Privacy

The types of data processed through our services include: identification and contact data (e.g., name, email address, title, contact details), employment details (e.g., job title, role, manager), and/or IT information (e.g., entitlements, IP addresses, usage data, cookies data, and geolocation) for the customer’s employees, contractors, and/or (where licensed under the Agreement) the customer’s business partners and/or end-users authorised by the customer. This type of data is typically not of interest to government or law enforcement agencies.

SailPoint discourages and/or prohibits customers from loading sensitive personal data into our products, including special categories of personal data as referenced in Art. 9 GDPR, such as health data, political opinions, religious or philosophical beliefs, trade union membership, race or ethnic origin, sexual orientation, genetic data, biometric data, criminal activity data, or financial account number or tax ID number.

Our products are typically licensed for use in managing the customer’s employees and contractors, in which case only employee and contractor data is processed. Again, this type of data is typically not of interest to government or law enforcement agencies.

Our customers control the types of personal data they provide to us. Our customers determine from whom the data is collected and whether this is done on an automated or voluntary basis. SailPoint will not collect personal data on the customer’s behalf.

Our customer is also solely responsible for determining the legal basis for its data processing. The customer’s legal basis for processing may be legitimate business interests and/or legal requirements. We would not expect customers to process employee data on the basis of consent, but the customer is responsible for that determination.

Consistent with the GDPR’s “data minimization” principle, we limit the collection and transfer of data to that which is necessary in relation to the purposes for which it is processed.

For SailPoint’s SaaS Services, the customer determines the location where the SaaS Services are hosted. SailPoint leverages Amazon Web Services (AWS) or Microsoft Azure for hosting its SaaS solutions. The solutions can be run from any one of several AWS/Azure Regions, based on customer proximity and preference. Although the data in the solutions will physically reside in the chosen location, the customer’s SaaS Services environment will be managed, maintained, and accessed by SailPoint from its relevant locations.

A list of SailPoint’s affiliates as well as third parties who may have access to personal data in connection with the SailPoint’s provision of the services, as well as each of their respective locations, is available at https://www.sailpoint.com/legal/sub-processors/.

SailPoint makes an affirmative commitment to adhere to the EU-US and Swiss-US Data Privacy Framework Principles, as well as the UK Extension to the EU-US Data Privacy Framework, and maintains a Data Privacy Framework Certification. The Data Privacy Framework Principles define a set of requirements that govern the use and handling of personal data transferred from the European Economic Area (EEA) as well as access and dispute resolution mechanisms that participating companies must provide to EEA citizens. The European Commission has adopted the EU-US Data Privacy Framework, and the UK has adopted the UK extension of it (UK-US Data Bridge), and both concluded that the United States ensures adequate protection under these respective frameworks – comparable to that of the European Union and the UK – for personal data transferred from the EEA and the UK to US companies certified under these frameworks.

Where personal data originates from Switzerland and is transferred to the US, SailPoint is certified with the Swiss-US Data Privacy Framework and is committed to adhering to the principles of this framework. SailPoint acknowledges that organizations cannot rely on this framework for data origination from Switzerland until the Swiss Federal Administration grants its adequacy decision on the framework. Therefore, in addition to the Swiss-US Data Privacy Framework, our DPA incorporates the protections afforded by the EU SCCs. Our DPA is included in our standard terms for EMEA customers and is an option for all other customers where appropriate. Our standard contract terms are available at https://www.sailpoint.com/legal/customer-agreements/.

SailPoint has also conducted a Data Transfer Impact Assessment (DTIA) as required by the SCCs.

SailPoint’s affiliates have also entered into an Intra-group Data Transfer Agreement (IGDTA) with one another, which binds the affiliates to the SCCs in connection with their processing of personal data.

SailPoint will not engage a sub-processor unless we enter into a written agreement with the sub-processor imposing data protection terms that require the sub-processor to protect the customer’s personal data to the same standard as SailPoint.

We also require our sub-processors to ensure that they have appropriate technical and organizational measures to protect against and report a personal data breach, appropriate to the harm that might result from such personal data breach, having regard to the state of technological development and the cost of implementing any measures. Such measures may include where appropriate: pseudonymising or encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after a physical or technical incident, and regularly assessing and evaluating the effectiveness of the technical and organizational measures adopted by it.

SailPoint will only retain customer data in the SaaS Services that it processes on behalf of a customer for the duration of the SaaS Services subscription term. Data in the SaaS Services can be downloaded by the customer at any time. Within 30 days of termination or expiration of the SaaS Services, where required, SailPoint will delete all customer data from the SaaS Services unless prohibited by law. Customer data archived on back-up systems will be securely isolated and protected from any further processing.

Yes, SailPoint has appointed a Data Protection Officer who can be reached at [email protected].