Cirrus-Identity-Logo

 

Privacy Policy

 

Effective: May 9, 2023

OVERVIEW

Cirrus Identity, Inc. (“Cirrus Identity”, “We”, “Us”, “Our”) values the privacy of individuals. This Privacy Policy describes the data We collect, why We collect it, and how We use it on Our website, Our products, Our solutions, and any other services which display a link to this Privacy Policy (collectively Our “Services”). By providing information to Cirrus Identity via Our Services, you accept the practices described in this Privacy Policy.

Customers ( “Customer”, “They”, “Them”, or “Their”) evaluating Our Services for future purchase, or contracting with Cirrus Identity to run Services on Their behalf are consenting to Our privacy and data management policies as described in this Privacy Policy unless otherwise stipulated by contract.

 

DEFINITIONS

(a) “Authorized Administrative User” or “Sponsor” - Any individual authorized by the Customer to configure, support, utilize, or otherwise use Cirrus Identity Services to provide access to Customer applications.

(b) “End User”, “You” or “Your” - Any individual with personal data shared with Cirrus Identity.

(c) “Personal Data” - Personally identifiable information (PII) provided by You to Cirrus Identity or to a Customer and processed by Cirrus Identity under a contract.

 

CHANGES TO THIS POLICY

Cirrus Identity may change this Privacy Policy from time to time, and will update the "Last Updated" date at the top of this Privacy Policy accordingly. We will provide additional notification, such as a notice on the Cirrus Identity home page prior to the change becoming effective, in the case of material changes to this Policy. We encourage you to review our Privacy Policy whenever you access Cirrus Identity Services to stay informed about our privacy practices and the ways you can help protect your privacy. Your use of any of the Cirrus Identity Services after the posting of such changes shall constitute your consent to such changes.

 

PERSONAL INFORMATION COLLECTED

Cirrus Identity aims to collect and store the least amount of Your Personal Data necessary to deliver Services. The reasons for Cirrus Identity processing Your Personal Data are both to fulfill the legal requirements to deliver the Services as defined by Cirrus Identity’s Terms of Service, and to meet Cirrus Identity’s legitimate interests as defined in the section Use of Personal Data. We may also process Your Personal Data when delivering Services once you have provided Your consent, should that be appropriate.

 

TYPES OF DATA COLLECTED

PERSONAL DATA

Many of the Cirrus Identity Services require basic Personal Data such as name or email address. This Personal Data may include additional pieces of data called identifiers which are generally not visible to You, but can be used to uniquely identify You. An everyday example of an identifier that is visible to You would be a mobile phone number. Each Cirrus Identity Service has different data requirements and those will be outlined in the “How Data is Collected” section.

LOGGING

All Cirrus Identity Services have a transaction logging component. The logs may record Personal Data collected for the Cirrus Identity Service along with Your IP address, the time of the transaction, and which Customer application You were attempting to use. Logs are retained as outlined in the “Data Retention” section.

The following are the Personal Data collected in the logs for each Cirrus Identity Service:

Cirrus Bridge (SAML Protocol)

ip address

date/time

browser user agent

user - first value found when checking eduPersonPrincipalName, mail, or uid

eduPersonPrincipalName - all values

mail - all values

givenname - all values

sn - all values

uid - all values

Cirrus Bridge (CAS Protocol)

ip address

date/time

browser user agent

cas:user - any attribute that is configured in the Cirrus CAS Bridge and can be configured per cas service

Cirrus Gateway

ip address

date/time

browser user agent

mail registered with provider

givenname registered with provider

sn registered with provider

uid issued by provider

Cirrus Proxy

ip address

date/time

browser user agent

user - first value found when checking eduPersonPrincipalName, mail, or uid

eduPersonPrincipalName - all values

mail - all values

givenname - all values

sn - all values

uid - all values

Cirrus Account Linking

Same attributes as Cirrus Proxy

The primary identifier defined by customer for associating a user record with a login method

Cirrus Invitation

ip address

date/time

browser user agent

eduPersonPrincipalName - collected during claim

mail - invitation was sent to

mail - collected during claim

givenname - collected during claim

sn - collected during claim

Cirrus OrgBrandedID

ip address

date/time

browser user agent

mail - used to register

givenname - used to register

sn - used to register

uid - created by Cirrus Identity

Cirrus MFA

ip address

date/time

browser user agent

mail

givenname

sn

attribute defined by customer for authentication

security token created by Cirrus Identity

 

COOKIES

To deliver Cirrus Identity Services, We make use of both persistent cookies (which are retained until some future end date) and session cookies (which disappear when you log out). The individual cookies are unique to the web browser You are using. This uniqueness is important to the operation of Cirrus Identity Services and is the reason why we use them.

The session and persistent cookies associated with Cirrus Identity Services will either be stored as “cirrusidentity.com”, “apps.cirrusidentity.com”, “www.cirrusidentity.com”, “info.cirrusidentity.com”, or “blog.cirrusidentity.com”, another subdomain under “cirrusidentity.com” that is associated with one of Our Customers, or another subdomain under “cirrusidentity.com”.

Cirrus Identity also makes use of third-party cookies for some monitoring and marketing processes. Third-party cookies are stored by a domain that is different from the one associated with the site You are visiting. This can happen when a file, such as JavaScript, is located outside the webpage’s domain.

 

HOW DATA IS COLLECTED  

Cirrus Identity provides authentication and user registration solutions that assist Our Customers in providing You access to applications They operate. Each Customer may use one or more of our Services in combination to accomplish this. Cirrus Identity collects the minimum Personal Data required to allow You to use our Customer’s applications. The type and amount of Personal Data that is collected depends on Your specific relationship with one of Our Customers. We encourage You to ask the Customer that is administering the application You are trying to access for the specifics on how Your Personal Data is being used. If You still have questions or if Customers have questions, they may contact Us as outlined in the “Contacting Us” section.

The following is a list of each Cirrus Identity Services and the Personal Data collected:

 

CIRRUS GATEWAY

Via an integration controlled and managed by individual Cirrus Identity Customers, Cirrus Identity processes Personal Data provided by one or more of the following login methods for Them. The login methods are as follows:

Amazon

Apple

Facebook

Google

LinkedIn

Microsoft

ORCID

Twitter

Weibo

The Personal Data provided by the login methods varies but does not exceed the following information:

Name (given name, family name, and/or display name)

Email address

A unique ID issued by the Social Identity Provider

This information may be included in the transaction log (see Logging) for the Cirrus Gateway but is not stored unless needed for other Cirrus Identity Services. To enable access, the Gateway will utilize session cookies while You are logged in (see Cookies) and a persistent cookie to support load balancing.

 

CIRRUS INVITATION SERVICE

The Cirrus Invitation Service establishes a relationship between You and a Sponsor. This relationship is used by The Customer to deliver services to You.

The Customer will provide an email address for You. Cirrus Identity will send You a request at the email address on behalf of the Customer to claim the invitation using a method of login. Regardless of the method of login, the following Personal Data may be processed and stored by Cirrus Identity on behalf of the Customer depending on settings They configure:

Name (given name, family name, and/or display name)

Email address

A unique ID based on the method of login

Personal Data provided by the Customer

To enable the claim process, session cookies are used for the duration of the claim process and a persistent cookie is used to support load balancing (see Cookies). Transactions using the Cirrus Invitation Service are also logged (see Logging).

 

CIRRUS ACCOUNT LINKING

Cirrus Account Linking establishes a relationship between You and Personal Data provided by a Customer. This relationship is used by the Customer to deliver service to You.

Data provided by a login method (such as the Cirrus Gateway, the Cirrus OrgBrandedID, or another login method) when You log in is processed and stored by Cirrus Identity on behalf of the Customer as a record of this relationship.

Data provided by the Customer about You is also processed and stored as a record of this relationship. This data typically consists of one or more identifiers The Customer maintains about You and is provided in accordance with the contract Cirrus Identity has with the Customer.

To enable account linking, session cookies are used until the relationship is established and a persistent cookie is used to support load balancing (see Cookies). Transactions using Cirrus Account Linking are also logged (see Logging).

 

CIRRUS ORGBRANDEDID

The Cirrus OrgBrandedID allows the Customer to offer You the option to create an account if You do not have, or want to use one of the login options provided. To use this service, You must provide the following Personal Data:

Name (given name and family name)

Email address

A password

Other data required by the Customer

Depending on the requirements of the Customer, You may also be required to provide answers to selected security questions. When complete, Your account will also have a machine generated identifier for use with other Cirrus Identity Services and/or by the Customer.

To enable account creation, session cookies are used until the process is complete and a persistent cookie is used to support load balancing (see Cookies). Transactions using the Cirrus OrgBrandedID are also logged (see Logging).

 

CIRRUS DISCOVERY SERVICE

The Cirrus Discovery Service, if configured by the Customer, is used by You to select login methods. The service does not ask for Personal Data, but will remember login method choice for thirty (30) days using a persistent cookie. A persistent cookie is also used to support load balancing (see Cookies).

 

CIRRUS PROXY AND CIRRUS BRIDGE

Cirrus Proxy and Cirrus Bridge are technology solutions the Customer may use to allow You to access Their services. Both the Proxy and the Bridge process Your Personal Data to enable access, but do not collect or store Your Personal Data. To enable access, the solutions will utilize session cookies while You are logged in, and a persistent cookie is used to support load balancing (see Cookies).

Transactions processed by the Cirrus Proxy and the Cirrus Bridge are logged. This can include any Personal Data needed to enable access (see Logging).

 

CIRRUS MFA

Cirrus MFA is a technology solution the Customer may use to increase security when You access Their services. Cirrus MFA processes and stores Your Personal Data. This will include your email address, a machine generated identifier, and an associated security token. You must store this security token on a local device (mobile phone app, or other device capable of storing OATH-TOTP tokens). To enable access, the solutions will utilize session cookies while You are logged in, and a persistent cookie is used to support load balancing (see Cookies).

Transactions processed by Cirrus MFA are logged. This can include any Personal Data needed to enable access (see Logging).

 

CIRRUS CONSOLE

The Cirrus Console is a solution used by Authorized Administrative Users and Sponsors. Both must be designated by the Customer. Authorized Administrative Users use the Console to configure other Cirrus Identity services and conduct support operations. Sponsors use the Console to send invitations to You, to monitor the status of sent invitations, to renew invitations, and to revoke invitations.

The Cirrus Console requires the Customer to assert Personal Data about Authorized Administrative Users or Sponsors to control access. One or more of the following Personal Data will be sent sent by the Customer to the Cirrus Console:

Organizational email address

Organizational identifier called eduPersonPrincipalName

Instead of sending Personal Data, the Customer may choose to send a membership designation called eduPersonScopedAffiliation, or an entitlement designation called eduPersonEntitlement to enable access.

Transactions conducted in the Cirrus Identity Console are logged (see Logging) and may be reviewed to maintain security. Configuration and other data entered into the Cirrus Console is covered by the contract with the Customer.

To enable access, the solutions will utilize session cookies while Authorized Administrative Users or Sponsors are logged in, and a persistent cookie is used to support load balancing (see Cookies).

 

CIRRUS IDENTITY SUPPORT CENTER

The Cirrus Identity Support Center is a solution used by Authorized Administrative Users of the Customer to obtain customer service from Cirrus Identity. The solution is based on a third party solution (FreshDesk -- https://freshdesk.com/) in conjunction with the Cirrus Proxy. The Cirrus Identity Support Center requires the Customer to assert the Authorized Administrative User’s organizational email address and identifier called eduPersonPrincipalName to the console.

Transactions conducted in the Cirrus Identity Support Center are logged (see Logging) and may be reviewed to maintain security. Both the Cirrus Proxy and FreshDesk set cookies to support the operation of the application (see Cookies). Support information and other data entered into the Cirrus Identity Support Center would be covered by the contract with the Customer.

 

CIRRUS IDENTITY WEBSITE, SOCIAL MEDIA, AND MARKETING

For Cirrus Identity to serve its customers, it must participate in the marketplace. To accomplish this, Cirrus Identity maintains a website, presence on multiple social media platforms, and tools to deliver content to individuals interested in our solutions. Cirrus Identity may request Your email address to receive updates and information from Us. Cirrus Identity may include in Its communication people who have subscribed to mailing lists, and people who have been identified as having a legitimate interest in Our solutions. In all cases Cirrus Identity will provide an option to opt-out of communications (see “Your Choices” section).

The website (“www.cirrusidentity.com”, “info.cirrusidentity.com”, and “blog.cirrusidentity.com”), LinkedIn social media platform, and content delivery tools (Hubspot) make use of cookies or tools such as Google Analytics as part of their operation. These cookies are set and maintained by Google, Hubspot, and DoubleClick with life spans from one (1) day to two (2) years. Most browsers allow these third-party cookies to be disabled by adjusting the browser settings (see Cookies).

 

USE OF PERSONAL DATA

Cirrus Identity uses Personal Data to deliver Services to Customers and ultimately to You. To accomplish this, We process requests, complete transactions, deliver notices, fulfill requests, monitor access, aggregate metrics, report on activity, or perform other information processing in any other way appropriate to ensure You are able to use Cirrus Identity Services to access Customer applications and to meet the contractual agreements with Our Customers.

Cirrus Identity may use or aggregate any of the data we collect through the Services to understand how Cirrus Identity Services are used. We do this to improve the Services we provide to You and Our Customers, as well as to develop new solutions for future release. If Cirrus Identity needs to consider Personal Data for this purpose the data is only used in aggregate form.

 

DISCLOSURE OF DATA

 

CIRRUS IDENTITY AS A BROKER

Some Cirrus Identity Services (Cirrus Gateway, Cirrus Proxy, Cirrus Bridge) act as a broker or data processor between identity providers (for example Google, Microsoft, enterprise providers, and others) and Customers. You log in with one of those identity providers and Personal Data is shared with Customers using Cirrus Identity Services. Customers configure the connections to the identity providers in Cirrus Identity Services and are responsible for maintaining developer accounts or other integration agreements with each identity provider. Cirrus Identity has access to Personal Data provided by identity providers, but processes it on behalf of the Customer according to an established contract.

Other Cirrus Identity Services (Invitation, Account Linking, OrgBrandedID, and MFA) may be configured by Customers to collect limited Personal Data directly from You. For example, The Customer may configure Cirrus Account Linking to prompt You to supply Your email address when linking a login method to an identifier provided by the Customer. During this process, the Customer can configure the service to request You to accept some terms and conditions as part of using the service. In cases like this example, Cirrus Identity has both a data processing function and a data controlling function jointly with The Customer.

 

END USER CONSENT

In those cases where Cirrus Identity acts as a broker for the Customer, We have no direct relationship with You when You use Our Services to access a Customer’s application. When You register with a login method (for example Google, Microsoft, or others), You agree to terms and conditions for those providers, including release to a third party. In this case, the third party is the Customer that is operating the application you are accessing.

In those cases where Cirrus Identity is directly collecting personal data from You for the Customer, We jointly control Your Personal Data with the Customer. We rely on the Customer to be Your point-of-contact for providing consent and addressing Your questions about privacy. Again, this is because Our Services are used to enable You to access a Customer’s application.

In all cases, Customers are data controllers of Your personal data. Cirrus Identity Customers are responsible for obtaining consent from You to use Your Personal Data with Cirrus Identity Services to which the Customer subscribes. Cirrus Identity Customers are also responsible for addressing any questions you might have about how Your Personal Data is used, and fulfilling any legal obligations to You to provide, correct, or delete Your Personal Data. Cirrus Identity will assist the Customer as appropriate, but the Customer will be your primary point-of-contact for any requests.

 

INTEGRATION BETWEEN CUSTOMER AND LOGIN METHOD

In the course of using the Cirrus Gateway to configure the use of OAuth-based social identities, an Authorized Administrative User for the Customer will be required to register directly with one or more social identity providers; and create an API key-secret pair for each integration between the Cirrus Gateway and the social identity provider. In so doing, the Customer must accept and agree to the terms and conditions set by each social identity provider regarding management of Your Personal Data that may be supplied by a given social identity provider and which, in turn, is exposed via the integration.

When You authenticate via a login method to third party services (such as applications managed by the Customer) many social identity providers present an "attribute release consent screen" where You agree to release Personal Data to the Customer. Personal Data passed to the Customer from social identity providers using the Cirrus Gateway is not Customer data, but has been released to the Customer as a third party.

At all times, the Customer controls the processing of Your Personal Data (see Cirrus Gateway section). The Customer is responsible for handling your Personal Data in compliance with all applicable laws.

 

INTEGRATION BETWEEN CUSTOMER AND FEDERATED IDENTITY PROVIDER

Cirrus Identity helps Customers to enable federated identity. In the most basic form, federation allows You to leverage a login at one organization (University A) to access an application at another organization (University B). To enable this method of login, legal entities called federations are established to manage agreements between organizations. Federations exist across the world (https://refeds.org/federations/federations-map) and Cirrus Identity belongs to both the InCommon Federation (https://www.incommon.org/) based in the United States (US) and the UK Access Management Federation (https://www.jisc.ac.uk/uk-federation) based in the United Kingdom.

When You authenticate via a federated identity provider to applications managed by the Customer, the federated identity provider may release Your Personal Data to the Customer’s application. Cirrus Identity Services may be used to enable this access to the Customer’s application. The control of this data passing through Cirrus Identity Services depends on the relationship between the federated identity provider and the Customer.

For organizations that participate in a common federation, this exchange of data may be governed by federation agreements. In other cases, there may be bilateral agreements. At all times, the Customer controls the processing of Your Personal Data (see “How Data is Collected” section). The Customer is responsible for handling your Personal Data in compliance with all applicable laws.

 

DATA CONTROLLER AND DATA PROCESSOR

As stated in the “End User Consent” section, Cirrus Identity’s Customers are always considered data controllers for Your personal data. Cirrus Identity will not disclose or release Your personal data or the data of Our Customers to another third party unless directed to by the Customer or in situations where release of data is required or appropriate. This includes, but is not limited to (i) outside service providers who are bound by confidentiality in connection with the provision of the Services, (ii) when Cirrus Identity has a good faith belief in the need to protect its rights or the rights of others, (iii) to protect the integrity of the Services, (iv) to protect the safety of others, (v) in connection with violations of the Service terms of use or applicable law, or (vi) to detect, prevent or respond to fraud or intellectual property infringement.

As outlined in the “Use of Personal Data” section, Cirrus Identity aggregates data for the purposes of monitoring and measuring how Our Services are being used. Cirrus Identity reserves the right to share aggregate data about the use of Our Services as long as the aggregate data cannot be used to identify an individual or a Customer. This can include but is not limited to the number of users, social identity providers it registers, number of sales, website traffic, and utilization.

 

CHANGE OF OWNERSHIP

We may disclose or transfer Your Personal Data and the data of Our Customers in connection with an acquisition, merger, or sale of all or a substantial portion of Our business, with or to another company. In such an event, Customers will receive notice if data is transferred and becomes subject to a substantially different privacy policy.

 

SECURITY

Cirrus Identity follows generally accepted industry standards to protect Your Personal Data and the data of Our Customers. We will deploy the Services in an environment that implements commercially reasonable administrative, physical, and technical safeguards for protection of the security, confidentiality, integrity, and privacy of Personal Data.

Those safeguards will include commercially reasonable measures to prevent unauthorized use, access, processing, destruction, loss, alteration, or disclosure of both Your Personal Data and any Customer data. Examples but not a full list of those safeguards include virtual private networks, encryption of data, and multiple layers of access control.

While we take security very seriously, we recognize any technology or process will contain flaws. We practice a defense in depth strategy in an effort to manage this reality. However, if You believe Your Personal Data has been compromised, or you have questions about Our security practices, please contact Us as indicated in the “Contacting Us” section.

 

DATA TRANSFER

Cirrus Identity Services are currently hosted in the United States (US). This means Cirrus Identity processes and stores Your Personal Data using service providers in the US. The US may not have the same data protections as the jurisdiction in which You are currently using Cirrus Identity Services. If You choose to use Cirrus Identity Services from other regions of the world where data protection laws differ from current US law, understand that, unless explicit exceptions are granted via contract, You may be transferring Personal Data outside of those regions to the US for storage and processing according to the Cirrus Identity Terms of Service and this privacy policy.

Where appropriate, Cirrus Identity may add a Data Protection Addendum (“DPA”) to the Cirrus Identity Customer’s agreement to define the terms of any transfer of Personal Data outside of the European Economic Area ("EEA"), Switzerland, or the United Kingdom ("UK"). Our DPA with Cirrus Identity Customers makes use of Standard Contractual Clauses approved by the appropriate jurisdiction. Please contact Us as indicated in the “Contacting Us” section if You need more information about the legal mechanisms We rely on to transfer Personal Data outside the EEA, Switzerland, and UK. We may direct Your inquiry to the appropriate Cirrus Identity Customer for further assistance.

Contractual Clauses approved by the appropriate jurisdiction. Please contact Us as indicated in the “Contacting Us” section if You need more information about the legal mechanisms We rely on to transfer Personal Data outside the EEA, Switzerland, and UK. We may direct Your inquiry to the appropriate Cirrus Identity Customer for further assistance.

 

DATA RETENTION

Our processing and storage of Your personal data is guided by the contracts with Cirrus Identity Customers to use Cirrus Identity Services (See Disclosure of Data). In general, Personal Data is retained as follows:

Services that require the storage of Your Personal Data (Cirrus Account Linking, Cirrus Invitation Service, Cirrus OrgBrandedID, and Cirrus MFA), retain data for the duration of the contract with the Customer. Cirrus Identity will delete Your Personal Data and/or the data of the Customer upon the request of the Customer, or thirty (30) calendar days after the contract with the Customer terminates. The Customer has thirty (30) calendar days from the effective termination date of the Customer’s Service contract with Cirrus Identity to request Cirrus Identity to make data controlled by the Customer (including Your Personal Data) available for download by the Customer as provided in the Service’s documentation. After the 30-day availability period, Cirrus Identity will have no obligation to maintain or provide access to Customer data or Your Personal Data. Thereafter, Cirrus Identity will delete the operational data from Cirrus Identity systems or otherwise in Cirrus Identity’s possession or control as provided in the documentation, unless legally prohibited from doing so. Data contained in transaction logs and system backups will be deleted according to those respective data retention schedules.

Transaction logs and system backups that may contain Your Personal Data or the data of the Customer are retained for one (1) year and then deleted.

Data retained by Cirrus Identity will be handled in accordance with this Privacy Policy until it is deleted.

 

MINORS AND CHILDREN’S PRIVACY

Cirrus Identity does not knowingly accept any Personal Data from children under 13 years of age. If You become aware that Your child or any child under Your care has provided Us with Personal Data without Your consent, please contact Us as indicated in the “Contacting Us” section. We may direct Your inquiry to the appropriate Cirrus Identity Customer for further assistance.

 

YOUR CHOICES

 

COMMUNICATIONS

You or other parties may supply Cirrus Identity with contact information to receive news and updates on Our Services. In some cases, You have subscribed to mailing lists. In other cases You were identified as having a legitimate interest in Our solutions. You may opt-out of such notices by following unsubscribe instructions included in correspondence, included on Our website, or by contacting privacy@cirrusidentity.com.

 

SHARING, UPDATING, OR DELETING DATA

You may choose to not share certain Personal Data with Cirrus Identity, in which case We may not be able to provide Services that allow You access to Customer applications.

You and Our Customers may update or correct information provided to Cirrus Identity using Cirrus Identity Services, or by contacting privacy@cirrusidentity.com.

You and Our Customers may delete information provided to Cirrus Identity using Cirrus Identity Services, or by contacting privacy@cirrusidentity.com. If You delete Your information, Our Customers or Cirrus Identity may no longer be able to provide some Services to You.

Data supplied to the Cirrus Gateway by any of the login methods listed in the “Cirrus Gateway Section” must be corrected by You at each login method (such as Google, Microsoft, or others). After making corrections, You may still have to contact the Customer to also have the change reflected. An example of this would be if You used LinkedIn for the Cirrus Account Linking and the Customer uses the email address You have listed in LinkedIn. If you change this email address in LinkedIn, You may also have to notify The Customer of the change.

 

CONTACTING US

Questions, concerns, or complaints regarding this Privacy Policy, Your Personal Data, Our use and disclosure practices, or Your consent choices should be directed by email to privacy@cirrusidentity.com. Cirrus Identity reserves the right to direct Your inquiry to the appropriate Cirrus Identity Customer for further assistance. Questions or concerns about security issues should be directed to security@cirrusidentity.com.

cirrus-cloud-logo

Want to hear more?

Talk to Us!

cirrus-cloud-logo