As a data security business, data privacy forms a core part of the Egress Software Technologies Group’s ethos and services – both in their design and delivery. Egress takes its obligations very seriously and recognises the importance of compliance both within its own business and those of its customers.
How does Egress document its compliance with data laws?
Egress has extensive internal policy documentation in place which describes its approach to its obligations under the data protection laws relevant to the jurisdictions in which it operates. These ensure that it is focussed on compliance by embedding data privacy and security behaviours within its day-to-day activities.
Egress also provides information to customers and users about its services to enable them to not only understand how the services are delivered to them, but also to provide them with the information they need to ensure that they are themselves able to meet their own obligations in respect of data privacy and transparency.
Egress understands that its customers and users trust it with the data that they upload, send and share using its services (what Egress refers to as “Content”). That is why it wants to make sure that they understand how this is protected.
Does Egress disclose data to third-parties?
Third-parties may be involved in the delivery of the services (see the section on Sub-processors and sub-contractors above).
Egress only discloses data where it is required to do so to respond to a lawful request. You can find out more about Egress’ approach to these requests at www.egress.com/legal.
If you use Prevent, we do not, and will not, use analysis of your users' behaviour to provide insight to others – sometimes called “cross-tenant insights”
How does Egress protect data?
Egress treats the data that it collects, stores and processes in providing its services as falling into 4 categories:
|Type of Data||Definition||How does Egress help to protect it?|
|Content||The files, data, text, audio, video, images and other materials that are transferred, stored, shared or hosted on or through the services, software or support by customers, users and recipients, including any personal data in it. It does not include CRM Information, Smart Data or System Data.||A high level overview of the measures Egress takes to protect the personal data in the Content can be found at www.egress.com/legal/technical-measures.|
|CRM information||The information that we retain on our customer relationship management databases relating to your business including (a) information about your corporate entity and the financial records of our relationship with you; (b) the Services, Software and Support that you subscribe to with us and our Group and (c) any marketing permissions, consents or preferences of you and/or your Users.||
Egress has a Supplier On-boarding process in place to ensure that appropriate compliance and regulatory checks are carried out and information received.
The Egress Information Security team conduct audits on its suppliers appropriate to the services that they provide.
|Smart Data||The record of individual user email behaviour and associations formed from the machine learning and artificial intelligence led processing, collection and analysis of email metadata (e.g. date and time, sender and recipient email addresses, package classification and other unique and non-unique message identifiers) and other domain, location and ‘trust’ data. This excludes CRM Information and System Data.||Smart Data is stored in infrastructure provided by Egress’ Cloud Hosting Supplier. Access to Smart Data is restricted with access controls including Multi-Factor Access (MFA) and perimeter network controls; aligned with our ISO27001 certificate and cloud security principles. All production environments undergo regular vulnerability scanning.|
|System Data||(i) Usage statistics, system logs, performance and security data, feedback data, records of support requests, and aggregated data about how Egress sites, services, software, support and apps are used (e.g. performance counters, access logs, metrics and associated metadata, unique identifiers for devices, technical information about the devices used, the network, operating system and browsers); and (ii) data identified as malicious (e.g. malware infections, cyberattacks, unsuccessful security incidents, or other threats). This may contain limited CRM Information where it appears, for example, in log records but excludes Smart Data.||System Data is stored in infrastructure provided by Egress’ Cloud Hosting Supplier. Access to System Data is restricted with access controls including Multi-Factor Access (MFA) and perimeter network controls; aligned with our ISO27001 certificate and cloud security principles. All production environments undergo regular vulnerability scanning.|
What certifications and standards does Egress adhere to?
Egress is ISO:27001 certified and assessed annually to ensure that it continues to adhere to this well recognised and respected standard.
Egress Software Technologies, Inc. certified its compliance with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks to the U.S. Department of Commerce and has been added to the Department’s List of self-certified Privacy Shield participants. Whilst these were declared invalid in August and September 2020, Egress remains fully committed to the principles of the Privacy Shield programme, the General Data Protection Regulation and to the protection of the personal data sent, stored and shared using its services. In recognition of this continued commitment, in October 2020 Egress self-certified with the International Privacy Verification programme (IPV). The IPV’s assessment criteria are aligned with those of the Privacy Shield and therefore by certifying with the IPV Egress is able to continue to demonstrate its compliance with the core Privacy Shield Principles in relation to the protection of personal data transferred outside of the UK and EU. Privacy regulations are constantly evolving and Egress remains alive to the fact that further developments in this area are likely.
Further details about Egress’ certifications can be found on its website at https://www.egress.com/security/certifications.
Is Egress an Controller or Processor of personal data/PII?
The companies within the Egress group perform both of these roles depending on the nature of the personal data/PII in question.
|Type of Data||Egress Group company’s role|
|Content||Processor or sub-Processor|
|Smart Data||Processor or sub-Processor|
Customers may themselves be an independent Controller, not a joint Controller with Egress, of certain information within these data sets
Where can I find key information about data privacy at Egress?
|Individual rights||www.egress.com/legal/your-rights||Sets out the rights that individuals have by law and how they can exercise them in respect of personal data/information that Egress is the Controller of|
|Sub-processors||www.egress.com/subcontractors||Sets out third-parties involved in the delivery of Egress’ services|
|Law enforcement disclosure requests||www.egress.com/legal||Describes Egress’ approach when it receives a disclosure request from a law enforcement agency|
|Deletion and retention||www.egress.com/legal||Outlines the retention policy applicable to the different types of data collected, stored and processed by Egress|
|Technical measures||www.egress.com/legal/technical-measures||Provides a summary of the technical measures that Egress takes to protect Content and its networks.|
|Certifications||www.egress.com/certifications||Details the third-party certifications and standards that Egress complies with and adheres to|
|Products||www.egress.com/solutions-menu||Information about Egress’ products, the security they offer and how they can help customers and users to meet their own data privacy and security obligations|
Does Egress use sub-processors and sub-contractors?
Yes. As is common with many software-as-a-service businesses, Egress uses certain specialist sub-processors (e.g. datacentre providers, support platform software providers), and other Egress group companies, in the delivery of its services. Non-Egress third-parties are subject to terms that comply with relevant data privacy legislation and ensure that any processing that they carry out is only for the purposes of providing their specialist services to Egress and its customers/users. They do not have any rights to use any personal data/PII for their own purposes.
You can find out more information about them on Egress’ website at www.egress.com/subcontractors where you can also sign up to receive email alerts if Egress makes changes to the sub-processors it uses.
How is data deleted and retained?
Egress’ data retention policy is available at www.egress.com/legal.
How are data subject rights respected?
Egress recognises that individuals across the globe may have certain rights provided with by law. Details on how Egress itself enables individuals to exercise these rights is set out at www.egress.com/legal/your-rights. Egress provides assistance to its customers in line with its legal obligations and passes on any relevant request to a customer that relates to personal data that Egress is not the Controller of.
Please remember, if data subjects/individuals seek to exercise rights in relation to personal data that forms part of your Content, Egress will pass these requests to you in your role as Controller of that personal data/PII.
Egress may also direct the data subject/individual to contact you directly in relation to their request. Egress may provide your basic contact information to enable them to do this.
The customer or user will need to respond to/action them appropriately and in accordance with relevant legal timescales.
Does Egress have a Data Processing Addendum?
Yes. It can be found at www.egress.com/legal.
Did Egress self-certify with the EU-U.S. Privacy Shield?
Yes. Egress Software Technologies, Inc. certified its compliance with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks to the U.S. Department of Commerce and has been added to the Department’s List of self-certified Privacy Shield participants.
In order to achieve this approval, the Egress Software Technologies Group’s data privacy documentation, policies and procedures were externally reviewed for their compliance with these frameworks which closely align to the requirements of the General Data Protection Regulation.
Whilst these were declared invalid in August and September 2020, Egress remains fully committed to the principles of the Privacy Shield programme, the General Data Protection Regulation and to the protection of the personal data sent, stored and shared using its services. In recognition of this continued commitment, in October 2020 Egress self-certified with the International Privacy Verification programme (IPV). The IPV’s assessment criteria are aligned with those of the Privacy Shield and therefore by certifying with the IPV Egress is able to continue to demonstrate its compliance with the core Privacy Shield Principles in relation to the protection of personal data transferred outside of the UK and EU. Privacy regulations are constantly evolving and Egress remains alive to the fact that further developments in this area are likely.
If data transfers to the United States or otherwise outside of the EU and/or UK are relevant to your use of Egress’ services, then Egress uses the EU Standard Contractual Clauses as a method of protecting such transfers. Please execute a copy of Egress’ DPA here www.egress.com/legal which contains them.