Information We Collect
We collect information through the following channels and devices:
1. Information collected when you visit our websites
We may also collect contact and/or professional data about you through our websites and through tools such as online forms and/or communications. For example, when you sign up to learn more about Securify's products and services, download content, register for an event, or visit our offices, you may provide us with your name, surname and contact information, as well as your professional information.
2. Physically collected information
During our physical marketing efforts and commercial activities, you may provide your contact and professional information, especially in business card format or verbally. If you attend an event, we may receive contact and professional details about you when you complete a form, give us a business card, or share your Personal Data with us by other means, as well as photos and videos that can be shared on social media to illustrate Corporate activities. Typically, contact data includes your name and contact methods such as phone number, email address, and postal address, and professional data includes details such as your affiliation, your job title, and industry.
3. Information collected when you use our services
The information collected by our systems is as follows:
3.1 Mobile Applications
Securify has Android and iOS mobile applications. Therefore, when you download and start using our applications from online stores, we collect information at the following stages:
During the initial registration, you must register by entering your name, surname, and email address to use our mobile services. After you enter your information, we send a registration code to your email address and ask you to enter this code in our application to complete your registration. During registration, we generate symmetric keys and asymmetric key pairs to use for digital signing and encryption of transactions. Depending on our usage, we may store these keys in the mobile application, the backend server, or both.
When you add a new service, you can add corporate or individual services. Individual services can only be used in Time-based One-Time Password (TOTP) authentication (RFC 6238). In this authentication mechanism, a third-party service (e.g., Twitter, Facebook, LinkedIn) can be added by scanning a QR code, or a secret key can be entered manually, to perform two-factor authentication. If you scan the QR code, we receive your secret key and the name of your third-party service; if you enter it manually, we store the name you gave to the service and the secret key. So that you can recreate the OTP when you move your application to another phone or reload the application, we store your secret key, as a backup for your convenience, in both your mobile application and our backend servers. Please also note that we need camera permissions to allow you to scan the QR code.
In corporate services, you enter a code provided by your service provider, and we only store the identity of the service provider and the user identity provided for the service. The user identity is a number generated by your company/service provider to anonymize your identity and is then shared with us by your company/service provider to uniquely identify your transaction. The user identity can be a purely anonymous number and does not have to be a personally identifiable number. However, if your service provider provides personal data as the user identity, this is the responsibility of your service provider as stated in the contract we made with them.
Mobile Application Login: Normally, no authentication is required when logging into the mobile application. However, you can activate the password login or fingerprint/face recognition login options from the mobile application settings to increase your security. In such a case, the password you set is encrypted and stored only in your mobile application and is never exported. In the fingerprint/face recognition option, the verification processes provided by your mobile application are used. Therefore, we do not collect, process, or store any physical biometric data belonging to you.
During identity verification, we use some information about you and your device, application, and transaction to enhance your security and store it for public and third-party audit purposes, as well as to improve our services. This information may include your email address, user ID, Internet Protocol (IP) address, operating system platform, browser type and version, browser time zone, browser time offset, browser agent, screen resolution, date and time of your transaction, keystroke timing, mouse movements, geographic location, time spent on each page, clicks, and scrolls.
3.2 Management Console
For Corporate Users contracting with us, we provide a web-based management console for the identity and access management of their employees and/or customers. In this console, employee or customer data is entered into the system by the Organization. In such cases, the data controller is the Organization and we are in the role of data processor. Therefore, it is the Organization's responsibility to meet data privacy and other relevant legal requirements with the end user or employee.
As a Corporate User of our Site, Application and services, your data controller may keep and process your personal data under the following sections of the management console:
Administration Section: In the administration section, information about users, groups, identities and regions can be registered in the system. Personal data can be stored in the users or identities module. However, neither our system nor our processes require users' personal data to function properly. Our system only needs user IDs and/or email addresses, which can be anonymous records that cannot be directly associated with users' identities. As a data supervisor, we recommend that our Corporate Users use anonymous user IDs to better comply with EU GDPR and Turkish Personal Data Protection Law. According to the Enterprise User configuration, users' data can be stored in Active Directory, Office 365, RADIUS, etc. It can also be obtained from an already existing third-party system.
Applications Section: In the Applications section, the Enterprise User can define their services and HTML forms to manage their access. The Applications section handles ordinary data such as service name, form HTML id, and field HTML. The only personal data processed under this section are logs about services used by individual user IDs.
Policies Section: In this section, the Corporate User can define rules to allow or deny user groups to use defined services or forms based on time zone or IP addresses.
Licenses Section: In the Licenses section, we store Corporate or individual license information that includes product name, license name, start date, expiry date, users' e-mail address (for individual users), Organization information, Organization e-mail address, phone number, etc.
Audit Section: For system, security and control purposes, the audit section stores some information about authentication processes, including Organization name, service name, user IDs, Internet Protocol (IP) address, operating system platform, browser type and version, browser time zone, browser time difference, browser agent, screen resolution, the date and time of the operation, the timings of users' keystrokes, geolocation, time spent on each page, clicks, and swipes.
Risk Management Section: In the risk management section, the system checks the data collected regarding the authentication processes of the users and performs static and automatic analysis. Automated analysis involves analyzing users' historical and behavioral data and detecting anomalies using machine learning or statistical techniques. In this section, the organization should define risk-based authentication parameters and actions when an anomaly is detected in the authentication process of users. Actions include activating a third-party system or sending notification emails or SMS. Therefore, information such as the IP address and service name of the third-party application or the e-mail and SMS information of the persons to be notified must be entered into the system.
3.3 API Services
Since our backend services run through API services, the data mentioned in previous systems must be transferred using these APIs.
Sometimes we provide plug-ins to interact with third-party systems. On the settings page of these plug-ins, the system can store users' email addresses, API keys and other related configuration data.
How do we collect information?
We collect information lawfully, in accordance with the rules, and with your knowledge and consent. We also let you know why we collect the information and how it will be used. You are free to decline our request for information, with the understanding that we may not be able to provide some of the services you request without it.
Use of information
We use your data to enhance the security of your authentication processes and to prevent malicious cyber attacks against your identities.
We may use a combination of identifying and non-identifying information to understand who our visitors are, how they use our Services, and how we can improve their experience with our Services in the future. We do not publicly disclose details of this information, but we may share aggregated and anonymized versions of this information, for example in website and customer usage trend reports.
We may use your personal information to contact you with promotional content that we believe may be of interest to you, as well as updates about our Services. If you wish to opt out of receiving promotional content, you may follow the "unsubscribe" instructions provided with the promotional communications.
Data processing and storage
We only transfer data in jurisdictions subject to data protection laws that reflect our commitment to protecting the privacy of our users.
We only retain personal information for as long as necessary to provide a service or improve our services in the future. While we retain this data, we will protect it to the maximum extent by commercially acceptable means to prevent loss and theft, as well as unauthorized access, disclosure, copying, use or modification. However, we would like to inform you that no electronic transmission or storage method is 100% secure, and we cannot guarantee absolute data security.
If you ask for your personal information to be deleted, or if your personal information becomes irrelevant to our activities, we will delete this information from our system within a reasonable period of time after we receive the relevant request. You can find detailed information on the destruction of personal data in our KVKK Policy at the address www.securifyidentity.com/personal-data-protection.
Third party access to information
We use third-party services for:
• Analytics tracking
• Advertising and promotion
• Content marketing
• Email marketing
• Payment processing
These services may access our data only for the purpose of performing certain tasks on our behalf. We do not share any personally identifiable information with them without your express consent. We do not allow the third party to disclose or use any of our personal data for any purpose other than those listed in the express consent statement.
From time to time, we may allow limited access to our data by external consultants and agencies for analysis and service improvement purposes. This access is only allowed as long as it is necessary to perform a particular function. We only work with outside organizations whose privacy policies are in line with ours.
If we believe an administrative or legal request is too broad or irrelevant to its stated purpose, we will reject it. However, we can cooperate if we believe the information requested is necessary and appropriate to comply with legal process, protect our rights and property, protect the safety of the public and any person, prevent a crime, or prevent what we reasonably believe is illegal, legally actionable or unethical activity.
We do not otherwise share or give personal information to third parties. We do not sell or rent your personal information to marketers or third parties.
Limits of our policy
Our website may link to external sites not operated by us. Please note that we have no control over the content and policies of these sites and cannot accept responsibility or liability for their respective privacy practices.
Changes to the policy
Your rights and responsibilities
As a user, you have the right to be informed about how your data is collected and used. You have the right to know what data we collect about you and how it is processed. You have the right to correct and update personal information about you and to request that this information be deleted. You can change or remove your account information at any time using the links on our websites.
While maintaining the right to use your personal information for your own purposes, you have the right to restrict or object to our use of your data. You have the right to request that the use of data about you be discontinued only in decisions based on automated processing.
We can send you push notifications through our mobile apps. You can opt out of receiving such communications at any time by changing the settings on your mobile device.
You can choose not to receive promotional communications, such as marketing emails. You can opt out of interest-based advertising services in mobile apps by clicking the privacy settings on your Android or iOS device and turning off “Allow Apps to Send Tracking Requests” or by enabling “Limit Ad Tracking” (Apple iOS) or “Disable Ad Personalization” (Android).
You have the right to rectify or delete your personal data, object to the way we use and share your data, restrict the way we share your data or withdraw your consent.
We respond to all requests within a reasonable time. If you have an unresolved privacy or data usage question that we have not yet addressed to your satisfaction, you can contact firstname.lastname@example.org for unresolved complaints.
If you wish to exercise any of your above-mentioned rights as a data subject, please use the support options specified in the "Contact" section above. All requests are responded to in accordance with applicable laws. To protect your privacy, we may ask you for a shopping invoice or other account information before fulfilling your request, ask you to link your account with your email address, or add additional steps to verify your identity by asking you about your activities on our services.
Securify Information Technologies and Security Education Consulting Industry and Trade Inc. is the data controller of personal information in personal services, but it is the data processor in Corporate services.