Zip x Johanson Group Webinar: How the best vCISOs guide their clients through successful audits01d:01h:20m:51s

Legal

Zip Security Privacy Statement

How we collect, use, and protect your personal information.

Introduction

Zip Security is committed to providing our customers with cutting edge security. We offer a flexible, all-in-one platform that integrates across cybersecurity vendors to provide our customers with a single pane of glass security solution for everything from mobile device management to identity and access control.

We understand that you are aware of and care about your own personal privacy interests, and we take that seriously. This Privacy Notice describes Zip Security policies and practices regarding its collection and use of your personal data, and sets forth your privacy rights. We recognize that information privacy is an ongoing responsibility, and so we will from time to time update this Privacy Notice as we undertake new personal data practices or adopt new privacy policies.

Data Privacy Officer

Zip Security is headquartered in New York City in the United States. Zip Security has appointed an internal data protection officer for you to contact if you have any questions or concerns about Zip Security's personal data policies or practices. If you would like to exercise your privacy rights, please direct your query to Zip Security's data protection officer. Zip Security's data protection officer's name and contact information are as follows:

Gabriela Merz: privacy@zipsec.com

How we collect and use (process) your personal information

Zip Security collects personal information about its website visitors and customers to provide prospective customers and customers with services. The information we collect is summarized below:

Information you provide to us when you create an account with us:

  • Name
  • Company name
  • Email address
  • Access to your email account to send emails on your behalf

When you use our services:

  • Name
  • Company name
  • Email address
  • Location
  • Phone number
  • Payment Information

Additional information you submit to us:

  • Information you submit when completing a form on our website

Information collected automatically

  • Browser information, such as your IP address, browser version, and server logs, and information about your cookies and web browsing

We do not sell personal information to anyone and only share it with third parties who are facilitating the delivery of our services. When you create an account with Zip, we solicit your consent to connect your email account using the Oauth method of authentication.

For users authenticating via Google accounts, Zip Security's use of information received and Zip Security's transfer of information to any other app from Google APIs will adhere to Google's Limited Use Requirements. We do not store any information about your Google account, and instead rely on a 3rd party provider (Auth0) to store and manage your Google account information. When you log in via Google, we request authorization to send email on your behalf, which we use to enable compliance and security features. We do not have access to your inbox, and can only send messages on your behalf. Zip Security's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

If you connect your Google Workspace account as an Identity Provider (IdP) in the Zip Console, you will be asked to consent to authorize us to pull metadata from your Google Workspace account about users, groups, devices and other data essential for the functionality of the Zip Console. We will store some of this data in our environment for your use in understanding the security posture of your google workspace.

For Google Workspace connections as a Gmail Email Security Provider, Zip Security uses read-only access to fetch organizational domain, user directory, and organizational unit metadata to initialize the connection and correctly scope security assessments to the organization as a whole, and to determine the primary domain(s) being used for Gmail so that we can assess the security posture of their DNS records.

Gmail safety policy settings — including rules for attachment scanning, link and external image scanning, spoofing and authentication protection, and enhanced pre-delivery message scanning — are retrieved to identify configuration gaps. Audit log data is strictly limited to events where a user has reported a message as spam or phishing. For each such event, Zip Security collects only:

  • Reporting user's email address
  • Message subject
  • Timestamp
  • Threat classification
  • Domains found in linked URLs

Zip Security does not access the content of individual email messages or attachments. Zip keeps sensitive data protected by making collected data accessible only to authorized administrators within the organization and is used solely to assess and improve the organization's email security posture within the Zip Security platform.

From time to time, Zip Security receives personal information about individuals from third parties. Typically, information collected from third parties will include further details on your employer or industry. We may also collect your personal data from a third party website (e.g. LinkedIn).

Use of the Zip Security Website

As is true of most other websites, the Zip Security website collects certain information automatically and stores it in log files. The information may include internet protocol (IP) addresses, the region or general location where your computer or device is accessing the internet, browser type, operating system and other usage information about the use of Zip Security's website, including a history of the pages you view. We use this information to help us design our site to better suit our users' needs. We may also use your IP address to help diagnose problems with our server and to administer our website, analyze trends, track visitor movements, and gather broad demographic information that assists us in identifying visitor preferences.

Zip Security has a legitimate interest in understanding how members, customers and potential customers use its website. This assists Zip Security with providing more relevant products and services, with communicating value to our sponsors and corporate members, and with providing appropriate staffing to meet member and customer needs.

Sharing information with third parties

The personal information Zip Security collects from you is stored in one or more databases hosted by third parties located in the United States. These third parties do not use or have access to your personal information for any purpose other than cloud storage and retrieval. On occasion, Zip Security engages third parties to send information to you, including information about our products, services, and events.

A list of our third party sub processors can be found here:

  • Auth0
  • Amazon Web Services
  • Clearbit
  • Google Analytics
  • Hubspot
  • Hotjar
  • RB2B
  • Sendgrid
  • VWO
  • Webflow

We do not otherwise reveal your personal data to non-Zip Security persons or businesses for their independent use unless: (1) you request or authorize it; (2) it's in connection with Zip Security-hosted and Zip Security co-sponsored conferences as described above; (3) the information is provided to comply with the law (for example, compelled by law enforcement to comply with a search warrant, subpoena, or court order), enforce an agreement we have with you, or to protect our rights, property or safety, or the rights, property or safety of our employees or others; (4) the information is provided to our agents, vendors or service providers who perform functions on our behalf; (5) to address emergencies or acts of God; or (6) to address disputes, claims, or to persons demonstrating legal authority to act on your behalf. We may also gather aggregated data about our services and website visitors and disclose the results of such aggregated (but not personally identifiable) information to our partners, service providers, advertisers, and/or other third parties for marketing or promotional purposes.

The Zip Security website connects with third party services such as Facebook, LinkedIn, Twitter and others. If you choose to share information from the Zip Security website through these services, you should review the privacy policy of that service. If you are a member of a third party service, the aforementioned connections may allow that service to connect your visit to our site to your personal data.

We use Hotjar and VWO in order to better understand our users' needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users' experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don't like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users' behavior and their devices. This includes a device's IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.

When you visit or log in to our website, cookies and similar technologies may be used by our online data partners or vendors to associate these activities with other personal information they or others have about you, including by association with your email. We (or service providers on our behalf) may then send communications and marketing to these email. You may opt out of receiving this advertising by contacting us at privacy@zipsec.com.

Transferring personal data to the U.S.

Zip Security has its headquarters in the United States. Information we collect about you will be processed in the United States. By using Zip Security's services, you acknowledge that your personal information will be processed in the United States. The United States has not sought nor received a finding of “adequacy” from the European Union under Article 45 of the GDPR. Pursuant to Article 46 of the GDPR, Zip Security is providing for appropriate safeguards by entering binding, standard data protection clauses, enforceable by data subjects in the EEA and the UK. These clauses have been enhanced based on the guidance of the European Data Protection Board and will be updated when the new draft model clauses are approved.

Depending on the circumstance, Zip Security also collects and transfers to the U.S. personal data with consent; to perform a contract with you; or to fulfill a compelling legitimate interest of Zip Security in a manner that does not outweigh your rights and freedoms. Zip Security endeavors to apply suitable safeguards to protect the privacy and security of your personal data and to use it only consistent with your relationship with Zip Security and the practices described in this Privacy Statement. Zip Security also enters into data processing agreements and model clauses with its vendors whenever feasible and appropriate. Since it was founded, Zip Security has received zero government requests for information.

For more information or if you have any questions, please contact us at privacy@zipsec.com

Data Subject rights

The European Union's General Data Protection Regulation (GDPR) and other countries' privacy laws provide certain rights for data subjects. Data Subject rights under GDPR include the following:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right of data portability
  • Right to object
  • Rights related to automated decision making including profiling

This Privacy Notice is intended to provide you with information about what personal data Zip Security collects about you and how it is used.

If you wish to confirm that Zip Security is processing your personal data, or to have access to the personal data Zip Security may have about you, please contact us.

You may also request information about: the purpose of the processing; the categories of personal data concerned; who else outside Zip Security might have received the data from Zip Security; what the source of the information was (if you didn't provide it directly to Zip Security); and how long it will be stored. You have a right to correct (rectify) the record of your personal data maintained by Zip Security if it is inaccurate. You may request that Zip Security erase that data or cease processing it, subject to certain exceptions. You may also request that Zip Security cease using your data for direct marketing purposes. In many countries, you have a right to lodge a complaint with the appropriate data protection authority if you have concerns about how Zip Security processes your personal data. When technically feasible, Zip Security will—at your request— provide your personal data to you.

Reasonable access to your personal data will be provided at no cost. If access cannot be provided within a reasonable time frame, Zip Security will provide you with a date when the information will be provided. If for some reason access is denied, Zip Security will provide an explanation as to why access has been denied.

For questions or complaints concerning the processing of your personal data, you can email us at privacy@zipsec.com. Alternatively, if you are located in the European Union, you can also have recourse to the European Data Protection Supervisor or with your nation's data protection authority.

Data storage and retention

Your personal data is stored by Zip Security on its servers, and on the servers of the cloud-based database management services the Zip Security engages, located in the United States. Zip Security retains service data for the duration of the customer's business relationship with Zip Security and for a period of time thereafter, to analyze the data for Zip Security's own operations, and for historical and archiving purposes associated with Zip Security's services. Zip Security retains prospect data until such time as it no longer has business value and is purged from Zip Security systems. All personal data that Zip Security controls may be deleted upon verified request from Data Subjects or their authorized agents. For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact us at: privacy@zipsec.com

Children's data

We do not knowingly attempt to solicit or receive information from children.

Questions, concerns or complaints

If you have questions, concerns, complaints, or would like to exercise your rights, please contact us at: privacy@zipsec.com