Brivo Services Privacy Statement
Effective Date: June 1, 2020
At Brivo®, privacy and security are core elements of our service. This Brivo Services Privacy Statement (the “Privacy Statement”) describes Brivo’s privacy practices in relation to the data Brivo receives through the use of hardware, services and applications provided by Brivo (collectively, the “Brivo System”). Brivo Systems LLC and its subsidiaries are collectively referred to in this Privacy Statement as “Brivo”.
This Privacy Statement applies to the following:
- Personal information that a Customer, a Customer’s Administrator, or Partner, inputs, uploads or otherwise captures in the Brivo System;
- Activity and event data that is automatically collected by Customers using the Brivo System; and,
- Personal and business information captured about Customers and their users, Partners and/or applicants in order to establish or maintain their business relationship with Brivo.
Collectively this is considered “Account Data”. “Administrator” means individual administrators of the Brivo System authorized by the Customer, which may, in the discretion of the Customer, include Customer’s employees, agents and contractors. “Customer” means an end user customer of the Brivo System. “Partner” means the authorized Brivo reseller or technology partner from whom a Customer obtains access and use to the Brivo System or related third-party services.
Roles of Customers, Partners and Brivo in Protection of Account Data
Brivo provides the Brivo System to Customers via its Partner channel. Partners selected by the Customer handle the initial setup and configuration of the Customer’s Brivo account. Customers can choose what data to share with the Partner and/or Brivo during the set-up process. After the initial set-up, the Customer’s access to the Brivo System is limited to its Administrators.
Customers are responsible for verifying that all individuals who are designated as Administrators are authorized by the Customer for the levels of access granted. In general, Brivo recommends that the Customer designate an employee of the Customer to be the Master Administrator. If the Customer chooses to permit an individual who is not an employee of the Customer (such as, for example, an employee of a Partner to have any administrative rights or other access or privileges to the Customer’s account or Account Data), the Customer is responsible for monitoring the third party’s access to and use of the account and Account Data. Brivo is not responsible for any unauthorized use or misuse of the Customer’s account access, account privileges or Account Data by anyone using access provided by the Customer.
COLLECTION AND USE OF ACCOUNT DATA
Customers and Partners are responsible for ensuring that Account Data is obtained and processed in accordance with all applicable laws. Since Account Data is managed by the Customer, the Customer is responsible for providing appropriate notice and choice regarding Brivo’s processing of Account Data on behalf of the Customer. If an individual has any questions or concerns related to Brivo’s handling of Account Data pertaining to them, he or she may contact our Privacy Officer via [email protected] and we will work with the applicable Customer to address the concern.
From Customers, Brivo collects the personal information that is needed to properly manage Brivo’s business relationship. Customers will receive login credentials to manage their Brivo System accounts.
Types of Account Data Collected Related to the Brivo System
Brivo collects the following types of Account Data:
- Information provided by Customers: The Brivo System provides the optional capability for Customers to store basic personal information such as an individual’s name, credential number, email address and photograph. This information is used to correlate security events to the correct individual, as well as to enable notifications and mobile application functionality. The Customer is solely responsible for determining if storage of this optional data is appropriate in the context of applicable laws and regulations.
- Information generated from events: The Brivo System is used by the Customer to collect activity and event data. For example, the Customer can use the Brivo System to record that an access card was used at a particular door at a certain time. Through correlation with the information a Customer provides, Brivo may be able to tie an access event to a particular individual’s credential.
- Log Information: The Brivo System records the actions of Administrators, as well as the status and the settings of various devices that have been configured to operate with the Brivo System. Log information may be used by the Customer to review the activity of Administrators.
Mobile Applications: Brivo provides mobile applications which can optionally be used with the Brivo System. The Brivo Onair Mobile App provides administrative access to the Brivo System. Brivo Onair Pass is a form of digital credential used, for example, to authorize physical access to a building. Brivo collects information about the location of the device and its proximity to certain available Brivo readers within Bluetooth range of the Brivo Onair Pass application to simplify authorization to open the proper lock or door. In order to provide these services, Brivo collects various types of device, Wi-Fi access point data and Bluetooth data. In order to use the services of the Brivo mobile applications, various features such as location services, Wi-Fi and Bluetooth communication will need to be activated on the mobile device.
Account Data may be used by Brivo to:
- Enable event notifications and Brivo Onair Pass functionality.
- Contact the Customer to inform it of product and service enhancements that Brivo thinks may be of interest to it.
- Provide important service notices regarding the Brivo System and related devices. While Customers use Brivo System services, it will not be possible to opt out of communications regarding Brivo System service notices.
- Ask the Customer to participate in surveys that help Brivo better understand the Customer’s needs in order to improve Brivo products and services.
Brivo also shares data with relevant third-party service providers when explicitly authorized by Administrators in the relevant Brivo System account; for example, to enable integrations via Brivo’s Application Programming Interface (API).
Compliance with General Data Protection Directive (GDPR)
Application of the GDPR for Brivo:
In the context of the GDPR, individuals resident in the European Economic Area with data stored in the Brivo System or using Brivo applications are considered “Data Subjects.” Customers (and in some cases Partners) are considered “Data Controllers.” Brivo is a “Data Processor.”
In Brivo’s role as a Data Processor, Brivo is the responsible custodian of the Data Subject’s data, performing this role on behalf of the Data Controller. The Data Controller is completely responsible to determine what data is captured, stored and processed within the Brivo System. Brivo does not share, sell, rent or trade personally identifiable information with third parties unless directed by a Data Controller.
Within Brivo’s service model, most Data Subjects will have limited direct interaction with the Brivo System applications that capture and store their data. This interaction by Data Subjects will primarily be via the Brivo Onair Pass application. Most Data Subjects will be employees, visitors or contractors of the Data Controller. Data is captured based on their relationship with the Data Controller. The Data Controller is responsible for gaining necessary consent from the Data Subject regarding the data to be stored. In cases where a Data Subject requests Account Data to be deleted from the Brivo System, Brivo will refer such request to the Data Controller for adjudication.
The GDPR includes provisions that grant Data Subjects portability rights in their personal data. Brivo will coordinate with Data Controllers and, as applicable Data Subjects, when requested to delete or port data. Brivo provides for portability and is continually working to enhance its data export capabilities.
Brivo has entered into a number Data Processing Agreements that include the EU standard contractual clauses in accordance with Article 26(2) of Directive 95/46/EC to meet the requirements of the GDPR.
Brivo will continue to monitor the GDPR and evolve Brivo’s systems and processes to ensure continued compliance.
GDPR Right of Individual Access and Limited Use
Those residing within the European Economic Area may request to access, correct or to limit the use of their personal information within the Brivo System by submitting a request to Brivo’s Privacy Officer at [email protected] or by calling us at +31 20 8880980 (The Netherlands) or + 1 301 664 5242 (USA).
Brivo maintains a comprehensive, written information security program that contains industry standard, administrative, technical, and physical safeguards designed to prevent unauthorized access to Account Data.
Brivo has the distinction of being one of the first building security platforms to be SOC 2 audited and being the first physical security software-as-a-service (SaaS) company to utilize the SSAE 16/18 framework to provide security review. Brivo undertakes an independent third party annual SOC 2 audit that reviews certain of its internal controls and processes. Brivo recognizes that the GDPR will help it move towards the highest standards of operations in protecting Customer data.
Law Enforcement Requests
Brivo may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
Data Location & Transfer of Information
Brivo stores all Account Data in the continental United States. To facilitate Customers’ global operations, Brivo transfers information to the United States and provides access to that information to Customers around the world.
If Brivo becomes aware of any improper access, unauthorized use or disclosure of Account Data (a “Data Breach”), Brivo will analyze the facts of the Data Breach in the context of applicable laws, regulations, policies and contractual obligations to determine the appropriate notification process. Brivo will conduct notifications in a timely manner after becoming aware of a Data Breach and take reasonable steps to minimize harm and mitigate further risks to Account Data.
Privacy Shield Commitment
U.S. Federal Trade Commission enforcement
Brivo’s commitments under Privacy Shield are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
In compliance with the Privacy Shield Principles, Brivo commits to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Brivo at: [email protected] or +1 301-664-5277.Brivo has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States and around the world. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS are provided at no cost to you. If neither Brivo nor our dispute resolution provider resolves your complaint, you may have the possibility to engage in binding arbitration through the Privacy Shield Panel.
Individuals have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. For additional information please go to the Privacy Shield website at https://www.privacyshield.gov/article?id=ANNEX-I-introduction
If you have questions regarding this Privacy Statement or if you need to request access to or update, change or removal of personal information that we control, you can do so by contacting:
Brivo Privacy Officer
Brivo Systems LLC
7700 Old Georgetown Road, Suite 300
Bethesda MD, 20814 USA
YOUR CALIFORNIA PRIVACY RIGHTS (FOR CALIFORNIA RESIDENTS ONLY)
If you are a California resident, California law may provide you with additional rights regarding our use of your personal information. To learn more about your California privacy rights, visit our CCPA Privacy Notice page.