Brivo Services Privacy Statement
Effective Date: October 23, 2023
At Brivo®, privacy and security are core elements of our service. This Brivo Services Privacy Statement (the “Privacy Statement”) describes Brivo’s privacy practices in relation to the data Brivo receives through the use of hardware, services and applications provided by Brivo (collectively, the “Brivo System”). Brivo Systems LLC and its subsidiaries are collectively referred to in this Privacy Statement as “Brivo”.
This Privacy Statement applies to the following:
- Personal information that a Customer’s Administrator, or Brivo Reseller, inputs or uploads or that is otherwise captured by the Brivo System;
- Activity and event data that is automatically collected by Customers using the Brivo System; and,
- Personal information acquired by or captured about Customers, their users and visitors, in order to establish or maintain their business relationship with Brivo.
Collectively this is considered “Customer Data”.
Roles of Customers, Resellers and Brivo in Protection of Customer Data
Brivo provides the Brivo System to Customers via its Reseller channel. Resellers selected by the Customer handle the initial setup and configuration of the Customer’s Brivo account. Customers can choose what data to share with the Reseller and/or Brivo during the set-up process. After the initial set-up, the Customer’s access to the Brivo System is limited to its authorized Administrators.
Customers are responsible for verifying that all individuals who are designated as Administrators are authorized by the Customer for the levels of access granted. In general, Brivo recommends that the Customer designate an employee of the Customer to be the Primary Administrator. If the Customer chooses to permit an individual who is not an employee of the Customer (such as, for example, an employee of a Reseller) to have any administrative rights or other access or privileges to the Customer’s account or Customer Data, the Customer is responsible for monitoring the third party’s access to and use of the account and Customer Data. Brivo is not responsible for any unauthorized use or misuse of the Customer’s account access, account privileges or Customer Data by anyone using access provided by the Customer.
COLLECTION AND USE OF CUSTOMER DATA
Customers are responsible for ensuring that Customer Data is collected and processed in accordance with all applicable laws. Since Customer Data is managed by the Customer, the Customer is responsible for providing appropriate notice and choice regarding Brivo’s processing of Customer Data on behalf of the Customer. If an individual has any questions or concerns related to Brivo’s handling of Customer Data pertaining to them, he or she may contact us at firstname.lastname@example.org and we will work with the applicable Customer to address the concern.
Brivo may also collect personal information from Customer employees, contractors or agents in order to properly manage Brivo’s business relationship with Customer. Customers will receive login credentials to manage their Brivo System accounts, including such personal information.
Types of Customer Data Collected Related to the Brivo System
Brivo collects the following types of Customer Data:
- Information provided by Customers: The Brivo System provides the capability for Customers to store basic personal information such as an individual’s name, credential number, email address and photograph. This information is used to correlate events to the correct individual, as well as to enable notifications and mobile application functionality. The Customer is solely responsible for determining if storage of this data is appropriate and permitted in the context of applicable laws and regulations.
- Information generated from security events: The Brivo System is used by the Customer to collect activity and event data. For example, the Customer can use the Brivo System to record that an access credential was used at a particular door at a certain time. Through correlation with the information a Customer provides, Brivo may be able to tie an access event to a particular individual’s credential.
- Log Information: The Brivo System records the actions of Administrators, as well as the status and the settings of various devices that have been configured to operate with the Brivo System. Log information may be used by the Customer to review the activity of Administrators.
- Mobile Applications: Brivo provides mobile applications which can optionally be used with the Brivo System. The Brivo Mobile App provides administrative access to the Brivo System. Brivo Mobile Pass is a form of digital credential used, for example, to authorize physical access to a building. Brivo uses Wi-Fi and Bluetooth to identify when the device is within proximity to applicable available Brivo readers to open the proper lock or door. In order to use the services of the Brivo Mobile App, various features such as location services, Wi-Fi and Bluetooth communication must be activated on the mobile device.
Customer Data may be used by Brivo to:
- Enable event notifications and Brivo Mobile Pass functionality.
- Contact the Customer to inform them of product and service enhancements that Brivo thinks may be of interest to them.
- Provide important service notices regarding the Brivo System and related devices. (While Customers use Brivo System services, it will not be possible to opt out of communications regarding Brivo System service notices.)
- Ask the Customer to participate in surveys that help Brivo better understand the Customer’s needs in order to improve Brivo products and services.
Brivo also shares data with relevant third-party service providers when explicitly authorized by Administrators in the relevant Brivo System account; for example, to enable integrations via Brivo’s Application Programming Interface (API).
Compliance with General Data Protection Directive (GDPR)
Application of the GDPR for Brivo:
In Brivo’s role as a Data Processor, Brivo is the responsible custodian of the Data Subject’s data, performing this role on behalf of the Data Controller. The Data Controller is completely responsible to determine what data is captured, stored and processed within the Brivo System. Brivo does not share, sell, rent or trade personally identifiable information with third parties unless directed by a Data Controller.
Within Brivo’s service model, most Data Subjects will have limited direct interaction with the Brivo System applications that capture and store their data. This interaction by Data Subjects will primarily be via the Brivo Mobile Pass application. Most Data Subjects will be employees, visitors or contractors of the Data Controller. Data is captured based on their relationship with the Data Controller. The Data Controller is responsible for gaining necessary consent from the Data Subject regarding the data to be stored. In cases where a Data Subject requests Customer Data to be deleted from the Brivo System, Brivo will refer such request to the Data Controller for adjudication.
The GDPR includes provisions that grant Data Subjects portability rights in their personal data. Brivo will coordinate with Data Controllers and, as applicable, Data Subjects, when requested to delete or port data. Brivo provides for portability and is continually working to enhance its data export capabilities.
GDPR Right of Individual Access and Limited Use
Those residing within the European Economic Area may request to access, correct or to limit the use of their personal information within the Brivo System by submitting a request to Brivo at email@example.com or by contacting us as set forth below.
Brivo maintains a comprehensive, written information security program that contains industry standard, administrative, technical, and physical safeguards designed to prevent unauthorized access to Customer Data.
Brivo has the distinction of being one of the first building security platforms to be SOC 2 audited and being the first physical security software-as-a-service (SaaS) company to utilize the SSAE 16/18 framework to provide security review. Brivo undertakes an independent third party annual SOC 2 audit that reviews certain of its internal controls and processes. Brivo also is certified under ISO27001. Brivo recognizes that the GDPR will help it move towards the highest standards of operations in protecting Customer data.
Law Enforcement Requests
Brivo may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
Data Location & Transfer of Information
Brivo stores all Customer Data in the continental United States or Europe depending on the instance you use. To facilitate Customers’ global operations, Brivo transfers some information to the United States and provides access to that information to Customers around the world.
Accountability for Onward Transfer of Personal Data
Except as otherwise provided herein, Brivo may share personal information with third parties in connection with the operation of our business and consistent with the purpose for which the personal information was collected.
If Brivo becomes aware of any improper access, unauthorized use or disclosure of Customer Data (a “Data Breach”), Brivo will analyze the facts of the Data Breach in the context of applicable laws, regulations, policies and contractual obligations to determine the appropriate notification process. Brivo will conduct notifications in a timely manner after becoming aware of a Data Breach and take reasonable steps to minimize harm and mitigate further risks to Customer Data.
If you have questions regarding this Privacy Statement or if you need to request access to or update, change or removal of personal information that we control, you can do so by contacting:
Brivo Systems LLC
7700 Old Georgetown Road, Suite 300
Bethesda MD, 20814 USA
CALIFORNIA PRIVACY RIGHTS (FOR CALIFORNIA RESIDENTS ONLY)
California law may provide California residents with additional rights regarding our use of their personal information. To learn more about the privacy rights of California residents, visit our CCPA Privacy Notice page.
CERTAIN RIGHTS FOR RESIDENTS OF COLORADO, CONNECTICUT, UTAH and VIRGINIA
Residents of Colorado, Connecticut, Utah and Virginia may have additional rights under applicable state law. Please contact Brivo as described above with any questions you may have.
Changes to this Privacy Statement