Stormshield SAS (also referred to as "Stormshield", "we" or "us") appreciates your interest in our products, services and business lines and your use of our websites, portals and "apps". Your privacy is important to us and we want you to feel comfortable using our websites. The protection of your privacy and Personal Data is an important concern to which we pay special attention throughout our business processes. Personal Data collected during use of our Web Application “Stormshield Data Security for Email”, also called “SDS for Email”, is processed by us according to the legal regulations valid in the European Union.

Stormshield is committed to protecting the rights of individuals in line with the General Data Protection Regulation (reference EU2016/679) of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (hereinafter referred to as: 'GDPR') as well as all applicable national Personal Data protection laws and regulations (collectively referred to as "Data Protection Laws and Regulations").

This Privacy Policy serves to inform you of the Personal Data we collect when you access/use the service; how we use and disclose your data; how you can control the use and disclosure of your data; and how we protect your Personal Data.

 

What is Personal Data?

Personal Data is information that can be used to identify a person either directly or indirectly (hereinafter referred to as: 'Personal Data'). A 'personal identifier' is a piece of information that can identify an individual. This definition covers a wide range of personal identifiers to constitute Personal Data, including name, address, email address, identification number, location data or online identifier.

 

Which sources and what Personal Data do we use?

When you use this service, Stormshield will collect, use and process any information generated as a result of using the service, such as IP address or location information from your device. The user settings and private key are stored in the browser. This saves the user from having to re-import the key each time the application is opened.

| NAME | PURPOSE | RETENTION PERIOD |
|---|---|---|
| Private keys (PGP) | Storage of the private key on the user's browser to avoid having to re-import the key each time the application is opened | Up to the cleaning of the data in the browser |
| Public keys (PGP) | Speed of execution for sending emails | Web Application life time (between application start and refresh or close of the tab) |
| User settings | Storage of user settings (activation/deactivation of crash reporting) | Up to the cleaning of the data in the browser |

What is the purpose of processing your Personal Data?

By using the Web Application, Stormshield will collect and process your Personal Data in accordance with this Notice. Your Personal Data may be used for the following purposes (hereinafter referred to as: the 'Purposes'):

  1. Website Browsers / Administration

We use your Personal Data for administrative purposes, including to help us better understand how our customers access and use our websites and applications; to provide reports to prospective partners, service providers, regulators, and others; to implement and maintain security, anti-piracy, fraud prevention, and other services designed to protect our customers, partners and us; and to enforce our policies, directives and processes.

  2. Customer service

We use your Personal Data for customer service purposes, including providing services to you, for technical support or other similar purposes and to provide you with tailored and personalized content and information based on your purchases of Stormshield products; to provide you with new updates; track the registration of your products; generate statistics on the deployment and use of our solutions...

  3. Research and development

We use your Personal Data for research and development purposes, including improving our websites, applications, services, and customer experience and for other research and analytical purposes dedicated to improving our products and services.

We use Sentry.io, a self-hosted and cloud-based error monitoring tool that helps software teams discover, triage, and prioritize errors in real-time.

The deactivation of this service is possible directly by the user. For this, a toggle button is available on the application. You just have to position the cursor on "off". Caution! If this option is disabled and you encounter a problem, its resolution will be more complex. You can reactivate Sentry.io at any time with the toggle button.

  4. Legal compliance

We use your Personal Data to comply with applicable legal obligations, including responding to an authority or court order or discovery request.

  5. To protect us and others

Where we believe it is necessary to investigate, prevent or act regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person or violations of policies, terms, and other policies.

 

What is the legal basis for processing your Personal Data?

As a responsible company, we need a lawful basis for collecting and/or processing your data. We generally rely on a number of grounds (reasons) for our business processing.

We process your Personal Data in accordance with the provisions set out in the GDPR and the relevant applicable Data Protection Laws and Regulations. The legal basis for processing your Personal Data is:

  1. To comply with contractual obligations

When you subscribe to a particular service through the Web Application, the purposes of processing your Personal Data are primarily determined by that service and we will process your information so that we can provide that service to you.

  2. As a result of your consent

When you consent to the processing of your Personal Data by us for the service, you can withdraw that consent at any time by contacting us at dpo@stormshield.eu. For further information on the right to withdraw your consent, please see below Section "Am I obliged to provide my Personal Data?"

  3. Within the scope of a legitimate interest

In certain circumstances we may not need your consent to use your data, given our legitimate interest to do so but we must inform you when we do this; examples of this are:

  • For the administration, management and performance of our business relationship including accounting, auditing and performance of the contract.
  • For the analysis and optimization of the Web Application.
  • For ensuring IT security (to detect security threats, frauds or other malicious or criminal activities) and for the IT operation of Stormshield.
  • For the prevention and investigation of criminal acts.
  • For ensuring efficient communication and to keep you up-to-date on the latest information about our services, solution and/or business activities, events, marketing campaigns, market analysis or other promotional activities and for analysis and improvement of the quality of our services and communication with you.
  • For monitoring compliance with our policies and standards.

  4. On the basis of Stormshield's legal obligations or in the public interest

Stormshield, as any other company, is subject to legal obligations and regulations. In some cases, the processing of your Personal Data will be necessary for Stormshield in order to fulfill these obligations.

 

Who will receive your Personal Data?

  • Authorized persons working for or on behalf of Stormshield;
  • Stormshield, on a need-to-know basis for the purposes outlined in this Privacy Policy;
  • Our agents, service providers (e.g. third-party service providers providing a variety of products and services we need such as IT maintenance and support, procurement services, logistic services, etc.);
  • Law enforcement or government authorities where necessary to comply with applicable law.

If you access our Services from a third-party application or connect to our Services via a third-party application, you should also read that third-party application's Terms of Service and Privacy Policy.

If you are unclear about what information a third-party application is sharing with us, you should refer to the third-party application provider to find out more about their privacy practices.

Here you can find Google Products Privacy Policy.

 

Will your Personal Data be transferred to a third country outside the European Economic Area (EEA)?

Stormshield processes your Personal Data mostly in the EEA.

The data transferred outside of the EEA is the data reported to Sentry.io, an American company. It concerns in particular the application crash reports. See the table below for additional information about this.

 

Which countries will Stormshield transfer Personal Data to?

Stormshield is based in Europe; we process personal information mainly in Europe.

The data transferred outside of the EEA is the data reported to Sentry.io, an American company. It concerns in particular the application crash reports. See the table below for additional information about this.

 

For how long will your Personal Data be stored?

If your Personal Data is no longer required for contractual or statutory obligations, it will be erased on a regular basis, unless further processing is necessary, for instance, to preserve particular evidence under applicable Data Protection Laws and Regulations, or in the context of legal statutes of limitation.

All customer data stored on Sentry.io servers is erased upon a customer’s termination of service with account deletion following a 24-hour waiting period in case of accidental cancellation.

 

Security

We use technical and organizational security measures in order to protect the data we have under our control against accidental or intentional manipulation, loss, destruction and also against access by unauthorized persons. Our security procedures are continually enhanced as new technology becomes available.

 

What are your rights and how to exercise them?

You may at any time exercise your data protection rights:

  • Right to access/obtain a report detailing the information held about you: You have the right to obtain confirmation as to whether or not your Personal Data is being processed by Stormshield and if so, what specific data is being processed.
  • Right to correct Personal Data: You have the right to change any inaccurate Personal Data concerning you.
  • Right to be forgotten: In some cases, for instance, when the Personal Data is no longer necessary in relation to the Purposes for which it was collected, you have the right for your Personal Data to be erased.
  • Right to restriction of processing: You have the right to restrict the processing of your Personal Data by Stormshield, for instance when the processing is unlawful and you oppose the erasure of your Personal Data. In such cases, your Personal Data will only be processed with your consent or for the exercise or defense of legal claims.
  • Right to data portability: Under some circumstances provided by law, you have the right to receive the Personal Data concerning you in a structured, commonly used and machine-readable format and/or transmit the Personal Data to another data controller.
  • Right to object and to withdraw consent: please see the section below "Am I obliged to provide my Personal Data?"

To this effect, please contact Stormshield in writing either by e-mail at the following address: dpo@stormshield.eu or by writing to the address below, enclosing a copy of a document providing evidence of your identity.

Stormshield, Data Protection Officer, 1 Place VERRAZZANO, 69009 LYON, France

 

Am I obliged to provide my Personal Data?

You may at any time object to the processing of your Personal Data or, where your consent is required, withdraw such consent by contacting us at dpo@stormshield.com. However, please note that if you withdraw your consent, you may not be able to access and use certain information, features or functions of the service.

 

To what extent will decision-making be automated?

As a matter of principle, we do not use fully automated decision-making processes. In the event that we should use such processes in individual cases, we will, if prescribed by law, specifically inform you of this and of your rights in this respect.

 

Will profiling take place?

As a matter of principle, your Personal Data will not be processed automatically with the objective of evaluating certain personal aspects (profiling). In the event that we should process your Personal Data with the objective of conducting profiling, we will, if prescribed by law, specifically inform you of this and of your rights in this respect.

 

How can I contact Stormshield in respect of my Personal Data?

If you are unhappy with the way in which your Personal Data has been processed or should you have questions regarding the processing of your Personal Data, you may refer in the first instance to the Stormshield Data Protection Officer, who is available for enquiries or complaints, at the following email address: dpo@stormshield.eu or you can write to the address below:

Stormshield, Data Protection Officer, 1 Place VERRAZZANO, 69009 LYON, France

 

Can I ask for assistance from the competent authorities?

If the answers supplied are unsatisfactory, you may then directly approach the French data protection authority: the Commission Nationale de l'Informatique et des Libertés (CNIL).

 

Cookies

What are cookies?

Cookies are small files or pieces of information that may be stored on, accessed from and removed from your device when you access SDS for Email.

They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

For instance, a “Cookie” may refer to an “http cookie”, a “flash cookie” (used by some applications or websites relying on Flash technology), the local storage area of your internet browser, a unique identifier calculated from your internet browser characteristics (also known as “browser fingerprinting”), or unique identifiers related to your device or your internet browser (device serial number, MAC address, Android ID, advertising ID, etc.).

Cookies allow us to recognize your device and store information about your preferences or past actions. We may use Cookies:

  • to record the preferences of our users,
  • to enable us to optimize the design of our Web Application,
  • to ease navigation, and increase the user-friendliness of our Web Application,
  • to analyze the usage of our Web Application, and/or to identify the most popular sections of our Web Application,
  • to provide content that is more accurately suited to your needs, and, in doing so, improve our Web Application. Cookies can be used to determine whether there has been any contact between us and your device in the past,
  • to facilitate secure online access so that you do not need to enter your user ID and password again when you access our Web Application

 

Which cookies do we use?

The table below informs you about the type and purpose of each cookie that we may use in our Web Application, and the type of Personal Data processed in it:

 

| NAME OF COOKIE | PURPOSE | RETENTION PERIOD | MANDATORY |
|---|---|---|---|
| Functional cookies | | | |
| Google Cookies | Google SSO which allows the use of your servers (authentication, authorizations, mail api, contact api) | Up to the cleaning of the data in the browser | Yes |
| Audience measurement cookies | | | |
| Atauthority | Allows you to save the visitor's choice about audience cookies | 1 year | No |
| Atuserid | Visitor ID | 1 year | No |
| At-optout | Allows you to retain the refusal to collect audience measurement via AT Internet | 6 months | No |

AT Internet is an analytics solution that we use to obtain usage statistics for the Web Application.

 

How can you disable or delete cookies?

When the Cookies we use are strictly necessary for technical reasons, they are marked as "mandatory" in the table above. These Cookies do not require your consent and cannot be disabled.

You can prevent Cookies from being stored on your device by setting your browser to not accept cookies. The exact instructions for this can be found in the manual for your browser. You can also delete Cookies already on your device at any time through your browser’s settings.

On the Chrome browser, you just have to go to chrome://settings/clearBrowserData to be able to clear the cookies.

For more information, you can find here detailed documentation from Google on how to clear your browsing data.

 

Use of Google API

Stormshield Data Security For Email will only use access to read, write, modify, or control Gmail message bodies (including attachments), metadata, headers, and settings to provide a web email client that allows users to compose, send, read, and process emails and will not transfer this Gmail data to others unless doing so is necessary to provide and improve these features, comply with applicable law, or as part of a merger, acquisition, or sale of assets.

Stormshield Data Security For Email will not use this Gmail data for serving advertisements.

Stormshield Data Security For Email will not allow humans to read this data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes such as investigating abuse, to comply with applicable law, or for Stormshield Data Security For Email's internal operations and even then only when the data have been aggregated and anonymized.

Stormshield Data Security For Email's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

 

Modification of the Privacy Policy

Stormshield will update this Privacy Policy from time to time in order to reflect changes in our practices and services and also to remain compliant with Data Protection Laws and Regulations. We will inform you of any substantial modification to how we process your Personal Data.