Privacy Policy for SecTeer Personal CARMA

This page is obsolete, please see:

https://secteer.com/privacy-policy-for-secteer-vulndetect/

The SecTeer Personal CARMA was discontinued and replaced by the SecTeer VulnDetect.


This policy describes the type of information gathered and processed by SecTeer.

Creating an account and installing SecTeer software implies acceptance of this Privacy Policy. Links to this privacy policy are provided at account creation, on the website, and in the user interfaces.

Active accounts will be notified in case significant changes are made to the privacy policy.

This Policy was last updated on 25 May 2018.

Text with strikethrough means that it has not yet been implemented, but is planned. Contact support if in doubt.

Who is SecTeer

SecTeer is a privately held limited company, incorporated in Denmark.

SecTeer ApS
Njalsgade 76, 3.
DK2300 Copenhagen S
Denmark

Company / VAT number: DK38330462
Phone: +45 70707759
Email: contact [at] secteer.com
Management / Director: Michael Zaman
Privacy Officer: Thomas Kristensen

If you feel that something needs to be clarified, then you are most welcome to write to SecTeer via support [at] secteer.com.

Data collected

SecTeer will collect the following information for CARMA consumer accounts:

  • Name (optional)
  • Email / Username (mandatory)
  • Password (mandatory)
  • Other personal information is not required to use the product, but you may be encouraged to supply this
  • IP addresses used to log in and submit data

The SecTeer CARMA products will collect the following information from your PC or device:

  • Program file names (NOT data files)
  • Meta data of program files, including, but not limited to size, version information, date, hashes, digital signatures, and other header / meta information
  • Directory structure, i.e. the location of program files
  • Registry information related to installed software
  • Hostname or other unique identifier, to ensure correct correlation in reporting

SecTeer products will not intentionally collect data from non-program files. Should such data be collected by accident, it will be removed as soon as possible.

Potential personal information obtained from folder names, e.g. user names from “C:\users\<user name>\” will be removed or replaced by a non-reversible placeholder after the initial processing.
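One way such a replacement can be done, shown as an added example that is not SecTeer's own code: the user name in a profile path is swapped for a keyed placeholder whose key exists only for one scan. The class name, the placeholder format, the list of built-in profile folders and the sample paths are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Assumption: built-in Windows profile folders that carry no personal data.
BUILTIN_PROFILES = {"public", "default", "default user", "all users"}

# Matches the profile folder name after <drive>:\Users\ (either slash, any case).
_PROFILE_RE = re.compile(r"(?i)^([a-z]:[\\/]users[\\/])([^\\/]+)")


class PathScrubber:
    """Replaces user names in profile paths with a keyed, per-scan placeholder."""

    def __init__(self):
        # Random key held only in memory for one scan: once it is discarded,
        # the placeholder cannot be recomputed from a guessed user name.
        self._key = secrets.token_bytes(32)

    def placeholder(self, user_name):
        digest = hmac.new(self._key, user_name.lower().encode("utf-8"),
                          hashlib.sha256).hexdigest()
        return "<user-" + digest[:12] + ">"

    def scrub(self, path):
        def _swap(match):
            name = match.group(2)
            if name.lower() in BUILTIN_PROFILES:
                return match.group(0)  # nothing personal to remove
            return match.group(1) + self.placeholder(name)
        return _PROFILE_RE.sub(_swap, path)


# Constructed sample paths, not taken from any real scan.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Programs\app\app.exe",
    r"c:/users/ALICE/Downloads/setup.exe",
    r"C:\Users\Public\Tools\tool.exe",
    r"C:\Program Files\Vendor\vendor.exe",
]


def scrub_samples():
    scrubber = PathScrubber()
    return [scrubber.scrub(p) for p in SAMPLE_PATHS]


if __name__ == "__main__":
    for line in scrub_samples():
        print(line)
```

Within one scan the same user always maps to the same placeholder, so files under one profile still correlate in a report, while a plain unkeyed hash of the name would be guessable from a list of common user names.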

Users can configure CARMA to ignore specific parts of the directory structure, if they find this to be a concern. SecTeer encourages programmers and developers to exclude their own programs, to avoid false positives and negatives.

Your access to your data

You can view all processed data stored by SecTeer via the user interface. Most data can be extracted via reports.

Raw non-personal data

SecTeer does not offer a specific option to download the data in a raw format, as our format is considered proprietary and incompatible with other solutions.

SecTeer will store the raw file data in a separate database for statistical, analytical and quality assurance purposes. This data is purely non-personal meta data based on executable and executable library files and registry information about installed programs, as well as certain hardware and driver information.

This data is associated (pseudonymised) with your account via a unique random string. You may delete this association by generating a new random identifier string, and you may also choose to anonymise or delete this data automatically. This will, however, prevent SecTeer from reassessing your historic scan data, in case we update historical rules. For most users this may be irrelevant and generating a new random string would have no adverse effect. However, for business customers who want a more thorough insight into their historical performance, it may not be advisable to delete the association.

If SecTeer finds any personal data in the raw file data, then it will be deleted without undue delay, and automated processes will ensure that such data will be removed from subsequent scans.

Erasure and right to be forgotten

All private CARMA users can delete their account via the user interface.

Deleting an account is effective immediately and is irrevocable.

Backup data will be retained for 8 days, before it is automatically purged and overwritten. SecTeer will NOT restore this data, even upon direct request from the account owner.

The raw file data will be completely anonymised, as the unique pseudonymised string will be deleted together with the user data. You may also request to have this data deleted. However, this must be done before the account is deleted; after the account is deleted, we will not be able to identify who the owner of the data was.

Inactive accounts will be automatically deleted after 12 months. You will receive a notification via email 3 months and 1 month prior to the automated deletion.

Rectification

If you find any data stored by SecTeer to be inaccurate, then you can update the information through the user interface.

If you believe there is wrong information based on your inspection results, then you are most welcome to file a support case. This may be done by providing feedback through the console or by sending an email to support [at] secteer.com. However, this is not considered rectifiable data under the GDPR and will only be updated at SecTeer's discretion.

Jurisdiction

SecTeer is based in Denmark which is a member of the European Union.

Our data policies are aligned with the European GDPR.

All data is stored at data center facilities in Ireland, Germany and Denmark.

SecTeer intends to abide by European data protection laws at any given time and will adapt to future changes.

Data at rest

All user data is stored on encrypted disks.

Offline data, i.e. backups, are encrypted before leaving active storage and are transmitted using encrypted communication to a device that is also encrypted.

Access to storage and encryption keys is restricted to a few trusted members of staff.

Backups with personally identifiable information are only retained for 8 days.

Log data is stored on active systems for 30 days and is further retained in non-active backup archives for 3 months.

Data pertaining to orders, email communication, and support cases will be retained for longer periods. Information relevant for accounting and tax will be archived for approx. 5 years to comply with applicable Danish law.

Third-party access to data

SecTeer does not share data with any third parties, unless explicitly stated prior to or during collection.

SecTeer will honour court orders issued by a Danish Court. If we receive court orders from other jurisdictions we will consult legal counsel to assess if we need to comply.

SecTeer utilises third-party data processors, all of whom comply with GDPR like SecTeer. When possible, we will store and process data in the EU. In case we can’t control the geographic location of data, we will choose a provider who is GDPR and / or EU-US Privacy Shield compliant.

Third Party processors used by SecTeer:

Amazon AWS: Our services and live data are hosted on Amazon AWS in Europe:
https://aws.amazon.com/compliance/eu-data-protection/

MongoDB Cloud Services: Your raw scan data is temporarily stored on a Mongo instance managed by MongoDB Cloud Services and hosted at Amazon AWS in Europe:
https://www.mongodb.com/cloud/compliance

Microsoft: We utilise Microsoft Office 365 for email:
https://www.microsoft.com/en-us/TrustCenter/CloudServices/office365/GDPR

ZOHO CRM: Our CRM and support systems are based on ZOHO:
https://www.zoho.eu/gdpr.html

The above list will be updated when more processors are added or if we change processors who hold sensitive information.

Cookies, logging and tracking

SecTeer also analyses user behaviour, both on our website and in the SecTeer CARMA application. This is done via cookies and logging.

Cookies are also used for identifying authenticated users in the SecTeer CARMA application.

SecTeer does not currently set any cookies on behalf of third-parties.

Disabling cookies may alter the user experience and prevent usage of the SecTeer CARMA application.

You may, however, choose to delete cookies after each visit / usage of the application. The only consequence of this is that you will be prompted for authentication details on every visit.

SecTeer logs access to all sites and services. The only identifiable information in the log files is an IP address and a pseudonymised part of an authentication token (when you access a service that requires authentication). This is used for statistical, analytical, forensic, and troubleshooting purposes only. These logs are not correlated to customer data in automated ways.

SecTeer does not currently utilise a cloud-based web analytics tool. However, we reserve the right to implement a cloud-based analytics tool, if we find one that honours our users' and customers' right to privacy (i.e. doesn’t share data with ad networks and similar).

Logs may be retained for extended periods of time, in case we suspect an incident. Logs can’t be used to recreate personally identifiable information, except for IP addresses and account / agent tokens.

If a user deletes the profile, then all data that exists (i.e. agent tokens) which can correlate the user with any other personal data is deleted.

Log files are archived for 3-4 months and will be reviewed and analysed in case of a suspected incident as part of our security incident response process. These archives will only be accessed in case of legal issues or for forensic purposes.

Security and Encryption

Data transfer

All data transmitted to and from SecTeer services is encrypted. We follow best practices for implementing HTTPS and TLS on our services and prevent access to our services using low grade encryption.

HTTP access is automatically redirected to HTTPS. Our HTTP service does not provide access to anything, except the redirection.

Certificates

All certificates used by SecTeer are issued by Amazon, LetsEncrypt, and GlobalSign. Amazon is used for the SecTeer Personal CARMA. LetsEncrypt is used for the website and secondary services including VulnDetect and some staging environments. GlobalSign is used for signing our executables and installers.

Our binary code is signed using a certificate from DigiCert. The certificate currently used is issued to SecTeer ApS and is valid from 23/03/2018 to 28/03/2019. It has serial number: 08b9eef742de8863f6f45dddc5e2e253

If a certificate claiming to be issued for any *.secteer.com site is signed by another party, you shouldn’t trust it. This page and our CAA NS record will be updated, in case we decide to change provider.

SecTeer also utilises CAA, HSTS and CT.

Domain names

SecTeer operates exclusively from:

*.secteer.com

We do own other domains, but these are not actively used.

However, we do sponsor the VulnDetect forum, which is used for support for the free SecTeer Personal CARMA:

https://vulndetect.com/

Passwords

All usernames and passwords are hashed BEFORE being sent to SecTeer. This prevents SecTeer from actually knowing your password.

When the hashed username and password are received by SecTeer, they will be hashed again and subsequently used to look up and authenticate the appropriate account.

NOTE: The above process does not make your account more secure. It does, however, prevent SecTeer from knowing your actual password and it does make brute force attempts on your account significantly slower.

Regardless of this, we always recommend that you use individual passwords for all online services.

You should also note that the “agent” which is installed on your machine does not know your password. Instead it uses a token for authentication. This token is a “submit data only” token, thus it can’t be used to read your data; only your username and password can do that.
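The two hashing steps described in this section, sketched as an added example that is not SecTeer's implementation. The policy names no algorithm, so PBKDF2 on the client, HMAC-SHA-256 with a server-side secret on the server, the username-derived salt, the iteration count and the `AccountStore` class are all assumptions.

```python
import hashlib
import hmac

# All parameters are assumptions for illustration; the policy names none.
CLIENT_ITERATIONS = 200_000
SERVER_PEPPER = b"constructed-demo-pepper"  # stands in for a server-side secret


def client_prehash(username, password):
    """Runs on the user's device: only this value leaves the machine."""
    # The salt is derived from the username so the client needs no round
    # trip and equal passwords give different values on different accounts.
    name = username.strip().lower().encode("utf-8")
    salt = hashlib.sha256(b"carma-demo|" + name).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, CLIENT_ITERATIONS)


def server_rehash(prehash):
    """Runs on the server: hashes the received value again before use."""
    return hmac.new(SERVER_PEPPER, prehash, hashlib.sha256).hexdigest()


class AccountStore:
    """Hypothetical account table keyed by the second hash."""

    def __init__(self):
        self._accounts = {}

    def register(self, prehash, account_id):
        self._accounts[server_rehash(prehash)] = account_id

    def authenticate(self, prehash):
        # Lookup and authentication are one step: an unknown hash finds nothing.
        return self._accounts.get(server_rehash(prehash))


def demo():
    store = AccountStore()
    store.register(client_prehash("user@example.com", "correct horse"), "acct-1")
    good = store.authenticate(client_prehash("User@Example.com ", "correct horse"))
    bad = store.authenticate(client_prehash("user@example.com", "wrong guess"))
    # A stored key sent back as if it were a client value is hashed again on
    # arrival, so a copied table entry does not authenticate.
    stored_key = next(iter(store._accounts))
    replay = store.authenticate(bytes.fromhex(stored_key))
    return good, bad, replay


if __name__ == "__main__":
    print(demo())
```

The value produced by `client_prehash` is what the server accepts, so for this one service it is equivalent to the password and depends on TLS in transit just as a plain password would. That is why the scheme hides the password from the operator without making the account itself harder to take over.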

Password reset

If you have lost your password, you can only gain access to your account by resetting your password. This requires access to the email address used during creation of the account. If you don’t have access to your email, then you must create a new account. The old account will automatically be deleted, if it remains inactive.

Encryption at rest

All user data is stored on encrypted devices to prevent leakage when disposing of old / broken hardware or recycling storage at the cloud provider.

Software

All software used on SecTeer server systems is updated regularly. We intend to test and deploy all security related updates released by the vendor within a few business days after public availability of the updates.

Access

Access to user data is on a “need to” basis. All access to data and systems hosting data requires authentication and is logged.

Backups

Backups are encrypted before being retrieved and stored at a separate location. Backups containing user data are usually only retained for 8 days. Other backups are retained for longer.

Disputes and complaints

If you feel the need to lodge a complaint, then you may contact the Supervisory Authority in Denmark, called Datatilsynet:

https://www.datatilsynet.dk/
DATATILSYNET
Borgergade 28, 5
1300 København K
Telephone 3319 3200
Fax 3319 3218
Email dt@datatilsynet.dk