Privacy Policy

StrongDM Privacy Policy

Last revised and effective as of: February 1, 2023

This Privacy Policy relates to information collected online and offline by StrongDM, Inc. (“StrongDM”, “we”, “us” or “our”), including through your use of the StrongDM website at www.strongdm.com, and any subdomains, services and information available thereon (together with associated and successor websites, services, and information available thereon or any part thereof, the “Site”). You may also provide information to us when you meet us in person, such as at business conferences or when you are involved in networking activities and we may collect information about you in connection with developing our business (collectively, “Networking Activities”), and this Privacy Policy relates to such information as well.

You should carefully read this Privacy Policy. By using the Site, you are signifying your acceptance of this Privacy Policy. If you do not agree to this Privacy Policy, you may not use the Site.

To the extent that the Site is available to, or we collect information in connection with Networking Activities from individuals located in the European Economic Area or the United Kingdom, this Privacy Policy sets out our practices and obligations under the General Data Protection Regulation 2016/679 (the “GDPR”). If an organization with which you are associated (an “Organization”) becomes a client of StrongDM’s business, we may receive personal information about you in connection with our provision of our business services to your Organization. To the extent we process (as defined below) that personal information solely in order to provide the business services, including our SaaS services, to your Organization, under the GDPR, to the extent applicable, we will act as a processor (as defined in the GDPR) on behalf of your Organization in respect of that personal information; this Privacy Policy will not apply to the processing of that personal information and your Organization will act as a controller (as defined in the GDPR), in respect of that personal information and is responsible for obtaining all necessary consents and providing you with all requisite information as required by applicable law. To the extent we process your personal information for any other lawful business purpose of ours, under the GDPR, to the extent applicable, we will act as a controller of such personal information and this Privacy Policy will apply to the processing of such personal information.

As used in this Privacy Policy, the terms “using” and “processing” information include using cookies on a computer, subjecting the information to statistical or other analysis and using or handling information in any way, including but not limited to collecting, storing, evaluating, modifying, deleting, using, combining or disclosing.

This Privacy Policy serves to notify you of the following:

What information about me is collected?

Where and when is information collected?

What does StrongDM do with the information it collects?

When does StrongDM disclose the information to third parties?

Could my information be transferred to other countries?

For how long is my personal information kept?

What choices do I have regarding my personally identifiable information?

How will I know if there are changes to this Privacy Policy?

Whom do I contact if I have any privacy questions?

Privacy Notice for California Residents

WHAT INFORMATION ABOUT ME IS COLLECTED?

StrongDM may collect two types of information from you: personally identifiable information and non-personally identifiable information.

Personally Identifiable Information

Personally identifiable information is information that identifies you or can be used to identify or contact you. Such information may include your first name, last name, title, company name, workplace address, email address, telephone number(s), and internet protocol address. Personally identifiable information amounts to ‘personal data’ for the purposes of and as defined in the GDPR. All references to personally identifiable information shall be deemed to include ‘personal data’ as defined and used in the GDPR (to the extent applicable).

Non-Personally Identifiable Information

Non-personally identifiable information is information, any single item of which, by itself, cannot be used to identify or contact you, including analytics/audit logging features, browser type and version, time zone setting and location, username, browser plug-in types and versions, operating systems and other technology on the devices used to access our website, non-identifiable demographic information, device types, URLs, browser language, pages you view, the date and time of your visit, and statistical data about your use of the Site. Please note that non-personally identifiable information may be considered a part of your personally identifiable information in the event it is combined with other identifiers (for example, combining your zip code with your street address) in a way that would enable you to be identified. However, the same pieces of information are considered non-personally identifiable information when they are considered alone or combined only with other non-personally identifiable information in a way that would not enable you to be identified.

WHERE AND WHEN IS INFORMATION COLLECTED?

We will collect personally identifiable information that you submit to us. We may also receive information about you from third parties providing us with analytics, lead generation, or other services. We may also collect personally identifiable information about you that is publicly available from sources such as LinkedIn.


While you use the Site…

We may obtain your personal information from you if you identify yourself to us through email or comments or if you engage in a “chat” on the Site.

Cookies

We may collect information passively using “cookies”. “Cookies” are small text files that can be placed on your computer or mobile device in order to identify your web browser and the activities of your computer on the site and other websites. Cookies can be used to personalize your experience or to assist you, and to allow us to monitor how you are using the Site to improve your experience. In addition to cookies that we may place on your computer or mobile device, cookies might also be placed on your computer or mobile device by third parties that we use to display or serve advertisements for our products and services or to collect non-personally identifiable information in order to provide advertising-related services to us. In the course of serving advertisements, such third parties could place or recognize unique cookies on your browser.

You do not have to accept cookies to use the Site. Although most browsers are initially set to accept cookies, you may reset your browser to notify you when you receive a cookie or to reject cookies generally. Most browsers offer instructions on how to do so in the “Help” section of the toolbar. However, if you reject cookies, certain features or resources of the Site may not work properly or at all and you may experience some loss of convenience. For the avoidance of doubt, the Site may use third-party service platforms (including to help analyze how users use the Site).  These third-party service platforms may place cookies on your computer or mobile device.  If you would like to disable “third party” cookies, you may be able to turn them off by going to the third party’s website.

Log Files

We also collect information through our Internet log files, which record data such as user IP addresses, other addressing information, the date and time of your request, browser types, screen resolution, domain names, and other anonymous statistical data involving the use of the Site. This information may be used to analyze trends, to administer the Site, to monitor the use of the Site, and to gather general demographic information. We may link this information to personally identifiable information for these and other purposes such as personalizing your experience on the Site and evaluating the Site in general.

WHAT DOES STRONGDM DO WITH THE INFORMATION IT COLLECTS?

We will only use your personally identifiable information to the extent that the law allows us to do so. Pursuant to the GDPR, legal bases for our processing your personally identifiable information may include (without limitation):

(a) where you have given consent to the processing, which consent may be withdrawn at any time without affecting the lawfulness of processing based on consent prior to withdrawal;

(b) where it is necessary to perform the contract we have entered into or are about to enter into with you (whether in relation to the provision of the Site or otherwise); and/or

(c) where it is necessary for the purposes of our legitimate interests (or those of a third party) in providing the Site, or engaging in Networking Activities, and your interests or fundamental rights and freedoms do not override those legitimate interests.

We use the information collected to provide the Site to you, to engage in Networking Activities, to help us understand who uses the Site, for internal operations such as operating and improving the Site,  and, unless you “opt out”, so that we can contact you about products and services that may be of interest to you.

We may send you electronic newsletters and contact you about the Site, Networking Activities, products, services, information and news that may be of interest to you. If you no longer desire to receive these communications, we will provide you with the option to change your preferences in each communication we send to you. You may also inform us by email to dpo@strongdm.com.

If you identify yourself to us by sending us an e-mail with questions or comments, we may use your information (including personally identifiable information) to respond to your questions or comments, and we may file your questions or comments (with your information) for future reference. We may also use the information gathered to perform statistical analysis of user behavior or to evaluate and improve the Site. We may link some of this information to personally identifiable information for internal purposes or to improve your experience with the Site.

WHEN IS YOUR INFORMATION SHARED WITH THIRD PARTIES?

Generally, information gathered from you through the Site or in connection with Networking Activities is shared with these types of third parties and as otherwise detailed in this Policy, or with authorization from you.

Legal Disclosure

We may disclose your information (including personally identifiable information) if we believe in good faith that we are required to do so in order to comply with an applicable statute, regulation, rule or law, a subpoena, a search warrant, a court or regulatory order, lawful requests by public authorities, including to meet national security or law enforcement requirements, or other valid legal process. We may disclose personally identifiable information in special circumstances when we have reason to believe that disclosing this information is necessary to identify, contact or bring legal action against someone who may be violating a contract with us, to meet contractual obligations, to protect our rights or our property, to detect fraud, or to protect the safety and/or security of our users, the Site or the general public.

Third Parties We Use

We may provide to third parties non-personally identifiable information, including where such information is combined with similar information of other users of the Site. For example, we might inform third parties regarding the number of unique users who use the Site and the demographic breakdown of our users of the Site. In addition to the above, when users use our Site, third parties (including without limitation analytics and other service providers) may directly collect personally identifiable and non-personally identifiable information about our users’ online activities over time and across different websites. The third parties to which we may provide or who may independently directly collect personally identifiable and non-personally identifiable information may include providers of services (including vendors and website tracking services), analytics service providers, merchants, affiliates and other actual or potential commercial partners, and other similar parties. Please note in particular that the Site may use Google Analytics, including its data reporting features. Information collected by Google Analytics includes but is not limited to web metrics. For information on how Google Analytics collects and processes data, please see the site “How Google uses data when you use our partners’ sites or apps”, currently located at www.google.com/policies/privacy/partners/. For information on opting out of Google Analytics, we encourage you to visit Google’s website, including its list of currently available opt-out options.

Contractors

We may employ independent contractors, vendors and suppliers (collectively, “Outside Contractors”) to provide specific services and products related to the Site, such as hosting and maintaining the Site, and developing applications for the Site, and related to our Networking Activities. In the course of providing products or services to us, these Outside Contractors may have access to your information collected through the Site, including your personally identifiable information.  We use reasonable efforts to ensure that these Outside Contractors are capable of (1) protecting the privacy of your personally identifiable information consistent with this Privacy Policy, and (2) not using or disclosing your personally identifiable information for any purpose other than providing us with the products or services for which we contracted or as required by law.

Sale of Business

We reserve the right to transfer information to a third party (i) in connection with a sale, merger or other transfer of all or substantially all of the assets of StrongDM, or that portion of StrongDM to which the Site relates, (ii) in connection with a strategic investment by a third party in StrongDM, or (iii) in the event that we discontinue our business or file a petition or have filed against us a petition in bankruptcy, reorganization or similar proceeding, provided that the third party agrees to adhere to the terms of this Privacy Policy.

COULD MY INFORMATION BE TRANSFERRED TO OTHER COUNTRIES?

Your personally identifiable information collected on the Site may be transferred from time to time to our personnel, or to third parties, located throughout the world, and the Site may be viewed and hosted anywhere in the world, including countries that may not have laws of general applicability regulating the use and transfer of such information. By using the Site and submitting such information on it, or engaging in Networking Activities with us, you voluntarily consent to the trans-border transfer and hosting of such information. Without limitation of the foregoing, you hereby expressly grant consent to StrongDM to: (a) process and disclose such information in accordance with this Privacy Policy; (b) transfer such information throughout the world, including to the United States or other countries that do not ensure adequate protection for personally identifiable information (as determined by the European Commission); and (c) disclose such information to comply with lawful requests by public authorities, including to meet national security or law enforcement requirements. If you are from a jurisdiction with laws or regulations governing personal data collection, use, and disclosure that differ from those of the United States, please be advised that all aspects of the information collected and processed under this Privacy Policy are governed by the internal laws of the United States and the State of Delaware, USA, regardless of your location.

HOW LONG WILL STRONGDM KEEP MY INFORMATION?

We will only retain your personally identifiable information for as long as necessary to fulfill the purposes for which we collected it.

To determine the appropriate retention period for personally identifiable information, we consider the amount, nature, and sensitivity of that information, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process your personally identifiable information and whether we can achieve those purposes through other means, and the applicable legal requirements.

WHAT CHOICES DO I HAVE REGARDING MY PERSONALLY IDENTIFIABLE INFORMATION?

We generally use personally identifiable information as described in this Privacy Policy or as authorized by you or as otherwise disclosed at the time we request such information from you. You generally must “opt in” and give us permission to use your personally identifiable information for any other purpose. You may also change your preference and “opt out” of receiving certain marketing communications from us by following the directions provided in association with the communication or such other directions we may provide or by contacting privacy@strongdm.com.

Under certain circumstances and in compliance with the GDPR, you may have the right to:

Request access to your personally identifiable information (commonly known as ‘subject access request’). This enables you to receive a copy of the personally identifiable information we hold about you and to check that we are lawfully processing it;

Request correction of the personally identifiable information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;

Request erasure of your personally identifiable information. This enables you to ask us to delete or remove your personally identifiable information where there is no good reason for us to continue processing it. You also have the right to ask us to delete or remove all of your personally identifiable information in certain circumstances;

Object to processing of your personally identifiable information where we are relying on a legitimate interest (or that of a third party) and there is something about your particular situation which makes you want to object to processing on this ground;

Request the restriction of processing of your personally identifiable information. This enables you to ask us to suspend the processing of your personally identifiable information, for example, if you want us to establish its accuracy or the reason for processing it;

Request the transfer of your personally identifiable information to another party; and

Lodge a complaint with the relevant supervisory authority (as defined in the GDPR). If you have any complaints about the way we process your personally identifiable information, please do contact us. Alternatively, you may lodge a complaint with the supervisory authority which is established in your country.

If you want to review, verify, correct or request erasure of your personally identifiable information, object to the processing of your personally identifiable information, or request that we transfer a copy of your personally identifiable information to another party, please contact dpo@strongdm.com.

Such updates, corrections, changes and deletions will have no effect on other information that we maintain, or information that we have provided to third parties in accordance with this Privacy Policy prior to such update, correction, change or deletion. To protect your privacy and security, we may take reasonable steps (such as requesting a unique password) to verify your identity before granting you profile access or making corrections. You are responsible for maintaining the secrecy of your unique password and account information at all times.

You should be aware that it may not be technologically possible to remove each and every record of the information you have provided to us from our system. The need to back up our systems to protect information from inadvertent loss means that a copy of your personally identifiable information may exist in a non-erasable form that will be difficult or impossible for us to locate. After receiving your request, we will use commercially reasonable efforts to update, correct, change, or delete, as appropriate, all personally identifiable information stored in databases we actively use and other readily searchable media as appropriate, as soon as and to the extent reasonably practicable.

HOW WILL I KNOW IF THERE ARE ANY CHANGES TO THIS PRIVACY POLICY?

We may revise this Privacy Policy from time to time.  We will not make changes that result in significant additional uses or disclosures of your personally identifiable information without allowing you to “opt in” to such changes. We may also make non-significant changes to this Privacy Policy that generally will not significantly affect our use of your personally identifiable information, for which your opt-in is not required. We encourage you to check this page periodically for any changes. If any non-significant changes to this Privacy Policy are unacceptable to you, you must immediately contact us and, until the issue is resolved, stop using the Site. Your continued use of the Site following the posting of non-significant changes to this Privacy Policy constitutes your acceptance of those changes.

PRIVACY NOTICE FOR CALIFORNIA RESIDENTS

Privacy Notice for California Residents: Notwithstanding any earlier Effective Date applicable to this Privacy Policy generally, this Privacy Notice for California Residents shall be effective from and after January 1, 2020 to the extent that we are regulated as a business (as defined in the CCPA) under the CCPA (as defined below) and shall apply to you only if you are a California resident.

If an organization with which you are associated (an “Organization”) is or becomes a client of StrongDM, we may receive consumer information (as defined below) about you (either directly from you or from the Organization) in connection with our provision of business services, including SaaS services, to your Organization. To the extent we process such information solely to provide our services to your Organization, under CCPA, to the extent applicable, we will act as a “service provider” (as defined in the CCPA) on behalf of your Organization in respect of that consumer information; this Privacy Policy will not apply to the processing of that consumer information and your Organization will act as a business (as defined in the CCPA) in respect of that consumer information. The business is responsible for obtaining all necessary consents and providing you with all requisite information as required by the applicable law. To the extent we process your consumer information for any other lawful business purpose of ours, under the CCPA, to the extent applicable, we will act as a business with respect to such consumer information and this Privacy Notice for California Residents will apply to the processing of such consumer information.

As used in this Privacy Notice for California Residents, “sell” (including any grammatically inflected forms thereof) means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, consumer information (as defined below) to another business or a third party for monetary or other valuable consideration.

“Selling” does not include (i) disclosing consumer information to a third party at your direction, provided the third party does not sell the consumer information except in accordance with the California Consumer Privacy Act (the “CCPA”), (ii) where you intentionally interact with a third party through the Site, provided the third party does not also sell the consumer information, (iii) where you have opted out in accordance with this Privacy Notice for California Residents, disclosures to third parties for the purposes of alerting such third parties that you have opted out of the sale of your consumer information, (iv) using or sharing your consumer information with a service provider as necessary to perform business purposes, provided that such service provider provides its services on our behalf and provided that the service provider does not further collect, sell or use the consumer information except as necessary to perform the business purpose, or (v) transfers of your consumer information to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of StrongDM, provided that information is used or shared consistently with the CCPA.

Consumer Information Collected: Through the Site and in connection with Networking Activities, we may collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with particular California residents, devices or households (“consumer information”). Examples of information collected are:



Category: A. Identifiers

Examples: Name, business address, email, IP addresses, business phone

Business or commercial purpose for which we use consumer information:

  • For Networking Activities;
  • To provide and help us understand who uses the Site and to perform statistical analysis of user behavior;
  • For internal operations such as evaluating, operating and improving the Site;
  • To send news to you that may be of interest; and
  • To respond to your comments or questions.

Category: B. Internet or other similar activity

Examples: Browsing history

Business or commercial purpose for which we use consumer information:

  • For Networking Activities;
  • To provide and help us understand who uses the Site and to perform statistical analysis of user behavior;
  • For internal operations such as evaluating, operating and improving the Site;
  • To contact you about the Site, Networking Activities, products, services or other information that might be of interest to you; and
  • To respond to your questions and comments.

Category: C. Professional or employment related information

Examples: Current job title

Business or commercial purpose for which we use consumer information:

  • For Networking Activities;
  • To provide and help us understand who uses the Site and to perform statistical analysis of such behavior;
  • For internal operations such as evaluating, operating and improving the Site;
  • To send you electronic newsletters and contact you about the Site, Networking Activities, products, services, information and news that may be of interest to you; and
  • To respond to your questions and comments.


California Residents’ Rights and Choices

The CCPA provides California residents with specific rights regarding their consumer information. This section of the California Privacy Notice describes your CCPA rights (to the extent applicable to you) and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

You may have the right to request that StrongDM disclose certain information to you about our collection and use of your consumer information over the past 12 months. Once we receive and confirm your verifiable consumer request (in the manner described below under the heading “Exercising Access, Data Portability, and Deletion Rights”), to the extent required by the CCPA, we will disclose to you:

  • The categories of consumer information we collected about you.
  • The categories of sources for the consumer information we collected about you.
  • Our business or commercial purpose for collecting that consumer information.
  • The categories of third parties with whom we share that consumer information.
  • The specific pieces of consumer information we collected about you (also called a data portability request).
  • If we disclosed your consumer information for a business purpose, two separate lists disclosing (i) sales, identifying the consumer information categories that each category of buyer purchased; and (ii) disclosures for a business purpose, identifying the consumer information categories that each category of recipient obtained.

Deletion Request Rights

You have the right to request that StrongDM delete any of your consumer information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm a verifiable request from you (if you are a California resident) in the manner described below under the heading “Exercising Access, Data Portability, and Deletion Rights” (“verifiable consumer request”), we will delete (and direct our service providers to delete) your consumer information from our records, unless an exception applies. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

  • Complete the transaction for which we collected the consumer information, provide a product or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  • Debug products or services to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
  • Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  • Comply with a legal obligation.
  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above under the heading “Deletion Request Rights”, please submit a verifiable consumer request to us by either: (1) visiting www.strongdm.com/privacy-policy; or (2) contacting us by email at privacy@strongdm.com. Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your consumer information. You may also make a verifiable consumer request on behalf of your minor child. You may make a verifiable consumer request for access or data portability no more than twice within a 12-month period. The verifiable consumer request must: (i) provide sufficient information that allows us to reasonably verify you are the person about whom we collected consumer information or an authorized representative; and (ii) describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. We cannot respond to your request or provide you with consumer information if we cannot verify your identity or authority to make the request and confirm the consumer information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use consumer information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request. We will provide email receipt acknowledgement to verify consumer requests.

We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to ninety (90) days), we will inform you of the reason and extension period in writing. If you have an account with us, we may deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your consumer information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance. If your requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may either charge a reasonable fee, taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request and notify you of the reason for refusing the request.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights, including, unless permitted by the CCPA, by:

  • Denying you goods or services.
  • Charging you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Providing you a different level or quality of goods or services.
  • Suggesting that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

BY USING THE SITE, YOU SIGNIFY YOUR ACCEPTANCE OF THIS PRIVACY POLICY. IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, YOU SHOULD NOT USE THE SITE.  CONTINUED USE OF THE SITE, FOLLOWING THE POSTING OF CHANGES TO THIS PRIVACY POLICY THAT DO NOT SIGNIFICANTLY AFFECT THE USE OR DISCLOSURE OF YOUR PERSONALLY IDENTIFIABLE INFORMATION, MEANS THAT YOU ACCEPT THOSE CHANGES.