Last Updated: March 20, 2019
Table of Contents:
- Applicability of this Policy
- Global Operations and E.U.-U.S. Privacy Shield and Swiss-U.S. Privacy Shield
- Identifying the Data Controller and Data Processor
- Information We Collect and Receive
- Google Analytics
- How We Use Information
- How We Share and Disclose Information
- inSync Mobile Application
- Data Retention
- Your Rights
- Choice and Opt-out
- Information from Children
- Changes to This Policy
- Email a Friend
- Blogs and Forums
- Social Media Widgets
- Data Protection Officer (DPO)
- Contacting Us
Applicability of this Policy
This Policy applies to www.druva.com (“Site”) and services owned and operated by Druva. If you do not agree with the terms, do not access or use the Sites, services, or any other aspect of Druva’s business.
This Policy does not apply to any third-party applications or software that integrate with Druva’s services through the Druva platform or any other third-party products, services, or businesses.
If you use the Site and services as part of an entity or organization that has a corporate account with Druva, like your employer or a university (“Customer”), that Customer may have entered into a separate agreement with Druva, which may contain more restrictive terms than what is described in this Policy (“Customer Agreement”).
Global Operations and EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield
We operate globally and have offices, partners, and subprocessors around the world to deliver our services. When you use our Site and services, your collected information may be sent to and processed in countries outside your country of residence, including the U.S. For individuals residing in the European Economic Area (“EEA”), and for Personal Data (as defined below) subject to European data protection laws, this includes transfers outside of the EEA. Some of these countries may not have data protection laws that provide an equivalent level of data protection as the laws in your country of residence.
If Druva transfers Personal Data (as defined below) originating from the European Union (E.U.) to other countries not deemed adequate under applicable data protection laws, we will deploy the following safeguards:
- E.U.-U.S. Privacy Shield. Druva participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We are committed to subjecting all personal data received from European Union (EU) member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield List at https://www.privacyshield.gov.
Druva is responsible for the processing of personal data it receives, under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Druva complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Druva is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Druva may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
To learn more about the Privacy Shield program and to view Druva’s certification, please visit https://www.privacyshield.gov/list. Under certain conditions, more fully described on the Privacy Shield website at https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider for free at https://feedback-form.truste.com/watchdog/request.
- E.U. Model Clauses. Druva offers E.U. Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our Customers that operate in the E.U. and other international transfers of Customer data. To receive a copy of our standard Data Processing Addendum, incorporating Model Clauses, please email firstname.lastname@example.org.
Identifying the Data Controller and Data Processor
Druva acts as a data controller when we collect and process Personal Data (as defined below) for Druva’s legitimate interests, such as analyzing user interaction with our Site to enable the use of our Site.
Druva acts as a data processor when we provide our products and services to our Customers. When acting as a data processor, Druva will only process Personal Data (as defined below) in accordance with a Customer’s instructions and this Policy. Druva’s affiliates or subsidiaries may also act as data controllers or data processors to the extent Customers purchase the product and services from those entities or Personal Data is shared with those entities.
Information We Collect and Receive
Druva may collect and receive Customer data and other information in various ways when you use our Site and services. We collect two types of information: Personal Data and Aggregate Data.
As used in this Policy, “Personal Data” means information that directly or indirectly identifies an individual, such as a name, email address, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual. “Personal Data” excludes Aggregate Data. As used in this Policy, “Aggregate Data” is anonymized information, learnings, logs, and data we collect about a group or category of services or users, . Aggregate Data helps us understand trends in our users’ needs, so that we can better consider new features or otherwise tailor our services. This Policy in no way restricts or limits our collection and use of Aggregate Data. We may share Aggregate Data about our users with third parties for various purposes, including to help us better understand our Customers’ needs, improve our services, and for advertising and marketing purposes. We collect information you give us on our Site and when you register for and use our services. Examples include the following:
- Registration and Profile Information. When you register to use our services or update your profile, we may collect various kinds of information about you, including your name, email address, title, company and other profile information you provide, demographic information, and information you upload like photos, files, and documents.
- Contact Information. We collect the email addresses you provide for contacts you enter or upload into your private contacts page. When you choose to collaborate or share files with others, we also collect email addresses you provide to email invitations to those individuals on your behalf. When you provide us with personal information about your contacts we will only use this information for the specific reason for which it is provided.
- Payment Information. If you choose to use a paid Druva account or service, our payment processing vendor collects your credit card information and billing address.
- Submissions and Customer Service. From time to time, we may use surveys, contests, or sweepstakes requesting personal or demographic information and Customer feedback. Participation in these surveys or contests is completely voluntary and thus, you have a choice whether or not to disclose this information.
- Automatically Collected Information. We automatically receive certain types of information when you interact with our Site, services, and communications. For example, it is standard for your web browser to automatically send information to every site you visit, including ours. That information includes your computer’s IP address, access times, your browser type and language, Internet service provider (ISP), and referring site addresses. We may also collect information about the type of operating system you use, your account activity, and files and pages accessed or used by you. We do not link this automatically-collected information to personal information.
- When You Download and Use Our Services. We automatically collect information on the type of device you use, operating system version, and the device identifier (or “UDID”). We also access the device file storage for photos and contacts. You can opt out of this at the device level.
- Mobile Tracking and Data Loss Prevention (DLP). We do not ask for, access, or track any location-based information from your mobile device at any time, unless the DLP add-on is activated when using our mobile applications or services. A user must explicitly turn on the location information feature but may or may not be able to disable this feature depending on your employer’s policy.
- Mobile Analytics. We use mobile analytics software to allow us to better understand the functionality of our mobile software on your phone. This software may record information, such as how often you use the application, the events that occur within the application, aggregated usage, performance data, and from where the application was downloaded. We do not link the information we store within the analytics software to any personally identifiable information you submit within the mobile application.
- Tracking Technologies. We and our partners, affiliates, or analytics or service providers may also use certain kinds of technology such as cookies, web beacons, scripts, and tags to collect information, analyze trends, administer the Site, track users’ movements around the Site, and gather demographic information about our user base as a whole. We may receive reports based on the use of these technologies from these companies on an individual or aggregated basis.
- Local Storage (HTML5). We and our third-party partners use Local Storage (HTML5) to provide certain features on our Site, display advertising based on your web browsing activities, or store content information and preferences. Various browsers may offer their own management tools for removing HTML5.
- Advertising. We partner with a third party to display advertising on our Site or manage our advertising on other sites. Our third-party partner may use technologies, such as cookies to gather information about your activities on this Site and other sites to provide you advertising based on your browsing activities and interests. If you wish to not have this information used for the purpose of serving you interest-based ads, you may opt out by clicking here. If you are located in the E.U., click here. Please note this does not opt you out of being served ads; you will continue to receive generic ads.
How We Use Information
To deliver a consistent and personalized user experience, Druva collects your personal information to understand your interests and requests. For example, we may use your personal information to:
- Facilitate your account administration and use of the operation of the Site and services;
- Process your request or assist you in completing a transaction;
- Provide you with information or services you request, including our product documentation and white papers;
- Inform you about other information, events, promotions, products, or services we find will be of interest to you
- Contact you for feedback to enable us to develop, customize, and improve the Site and our publications, products, and services;
- Conduct marketing analysis, send you surveys or newsletters, contact you about services, products, activities, special events, or offers from Druva or our partners, and for other marketing, informational, product development, and promotional purposes;
- Send you a welcoming email and contact you about your use of the Site and services; to respond to your emails, submissions, comments, requests, or complaints; to perform after-sales services; to anticipate and resolve problems with our service; to respond to Customer support inquiries, for assistance with our product and service development; and to inform you of updates to products and services from Druva that better meet your needs;
- Store contacts you enter or upload into your contacts list for your private use and viewing;
- Send emails to users you invite (and contacts you invite to become users) to collaborate and access your files;
- Enable you to communicate, collaborate, and share files with users you designate;
- Contact you if you win a contest; and
- Accomplish other purposes about which we notify you.
How We Share and Disclose Information
This section describes how Druva may share and disclose Information. Customers determine their own policies and practices for the sharing and disclosure of Information, and Druva does not control how they or any other third parties choose to share or disclose Information.
- Aggregate or De-identified Data. Druva reserves the right to share aggregated demographic information about our Customers, sales, and traffic to our partners and advertisers. We will not share any of your personal information or any data that you store using our services to any third party, except as outlined in this Policy or with your consent.
- Service Providers. We may engage with service providers to perform business functions and provide services to us in the U.S. and other countries. For example, we use a variety of third-party services to help operate our services, such as processing your payment or offering live Customer support chat. Druva may share your Personal Data with these service providers on the condition that they use your Personal Data only on our behalf and pursuant to our instructions and are subject to obligations consistent with this Policy and any other appropriate confidentiality and security measures.
- Corporate Affiliates. Druva may share other information with its corporate affiliates, parent(s), or subsidiaries.
If you are an individual Druva registered user, and the domain of the primary email address associated with your Druva account is owned by your employer and that email address was assigned to you as an employee of that organization, and that organization wishes to establish a Druva corporate account and add you to it, then certain information concerning past use of your individual account may become accessible to that organization’s administrator, including your email address. Druva includes collaboration features that, by their nature, support sharing with users you choose. Those users can see your name, email address, photo and information from your profile page, and any files you choose to share. Further, they can post comments and email you. Collaborators you invite as editors can also edit your shared files, upload documents and photos to your shared files, share those documents outside of Druva, and give other users the rights to view your shared files.
inSync Mobile Application
Our inSync mobile application for Android allows end users to use a special permission BIND_DEVICE_ADMIN to permit administrators to securely and remotely delete data on lost or stolen devices. This feature is subject to enterprise administrator’s enablement and must be accepted by the end user.
Druva will retain data, including Personal Data, in accordance with a Customer’s instructions, any applicable terms in the Customer Agreement, and as required by law. We may retain and use your information, even after your account is suspended or terminated, to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes, and enforce our agreements. We do not retain geo-location information, except current known location when DLP service is activated. For more information on Druva’s data retention policies, please email email@example.com.
Druva maintains appropriate technical and organizational safeguards to protect the security, confidentiality and integrity of the information we collect from you, including any personal information. These safeguards are designed to prevent loss, misuse and unauthorized access, disclosure, alteration, and destruction of the information we collect from you and our platform. Such measures include, but are not limited to, logical data segregation, data encryption in flight and at rest, network security, security logging and monitoring, envelope encryption model, and regular third-party penetration testing. For more information on Druva’s security protocols, please email firstname.lastname@example.org or review Druva’s security white papers at https://www.druva.com/resources/white-papers/.
While we take reasonable efforts to guard personal information we knowingly collect directly from you, no security system is impenetrable. We cannot guarantee that any passively-collected personal information you choose to include in documents you store on our systems are maintained at adequate levels of protection to meet specific needs or obligations you may have relating to that information.
For some customers, your account information and access to our service are accessible only through the use of an individual user ID and password. To protect the confidentiality of personal information, you must keep your password confidential and not disclose it to any other person. Always log out and close your browser when you finish your session. Please advise us immediately if you believe your password has been misused. Further, always log out and close your browser when you finish your session. Please note that we will never ask you to disclose your password in an unsolicited phone call or email. If you have any questions about the security of your personal information, please email email@example.com.
Subject to applicable data protection laws, individuals who are located in certain countries, including the European Economic Area, have specific statutory rights in relation to their Personal Data.
|Data Processed via Druva’s Services||Personal Data Collected by Druva|
|Right to Access and/or Rectify|
|Druva does not have access to the Customer data that is stored and processed by using our services. If you would like to access or correct inaccurate or incomplete Personal Data, please contact your employer. If your employer requests Druva to remove your Personal Data, we will respond to their request within 30 business days. Even if you request that we, or your employer, delete your personal information, we may still retain data collected from you in an aggregated and anonymized form.||If you would like to access or correct in accurate or incomplete Personal Data, please contact us at firstname.lastname@example.org and we will respond to your request within 30 business days. Even if you request that we delete your personal information, we may still retain data collected from you in an aggregated and anonymized form.|
|Right to Erasure|
|Druva does not have access to the Customer data that is stored using our services. If you would like to delete your Personal Data, please contact your employer.||You can request your Personal Data to be deleted by contacting us at email@example.com and we will respond to your request within 30 business days. Even if you request that we delete your personal information, we may still retain data collected from you in an aggregated and anonymized form.|
|Right to Data Portability|
|Druva does not have access to the Customer data that is stored using our services. However, your employer can provide a means to download the information you have shared through our services.||If you would like to receive a copy of the personal information Druva has collected about you, please email firstname.lastname@example.org and we will respond to your request within 30 business days.|
Objecting to Processing. If you object to any processing by Druva, we will communicate such request to your employer as soon as we can.
Additional Information or Assistance. From time to time, we may send you push notifications to perform administrator-initiated backups and restores and device decommissioning. If you wish to opt out of push notifications on your mobile device, please change your settings at the device level. To ensure you receive proper notifications, we will need to collect certain information about your device, such as operating system and user identification information.
Choice and Opt-Out
Druva may send you communications or data regarding our Site and services, including but not limited to (a) notices about your use of our Site and services, including those concerning violations of use, (b) updates, (c) promotional information and materials regarding our products and services, and (d) newsletters. You may opt out of receiving promotional emails and newsletters from Druva by following the unsubscribe instructions provided in those emails. Alternatively, you can opt out, at any time, by emailing email@example.com with your specific request. Opt-out requests will not apply to transactional service messages, such as security alerts and notices about your current account and services.
If you believe that one of your contacts has provided us with your personal information and you would like to request that it be removed from our database, please email firstname.lastname@example.org.
Information from Children
We do not knowingly collect any personal information directly from children under 16. If we discover we have received any personal information from a child under 16 in violation of this Policy, we will take reasonable steps to delete that information as soon as possible. If you believe we have any information from or about anyone under 16, please email email@example.com.
Changes to This Policy
From time to time, we may change this Policy to reflect changes to our information practices. If we make any changes to this Policy, we will change the “Last Updated” date above. If we make any material changes, we will notify you by email, sent to the e-mail address specified in your account, or by means of a notice on this Site prior to the change taking effect. We encourage you to periodically review this Policy for the latest information on our privacy practices.
Email a Friend
If you choose to use our referral service to tell a friend about our Site, we will ask you for your friend’s name and email address. We will automatically send your friend a one-time email inviting him or her to visit our Site. Druva stores this information and is only used for the sole purpose of sending this one-time email and tracking the success of our referral program.
We display personal testimonials of satisfied Customers on our Site and other endorsements. With your consent, we may post your testimonial along with your name. If you wish to update or delete your testimonial, please email firstname.lastname@example.org.
Blogs and Forums
Our Site offers publicly-accessible blogs or community forums. These blogs and forums are created for general informational purposes only and do not constitute legal advice or a solicitation to provide legal services. Although we attempt to post complete, accurate, and up-to-date information, we assume no responsibility for its completeness, accuracy, or timeliness. You should be aware that any information you provide in these blogs or forums may be read, collected, and used by others who access them. To request removal of your personal information from our blogs or community forums, please email email@example.com. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.
Social Media Widgets
Our Site includes social media features. Your use of these features may result in the collection or sharing of information about you. This may include your IP address, which page you are visiting on our Site, and a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on our Site. Your interactions with these features are governed by the privacy policies of the companies providing these features. We encourage you to carefully review the privacy policies and settings of any social media websites, services, and applications you access.
Data Protection Officer (DPO)
To communicate with our DPO, please address any questions, concerns, or comments to:
Eugenia Buzogly, DPO
800 W. California Avenue, Suite 100
Sunnyvale, CA 94086
Any questions, concerns, or comments about this Policy should be addressed to:
800 W. California Avenue, Suite 100
Sunnyvale, CA 94086
1Druva means Druva Holdings, Inc., a Delaware, United States company, Druva Singapore Pte. Ltd., a Republic of Singapore company, Druva Data Solutions Private Limited, a Republic of India company, Druva Europe Limited, an England and Wales, United Kingdom company, Druva Inc., a Delaware, United States company, Druva G.K., a Japan company, Druva GmBH, a Germany company, Silver Lining Cloud Consulting Limited (t/a CloudRanger), and all other Druva subsidiaries