Effective Date: May 25th 2018.
At Brivo, privacy and security are core elements of our service. Accordingly, we are always conscious and respectful of the privacy and confidentiality of individuals who visit Brivo’s websites (“Visitors”), individuals who use our services (“Subscribers”), individuals who develop applications using Brivo’s APIs (“API Partners”), individuals engaged in selling Brivo’s products (“Partners”) and individuals or companies seeking a business relationship with Brivo (“Applicants”).
This Privacy and Security Policy covers the information practices of websites that link to this policy, collectively referred to as Brivo’s websites.
Brivo.com is our public website which also contains a login portal for our Brivo Onair® application. Brivo Onair (acs.brivo.com) is our application for delivering physical security management services using the Software as a Service (SaaS) model. Brivo Onair uses a common interface to control and display elements related to physical access control, ID badging, and video surveillance. Brivo Onair is a web-hosted application that allows Subscribers to manage physical security devices and monitor security events from their facilities.
Brivo’s websites may contain links to other websites. The privacy statements of those websites govern the information practices and the content of those websites. Brivo encourages you to review the privacy statements of other websites to better understand their information practices.
Brivo Business Data Privacy Statement
This Statement applies to the following:
- Personal information we collect through public websites operated by Brivo.
- Personal information we collect about you in the course of interacting with you, such as when you engage with us as a customer, potential customer, vendor, service provider, potential Partner, Partner, Applicant, consultant, contractor or other third party in relation to the operation of our business generally. This includes sales, marketing, business contact or registration activities conducted by Brivo.
Collectively this is considered “Business Data”.
This statement does not apply to:
- Personal information Subscribers or Subscriber Administrators input, upload or otherwise capture into Brivo services and systems.
- Activity and event data (including video) that is automatically collected by Brivo’s services in our role as a Data Processor.
- Personal information captured about Partners in order to establish or maintain their business relationship as an API Partner or Reseller of Brivo products and services.
Collectively this is considered “Account Data”. For more information on the handling of Account Data, please refer to the Brivo Services Privacy Statement below.
COLLECTION AND USE OF BUSINESS DATA
Brivo collects only the personal information necessary to enable us to respond to your requests for our products and services. When you use our websites, complete forms, schedule a demo, respond to a survey, complete a Partner application, contact us or otherwise interact with our business, we usually collect personal information such as your name, e-mail address, postal address, company name, telephone number and any other information you choose to provide that will enable us to provide an appropriate response to you.
The information you share with us is never sold to third parties, but may be shared with our Partners once you confirm that you would like to move forward with purchasing our services.
You can opt out of providing information by not entering it or not providing it if asked. If you wish to subscribe to news and information, we will use your email address information for this purpose. We will also provide you a way to unsubscribe.
Google Analytics is a web analysis service provided by Google that utilizes cookies to monitor web-traffic on our Websites. We use Google Analytics to collect, track and examine data about the Websites’ usage. We may run reports based on the data we collect and we may share the data with other Google services.
Brivo Services Privacy Statement
This Statement applies to the following:
- Personal information you or your Administrators input, upload or otherwise capture into Brivo services and systems.
- Activity and event data (including video) that is automatically collected by Brivo’s services in our role as a data processor.
- Personal and business information captured about Customers, Partners or Applicants in order to establish or maintain their business relationship with Brivo.
Collectively this is considered “Account Data”.
COLLECTION AND USE OF ACCOUNT DATA
Our Subscribers and Partners are responsible as Data Controllers for ensuring (i) their Data Subjects receive proper notice of the Data Controllers’ privacy practices, and that (ii) Account Data is obtained in accordance with all applicable laws. Since Account Data is managed by the Data Controllers, the Data Controller is responsible for providing appropriate notice and choice to its Data Subjects regarding our processing of Account Data on its behalf. If a Data Subject has any questions or concerns related to our handling of their data, the Data Subject may contact our Data Protection Officer via email@example.com and we will work with the Subscriber and/or Partner to address the concern.
From Partners, Brivo collects the personal information that is needed to properly manage our business relationship. Brivo Partners will receive login credentials to manage Subscriber accounts. Partners are able to create a new account for each Subscriber by providing Account Name, Reference Numbers, Username, and Email address. We only collect this information for the purposes of allowing you to manage your Subscriber accounts and for conducting business with Brivo.
Types of Account Data Collected related to Brivo Onair Services
Brivo collects information for the purposes of providing Brivo Onair services. We collect information in the following ways:
- Information provided by Subscribers: Brivo Onair provides the capability for Subscribers to store basic personal information such as an individual’s name, credential number, email address, phone number and photograph. This information is used to correlate security events to the correct individual, as well as to enable notifications and Brivo Onair Pass functionality. Though the system has the capability to store a number of personal data elements, these items are not essential for operation of the system.
- Information generated from events: Brivo Onair collects access control and video event data. For example, Brivo Onair records that an access card was used at a particular door at a certain time. This event may also be recorded on video, if that service is active. Through correlation with the information our Subscribers provide, we can tie that access event and video to a particular individual’s credential.
- Log Information: Brivo Onair records the actions of system Administrators, as well as the status and the settings of various devices that have been configured to operate with Brivo Onair. Log information is used by the Data Controller to review the activity of Administrators.
- Mobile Applications: Brivo provides mobile applications which can optionally be used with Brivo Onair. The Brivo Onair Mobile App (BOMA) provides administrative access to the system under the same conditions as using a web-browser. Brivo Onair Pass (BOP) is a form of digital credential used for physical access to a building. We collect information about the location of the device and information about Brivo Tri-Tech readers within Bluetooth range of the application to simplify connectivity to open the door. In order to provide these services Brivo collects various types of device, WiFi access point data and Bluetooth data. In order to use these services various features such as location services, WiFi and Bluetooth communication will need to be activated on your mobile device.
- Third Parties: Brivo shares data with relevant third party processors when explicitly authorized by Administrators in the relevant Brivo Onair account; for example, to enable integrations via our Application Programming Interface (API).
Account Data may be used by Brivo to:
- Enable event notifications and Brivo Onair Pass functionality.
- Contact you to inform you of product and service enhancements that we think may be of interest to you.
- Provide important service notices regarding the Brivo Onair application and related devices. While you use Brivo services, it will not be possible to opt out of communications regarding service notices.
- Ask you to participate in surveys that help us better understand your needs in order to improve our products.
Roles of Customers, Partners and Brivo in Protection of Brivo Onair Account Data
Brivo provides products to end customers via its authorized Partner channel. Brivo’s Partners handle the initial setup and configuration of the Brivo applications, services and hardware (collectively, the Brivo System). Customers can choose what data to share with the Partner and/or Brivo during the set-up process. After initial set-up, access to the Brivo System is limited to authorized Administrators.
Customers are responsible to verify that all Administrators of the Brivo System are authorized by them for the levels of access granted. In general, the customer should be the master Administrator for their Brivo System. In the event that the customer chooses to permit the Brivo Partner to have administrative rights to the Brivo System, the Customer is responsible for monitoring the Partner’s access to Account Data.
Brivo employees have access to Account Data solely to provide our services and in response to specific customer and Partner requests for technical support. Brivo will access Customer Data only for the purposes of providing the Services, preventing or addressing service or technical problems, or as may be required by law.
Brivo GDPR Compliance Statement
The EU General Data Protection Regulation (GDPR) is a data protection regime that becomes effective on May 25th, 2018. The GDPR extends the scope of the EU data protection law to all foreign companies processing data of EU residents.
The GDPR provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime.
At Brivo, privacy and security are core elements of our service. Accordingly, we are always conscious and respectful of the privacy and confidentiality of individuals who visit Brivo’s websites, use our services, develop applications using Brivo’s APIs and resell Brivo’s products.
Brivo maintains a comprehensive, written information security program that contains industry standard, administrative, technical, and physical safeguards designed to prevent unauthorized access to Customer Data. Brivo does not share, sell, rent or trade personally identifiable information with third parties.
Brivo has the distinction of being one of the first building security platforms to be SOC 2 audited and being the first physical security software-as-a-service (SaaS) company to utilize the SSAE 16/18 framework to provide security review. Brivo undertakes an independent third party annual SOC 2, Type 1 audit that reviews certain of its internal controls and processes. We recognize that the GDPR will help us move towards the highest standards of operations in protecting customer data.
Brivo is able to execute strong Data Processing Agreements based on the EU standard contractual clauses in accordance with Article 26(2) of Directive 95/46/EC to meet the requirements of the GDPR.
Application of the GDPR for Brivo:
In the context of the GDPR, individuals with data stored in Brivo Onair or individuals using Brivo applications are considered Data Subjects. Brivo end-users and in some cases Brivo Resellers are considered Data Controllers. Brivo is a Data Processor.
In Brivo’s role as a Data Processor, we are the responsible custodian of the Data Subject’s data, performing this role on behalf of the Data Controller. The Data Controller is completely responsible for determining what data is captured, stored and processed within our application. The Data Controller is the owner of the data. Brivo does not rent, share, disclose or sell any data owned by the Data Controller.
Within our service model, most Data Subjects will have limited direct interaction with the Brivo application that captures and stores their data. This interaction will primarily be via the Brivo Onair Pass application. Most Data Subjects will be employees, visitors or contractors of the Data Controller. Data is captured based on their relationship with the Data Controller. The Data Controller is responsible for gaining explicit consent from the Data Subject regarding the data to be stored. Data Subject requests to purge data from Brivo, subject to Brivo’s SLA with the Data Controller, will be adjudicated by the Data Controller.
The GDPR includes provisions that grant Data Subjects portability rights in their personal data. Any personal data we store on behalf of Data Controllers belongs to the Data Subject. We will coordinate with Data Subjects and, as applicable, Data Controllers, when requested to delete or port data. We provide for portability and are continually working to enhance our data export capabilities.
Privacy and security are core elements of Brivo’s services, so we are committed to the spirit and intent of the GDPR. While we have a solid data protection foundation in place, we recognize the need to make additional required operational changes resulting from the new legislation.
We have an internal cross-functional team who continue to monitor GDPR as it evolves, and who will continue to inform our strategy for GDPR. We will continue to monitor the GDPR and evolve our systems and processes to ensure continued compliance.
Right of Individual Access and Limited Use: European Union citizens may request access to or limited use of their personal data within the Brivo system by submitting a request to Brivo’s Data Protection Officer at firstname.lastname@example.org or by calling +1 301-664-5242.
Lawful Requests: Brivo also may disclose Personal Data for other purposes or to other Third Parties when a Data Subject has consented to or requested such disclosure. Please be aware that Brivo may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. Brivo is liable for appropriate onward transfers of personal data to third parties.
Data Location & Transfer of Information
Brivo stores all Account Data in the continental United States. To facilitate our Subscribers’ global operations, Brivo transfers information to the United States and provides access to that information to Subscribers around the world.
The security of Account Data, including personal data, is very important to Brivo. Brivo maintains a comprehensive, written information security program that contains industry standard, administrative, technical, and physical safeguards designed to prevent unauthorized access to Customer Data. Brivo Onair is capable of safeguarding Personally Identifiable Information (PII), in accordance with NIST SP 800-122 and OMB memos M-06-16 and M-07-16 with specific provisions enabled by the Subscriber.
Brivo commits to resolve complaints about our collection or use of your personal information. Individuals with inquiries or complaints should contact Brivo’s Data Protection Officer at email@example.com or +1 301-664-5277.
If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed by Brivo, you may seek redress at www.jamsadr.com/about/submit-a-case, where you can find more information or file a complaint. The services of www.jamsadr.com are provided at no cost to you.
If you have questions regarding this Statement or if you need to request access to or update, change or removal of personal information that we control, you can do so by contacting:
Brivo Data Protection Officer
Brivo Systems LLC
7700 Old Georgetown Road, Suite 300
Bethesda MD, 20814 USA
Changes to this Privacy Statement
Brivo reserves the right to change this Privacy and Security Policy from time to time, but will alert you that changes have been made by indicating on this Statement the date it was last updated.
Capitalized terms in this Privacy and Security Policy have the following meanings:
“Account Data” is data collected by Brivo in our role as a Data Processor based on a contracted service relationship.
“Administrator(s)” are individuals with a log-on to the Brivo Onair application.
“Applicants” are prospective employees or partners seeking to have a business relationship with Brivo.
“Business Data” means personal data collected through your interaction with our websites and via non-contractual sales, marketing and general business contact activities conducted by you and Brivo.
“Customers” are end-users of Brivo products.
“Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Data Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
“Data Subject” means an identified or identifiable natural living person. An identifiable person is one who can be identified, directly or indirectly, by reference to a name, or to one or more factors unique to his or her personal physical, psychological, mental, economic, cultural or social characteristics.
“Employee” means an employee (whether temporary, permanent, part-time, or contract), former employee, independent contractor, or job applicant of Brivo or any of its affiliates or subsidiaries, who is also a resident of a country within the European Economic Area.
“Europe” or “European” or “EU” refers to a country in the European Union.
“Personal Data” as defined under the European Union Directive 95/46/EC means data that personally identifies or may be used to personally identify a person, including an individual’s name in combination with country of birth, marital status, emergency contact, salary information, terms of employment, job qualifications (such as educational degrees earned), address, phone number, e-mail address, user ID, password, and identification numbers. Personal Data does not include data that is de-identified, anonymous, or publicly available. For Switzerland, the term “person” includes both a natural person and a legal entity, regardless of the form of the legal entity.
“Sensitive Data” means Personal Data that discloses a Data Subject’s medical or health condition, race or ethnicity, political, religious or philosophical affiliations or opinions, sexual orientation, or trade union membership.
“Third Party” means any individual or entity that is neither Brivo nor a Brivo employee, agent, contractor, or representative.
This Privacy and Security Policy is effective as of May 25th 2018.