible for the processing of personal information we receive and subsequently transfer to a third party acting for or on our behalf. We are liable for ensuring that the third parties we engage support our DPF commitments. The U.S. Federal Trade Commission has regulatory enforcement authority over our processing of personal information received or transferred pursuant to Data Privacy Framework. We commit to cooperate and comply with the advice of the regulatory authorities to whom you may raise a concern about our processing of personal information about you pursuant to Data Privacy Framework, including to the panel established by the EU authorities and the Swiss FDPIC. This is provided at no cost to you.

If you do not feel that we have resolved your complaint or concern satisfactorily you can contact our U.S. based third-party dispute provider (free or charge) at https://https://www.privacytrust.com/drs/open. Under certain conditions, more fully described on the Data Privacy Framework website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

Complaints

If you have a complaint relating to our services you can raise it by emailing us or by calling +1-800-732-0746 (if you are in North America) or +44 (0) 20 3973 1333 (for anywhere else).   Please note calls may be recorded and/or monitored for quality assurance and compliance purposes. Call recordings are stored in the United Kingdom.

If your complaint relates specifically to the processing of your personal information, please email us here. 

You may also have the right to make a complaint at any time to a Supervisory Authority (such as the Information Commissioner's Office (ICO) in the UK).  We would, however, appreciate the chance to deal with your concerns before you approach a regulator so please contact us in the first instance.

You can find our detailed Complaints Policy at www.egress.com/legal.

About us

We are Egress Software Technologies Limited, for and on behalf of ourself and our group of companies.  You can find out more details about us at www.egress.com/about and you can contact us at info@egress.com. When contacting us we strongly recommend you do not email us confidential or personal information. If you do, it is at your own risk although the terms of this policy will apply to our use of that information.