Last Update: May 4, 2022
We provide important information for individuals located in the European Economic Area, Switzerland, and United Kingdom (collectively, “Europe”) in the Notice to European Users, and for California residents in the section entitled Information for California Residents.
Table of Contents
Information you provide to us. Personal information you provide to us through the Service or otherwise includes:
Information we obtain from other third parties. We may receive personal information about you from third-party sources, such as marketing partners, publicly-available sources and data providers. Our use of any information obtained from our business customers is restricted by our agreements with those business partners.
A list of our sub processors and nature of processing can be found at https://drata.com/sub-processors.
Marketing and advertising. We, our service providers and our third-party advertising partners may collect and use your personal information for marketing and advertising purposes:
Cookies and Other Information Collected by Automated Means
We, our service providers, and our business partners may automatically log information about you, your computer, and activity occurring on or through the Service. The information that may be collected automatically includes your computer type and version number, manufacturer and model, device identifier (such as the Google Advertising ID or Apple ID for Advertising), browser type, screen resolution, IP address, the website you visited before browsing to our website, general location information such as city, state or geographic area; and information about your use of and actions on the Service, such as pages or screens you viewed, how long you spent on a page or screen, navigation paths between pages or screens, information about your activity on a page or screen, access times, and length of access. Our service providers and business partners may collect this type of information over time and across third-party websites.
On our webpages, this information is collected using cookies, browser web storage (also known as locally stored objects, or “LSOs”), web beacons, and similar technologies, and our emails may also contain web beacons.
Users of the Service may have the opportunity to refer friends or other contacts to us. If you are an existing user, you may only submit a referral if you have permission to provide the referral’s contact information to us so that we may contact them.
To operate the Service. We use your personal information to:
For research and development. We analyze use of the Service to analyze and improve the Service and to develop new products and services, including by studying user demographics and use of the Service.
To comply with law. We use your personal information as we believe necessary or appropriate to comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities.
For compliance, fraud prevention, and safety. We may use your personal information and disclose it to law enforcement, government authorities, and private parties as we believe necessary or appropriate to: (a) protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims); (b) enforce the terms and conditions that govern the Service; and (c) protect, investigate and deter against fraudulent, harmful, unauthorized, unethical or illegal activity.
With your consent. In some cases we may specifically ask for your consent to collect, use or share your personal information, such as when required by law.
To create anonymous, aggregated or de-identified data. We may create anonymous, aggregated or de-identified data from your personal information and other individuals whose personal information we collect. We make personal information into anonymous, aggregated or de-identified data by removing information that makes the data personally identifiable to you. We may use this anonymous, aggregated or de-identified data and share it with third parties for our lawful business purposes, including to analyze and improve the Service and promote our business.
Partners. We may sometimes share your personal information with partners or enable partners to collect information directly via our Service.
Professional advisors. We may disclose your personal information to professional advisors, such as lawyers, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us.
For compliance, fraud prevention and safety. We may share your personal information for the compliance, fraud prevention and safety purposes described above.
Business transfers. We may sell, transfer or otherwise share some or all of our business or assets, including your personal information, in connection with a business transaction (or potential business transaction) such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution.
In this section, we describe the rights and choices available to all users. Users located in Europe can find additional information about their rights below in the section entitled Notice to European Users, and California residents can find additional information about their rights in the section entitled Information for California Residents.
Access or Update Your Information. If you have registered for an account with us, you may review and update certain personal information in your account profile by logging into the account.
Opt out of marketing communications. You may opt out of marketing-related emails by following the opt-out or unsubscribe instructions at the bottom of the email, or by contacting us at [email protected] You may continue to receive service-related and other non-marketing emails.
Cookies. Most browser settings let you delete and reject cookies placed by websites. Many browsers accept cookies by default until you change your settings. If you do not accept cookies, you may not be able to use all functionality of the Service and it may not work properly. For more information about cookies, including how to see what cookies have been set on your browser and how to manage and delete them, visit https://www.allaboutcookies.org. We use Google Analytics to help us understand user activity on the Service. You can learn more about Google Analytics cookies at https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage and about how Google protects your data at https://policies.google.com/privacy. You can prevent the use of Google Analytics relating to your use of the Service by downloading and installing a browser plugin available at https://tools.google.com/dlpage/gaoptout.
Advertising choices. You can limit use of your information for interest-based advertising by:
You will need to apply these opt-out settings on each device from which you wish to opt-out.
Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. We currently do not respond to “Do Not Track” or similar signals. To find out more about “Do Not Track,” please visit https://www.allaboutdnt.com.
Choosing not to share your personal information. Where we are required by law to collect your personal information, or where we need your personal information in order to provide the Service to you, if you do not provide this information when requested (or you later ask to delete it), we may not be able to provide you with our services. We will tell you what information you must provide to receive the Service by designating it as required at the time of collection or through other appropriate means.
The Service may contain links to other websites, and other online services operated by third parties. These links are not an endorsement of, or representation that we are affiliated with, any third party. In addition, our content may be included on web pages or online services that are not associated with us. We do not control third party websites, or online services, and we are not responsible for their actions. Other websites and services follow different rules regarding the collection, use and sharing of your personal information. We encourage you to read the privacy policies of the other websites and online services you use.
The security of your personal information is important to us. We employ a number of organizational, technical and physical safeguards designed to protect the personal information we collect. However, security risk is inherent in all internet and information technologies and we cannot guarantee the security of your personal information. Email, in particular, is an insecure way to transmit personal information. Please take special care regarding what information you send to us via email.
The Service is not directed to, and we do not knowingly collect personal information from, anyone under the age of 13. If a parent or guardian becomes aware that his or her child has provided us with information without their consent, he or she should contact us. We will delete such information from our files as soon as reasonably practicable. We encourage parents with concerns to contact us.
If you would like to exercise your rights under this Policy, please submit your request via this Web Form.
Please direct any questions or comments about this Policy or privacy practices to [email protected]. You may also write to us via postal mail at:
4660 La Jolla Village Dr.
San Diego, CA 92122
Osano International Compliance Services Limited
25/28 North Wall Quay
Dublin 1, D01 H104
Scope. This section applies only to California residents. It describes how we collect, use, and share Personal Information of California residents online and offline in our capacity as a “business” under the California Consumer Privacy Act of 2018 (“CCPA”) and their rights with respect to that Personal Information. For purposes of this section, “Personal Information” has the meaning given in the CCPA but does not include information exempted from the scope of the CCPA. In some cases we may provide a different privacy notice to certain categories of California residents, such as job applicants, in which case that notice will apply instead of this section.
Your California privacy rights. As a California resident, you have the rights listed below. However, these rights are not absolute, and in certain cases we may decline your request as permitted by law.
We will need to verify your identity to process your information, access and deletion requests and reserve the right to confirm your California residency. To verify your identity, we may require government identification, a declaration under penalty of perjury or other information. Your authorized agent may make a request on your behalf upon our verification of the agent’s identity and our receipt of a copy of a valid power of attorney given to your authorized agent pursuant to California Probate Code Sections 4000-4465. If you have not provided your agent with such a power of attorney, you must provide your agent with written and signed permission to exercise your CCPA rights on your behalf, provide the information we request to verify your identity, and provide us with written confirmation that you have given the authorized agent permission to submit the request. We cannot process your request if you do not provide us with sufficient detail to allow us to understand and respond to it.
|Statutory category of Personal Information (Cal. Civ. Code § 1798.140)||Personal Information we collect in this category (See the “Personal information We Collect” section above for description)|
|Identifiers (excluding online identifiers)||
|California Customer Records (as defined in California Civil Code section 1798.80)||
|Internet or Network Information||
|Inferences||May be derived from the information listed above|
|Sources. We describe the sources from which we collect this Personal Information in the section above entitled Personal Information We Collect. Purposes. We describe the business and commercial purposes for which we collect this Personal Information in the section above entitled How We Use Your Personal Information. Disclosure. We disclosed this Personal Information to the categories of third parties described in the section above entitled How We Share Your Personal Information.|
The information provided in this Notice applies only to individuals in the European Economic Area, Switzerland, and United Kingdom (collectively, “Europe”).
Privacy Shield Data Protection Principles
Drata complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the European Union, the United Kingdom, and Switzerland, as applicable, to the United States in reliance on Privacy Shield. Drata has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such data. If there is any conflict between the terms in this notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, please visit, https://www.privacyshield.gov
If you have any inquiries or complaints regarding the handling of your personal information under Privacy Shield, our contact details are provided in the “Contact Us” section. For any unresolved privacy concerns, please contact our US based third party dispute resolution provider (free of charge) at https:// www.jamsadr.com/eu-us-privacy-shield. You may have the option to select binding arbitration under the Privacy Shield Panel for the resolution of your complaint when other dispute resolution procedures have been exhausted. Drata is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
Choice. When Drata maintains Personal Information about you outside of a direct relationship with you, because we obtained or maintain your Personal Information as a processor, Drata’s customers are responsible for providing you with certain choices about the customer’s use or disclosure of your personal information.
When we obtain or maintain your Personal Information as a controller, we may disclose the Personal Information, without offering you a choice, in the following cases: to our processors or service providers; to our affiliates; as part of a corporate restructuring (e.g., a merger or acquisition); or as required by law. You may also choose to disable third-party cookies that collect Personal Information through Drata’s website. If we disclose your Personal Information to other third parties, we will obtain your consent. We also allow you to choose to opt out of marketing-related emails from us, and to update or correct Personal Information in your account.
Onward Transfer. In the context of onward transfer, Drata is responsible for the processing of personal data it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on our behalf. Drata shall remain liable under the Privacy Shield Principles if our agent processes your Personal Data in a manner inconsistent with the Privacy Shield Principles, unless Drata is not responsible for the event giving rise to the damage.
|Processing Purpose Details regarding each processing purpose listed below are provided in the section above titled “How we use your personal information”.||Legal Basis|
|To operate the Service||Processing is necessary to perform the contract governing our provision of the Service or to take steps that you request prior to signing up for the Service. If we have not entered into a contract with you, we process your personal information based on our legitimate interest in providing the Service you access and request.|
||These activities constitute our legitimate interests. We do not use your personal information for these activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).|
|To comply with law||Processing is necessary to comply with our legal obligations.|
|With your consent||Processing is based on your consent. Where we rely on your consent you have the right to withdraw it any time in the manner indicated when you consent or in the Service.|
Sensitive personal information. We ask that you not provide us with any sensitive personal information (e.g., information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background or trade union membership) on or through the Service, or otherwise to us.
We retain personal information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes.
To determine the appropriate retention period for personal information, we consider the amount, nature, and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
When we no longer require the personal information we have collected about you, we will either delete or anonymize it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. If we anonymize your personal information (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you.
European data protection laws give you certain rights regarding your personal information. If you are located within the European Union, you may ask us to take the following actions in relation to your personal information that we hold:
Cross-Border Data Transfer
If we transfer your personal information from Europe to another country that is not deemed by the European Commission and/or UK Government, as applicable, to provide an adequate level of protection to personal information, that transfer will be performed subject to appropriate safeguards (most commonly standard contractual clauses) and otherwise in accordance with applicable European data protection laws. Please contact us for further information about any such transfers or the specific safeguards applied.