Last Updated: April, 2021
1. Introduction & Overview
- Skybox Security develops integrated security management solutions for enterprise–scale vulnerability and threat management, security policy and firewall management (the “Service”).
- This Policy defines the ways in which Skybox collects, stores, shares, uses, retains and protects Personal Information (as defined below).
- This policy describes the types of Personal Information collected by Skybox, the way Skybox uses and protects this information, and to whom it is disclosed.
- In this Policy, “Skybox” or "we" refer to Skybox Security, Inc. and its “Affiliates”, which shall mean subsidiaries, parent companies, joint ventures and other corporate entities under common ownership.
- “Data Subject” - a natural person whose Personal Information is processed by a controller or processor
- “Identifiable natural person” - means one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
- "Personal Information" means any information relating to an identified or identifiable natural person;
1.3 Purpose and Scope
- This Policy defines the ways in which Skybox collects, stores, shares, uses, retains and protects Personal Information.
2.1 Collection of Data
We may collect two types of data:
- Personal Information:
- The type of Personal Information collected in accordance with the Service may vary depending on the activity and may include:
- First and last name (or the name you have associated with your device);
- Telephone number;
- Transaction identifiers for purchases;
- Age and date of birth;
- Email address;
- If applicable, physical geolocation and that of the devices you use to access our Services;
- internet protocol (IP) addresses;
- zip code;
- area code;
- Personal information collected in connection with your job application may include the following:
- Name, address, telephone number, e-mail address, and other contact information;
- Username and password;
- Work authorization status;
- CV, resume, cover letter, previous work experience, and education information;
- Job openings you wish to be considered for;
- Knowledge, skills, and abilities;
- Professional and other work-related licenses, permits, and certifications held;
- Referral names and contact information for referrals;
- Information relating to character and employment references; and
- Any other information you elect to provide to us (e.g., employment preferences, willingness to relocate, current salary, desired salary, awards or professional memberships).
- The type of Personal Information collected in accordance with the Service may vary depending on the activity and may include:
- Un-identified and non-identifiable information pertaining to a user(s), which may be made available or gathered via the user's use of the Services (“Non-personal Information”). We are not aware of the identity of the user from which the Non-Personal Information was collected. Such information includes the following:
- Skybox may receive public information from third parties in connection with market and demographic studies and/or data that Skybox may use to supplement Personal Information provided directly by the customer.
- Skybox gathers certain non-personal identification information and stores it in log files when you interact with Skybox websites. This information includes browser type, internet service provider, URLs of referring/exit pages, operating system, date/time stamp, information you search for, locale and language preferences, identification numbers associated with your devices, your mobile carrier, and system configuration information.
2.2 Use of Personal Information
- Skybox uses the Personal Information to create accounts, to process transactions, to operate and optimize our Services, to provide you with a safe, smooth, efficient and customized experience, to fulfill specific requests and to send its customers other account-related information.
- In addition, the Personal Information provided to Skybox will allow it to send the users messages regarding, among other things, updates, new products, features, enhancements, special and promotional offers, upgrade opportunities and events of interest (unless you have opted out of receiving such communications).
- Skybox may also use Personal Information to
- Better understand the behavior and preferences of its customers;
- Provide technical support and respond to inquiries;
- Help create a safer and more trusted environment for our customers by preventing fraud or potentially illegal activities;
- Deliver and enforce our Terms of Service,
- Target and serve static and dynamic advertising;
- Solicit input and feedback to improve Skybox products and Services and their content;
- Ensure proper functioning of our products and Services;
- Personalize our services and manage and deliver contextual and behavioral advertising;
- Administer surveys or other promotional activities or events sponsored or managed by us or our business partners;
- Comply with our legal obligations, resolve any disputes we may have with customers;
- Enforce our agreements with third parties and conduct research.
- Skybox may send periodic emails. The email address users provide for order processing will be used only to send them information and updates pertaining to their order or to respond to their inquiries, requests or questions. Users who decide to opt in to Skybox’ mailing list will receive emails that may include company news, updates, related product or service information, etc. Users who wish to unsubscribe from the list may do so at any time by following the detailed instructions found at the bottom of each email they receive from Skybox.
- In addition to the direct Service, Skybox uses Personal Information that people voluntary provide to reply to users' request of information regarding Skybox products and services.
2.3.1 Use of Personal Information for job applications and recruitment
If you apply for a job with Skybox, your information will undergo some additional processing.
We use your personal information to
- enable you to express interest in and allow you to apply for employment at Skybox;
- assess and compare your skills, qualifications, and experience against other candidates and consider your candidacy for employment at Skybox;
- update and sync with information we may have previously collected about you related to employment at Skybox;
- communicate with you about the recruitment process, your application, recruitment events, and other potential career opportunities at Skybox;
- inform our internal analysis and reporting on our hiring practices and make improvements to our application and recruitment process;
- ensure or enhance the security and functionality of Skybox’s electronic recruitment systems;
- protect against fraud; conduct internal investigations; or comply with legal obligations.
If we decide that you may be a good fit for employment at Skybox, we will contact you to request additional information as part of the screening and interviewing process, which may include:
- Your desired salary and other terms relating to computation of compensation and benefits packages, willingness to relocate, and other job preferences
- Your fitness for a particular position, including your skills, qualifications, and experience
- Any previous applications you submitted to Skybox or any previous employment history with Skybox
We use this information to assess and compare your skills, qualifications, and experience against other candidates; consider your candidacy for employment at Skybox; to generate interviewer notes and candidate scores; and to update and sync with information we may have previously collected about you related to employment at Skybox.
Verification Information: As part of the recruitment process, we may also request information necessary to verify your information and run background checks, including:
- Your tax Identification or other government identification number (e.g., a social security number);
- Your nationality or citizenship;
- Whether you previously used other names;
- Whether you previously worked at Skybox and in what capacity;
- Whether you are legally authorized to work in the country you are applying to work in;
- Whether you require sponsorship to continue or extend your current work authorization, and what your current immigration status is;
- Information regarding potential conflicts of interest issues, including whether you or a member of your family have been a Government Official and
- Your date and place of birth.
We will use this information (in addition to your other personal information) to
- verify your information and identity;
- conduct background checks;
- confirm your eligibility and right to work at a particular Skybox office;
- confirm that there are no potential conflicts of interest issues in hiring you;
- and populate your employee records with your name and email address in the event you are hired by Skybox.
In addition, where requested by you, we will use this information to assist you with obtaining an immigrant visa or work permit, if required.
Your information may be shared with the Skybox employee who referred you to inform them about the limited, general status of the referral.
In addition, where permitted by local law, we will share your information with employment background check providers to verify your information and to obtain necessary background checks.
If you are offered and accept employment with Skybox, the personal information collected during the job application and recruitment process may become part of your employment record.
We will use your personal information only in ways that are compatible with the purposes described in this policy.
2.3 Cross-Border Transfer, Processing and Storage of Personal Information
- As part of its international operations, Skybox may transfer Personal Information to its Affiliates or vendors from time to time for our legitimate business purposes.
- Skybox transfers Personal Information only if the recipient of the Personal Information has provided appropriate safeguards, and on condition that enforceable Data Subject rights and effective legal remedies for Data Subjects are available.
- Skybox vendors are carefully vetted through a vendor assessment procedure and are legally committed to comply with relevant regulations.
- For EU Residents: Certain third parties may be located in jurisdictions outside of the EEA. If we share your personal information with such third parties, we will ensure that the transfer is done only to such countries as approved by the European Commission as providing adequate level of data protection, or otherwise ensure that the transfer is done in accordance with an approved legal mechanism under the applicable privacy legislation (including without limitation the GDPR).
2.4 Sharing Information With Third Parties
- In all cases of data access and collection, the information provided will not be disclosed, rented, loaned, leased, sold, or otherwise voluntarily distributed to unaffiliated third parties and will be used solely for the purpose stated herein. Specifically, Skybox does not share Personal Information with third parties for their direct marketing purposes unless upon specific consent to such disclosure.
- Skybox has not sold Personal Information in the preceding 12 months.
- In the 12 preceding months, Skybox has disclosed Personal Information for a "Business Purpose" (as this term is defined under the California Consumer Privacy Act of 2018 ("CCPA") as follows:
Category of Personal Information Collected Personal Information Collected Categories of service providers to whom Personal Information was disclosed A. Identifiers Full name, email address, device identifiers, including certain software and hardware information (e.g. IP address, internet service provider, domain server, type of computer, browser type and language and operating system). Cloud services, Website analysis, Affiliated companies B. Personal Information Categories listed in the California Customer Records Statute (Cal. Civ. Code § 1798.80(e)) Address, telephone number, financial information (e.g. credit card number). Cloud services, Affiliated companies C. Commercial Information Feedback of users. Cloud services, Affiliated companies D. Internet or Other Electronic Network Activity Information Information regarding the user's interaction with the website. Cloud services, Website analysis, Affiliated companies E. Geolocation Data Geolocation data based on device identifiers. Cloud services
F. Professional or Employment-related Information Current or past job history. Cloud services, Affiliated companies
- Skybox may share Personal Information with third parties who help Skybox to maintain, administer or develop its website, such as sending out newsletters or surveys. Skybox may share users’ information with such third parties, for those limited purposes, for a limited time and only subject to Users’ permission.
- Skybox discloses Personal Information to third parties only if they have satisfactory measures to protect Personal Information.
- Skybox cooperates with government and law enforcement officials and private parties to enforce and comply with the law. We will disclose any Personal Information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate to respond to claims and legal process (including but not limited to subpoenas), to protect our or a third party's property and rights, to protect the safety of the public or any person, or to prevent or stop any activity we may consider to be, or poses a risk of being, illegal, unethical, inappropriate or legally actionable. We also may be required to disclose an individual’s Personal Information in response to a lawful request by public authorities, including meeting national security or law enforcement requirements.
2.6 Links to Third Parties’ Sites
- Skybox may include or offer links to third party products or services. Skybox does not control the content or links that appear on such other sites and is not responsible for the practices they employ. These parties should have separate and independent privacy policies, and Skybox has no responsibility or liability for the content and activities of these linked sites.
2.7 Children’s Privacy
- Skybox is committed to protecting the privacy needs of children and encourages parents and guardians to take an active role in their children’s online activities and interests. Skybox does not knowingly collect information from children under the age of 18 without their parents' or guardians’ consent. Skybox relies upon the accuracy of information provided by the controller to determine age. In the event that we become aware that a user under the age of 18 has shared any information, we will discard such information. If have any reason to believe that a child under 18 has shared any information with us, please contact us at GDPR-DP@Skyboxsecurity.com.
2.8 Legal Basis for Collection
- If you are an individual from the European Economic Area, please note that our legal basis for collecting and using your Personal Information will depend on the Personal Information collected and the specific context in which we collect it.
- We normally collect Personal Information only where: (a) we have your consent to do so, (b) where we need your Personal Information to perform a contract with you (e.g. to deliver the Services you have requested), (c) where the processing is in our legitimate interests; or (d) where we are required to collect, retain or share such information under applicable laws. In some cases, we may need the Personal Information to protect your vital interests or those of another person.
- Where we rely on your consent to process your Personal Information, you have the right to withdraw or decline consent at any time. Where we rely on our legitimate interests to process your Personal Information, you have the right to object.
- If you are a job applicant, Skybox processes your personal information pursuant to one or more of the following legal bases:
- The processing is necessary in connection with our legitimate interests in recruitment and hiring candidates.
- The processing is necessary to take steps, at your request, relating to potentially entering into an employment contract with you.
- The processing is necessary to comply with our legal obligations, such as retaining records relating to the recruitment process for periods required under applicable laws or regulations.
- We may also seek your consent to process or retain your personal information in certain, limited circumstances that we clearly identify to you.
- If you have any questions about or need further information concerning the legal basis on which we collect and use your Personal Information, please contact us through the contact details available below
2.9 User Rights
- As an EU resident, you may request to:
- Receive confirmation as to whether or not Personal Information concerning you is being processed, and access your stored Personal Information, together with supplementary information.
- Receive a copy of Personal Information you directly volunteer to us in a structured, commonly used and machine-readable format.
- Request rectification of your Personal Information that is in our control.
- Request erasure of your Personal Information.
- Object to the processing of Personal Information by us.
- Request to restrict processing of your Personal Information by us.
- Lodge a complaint with a supervisory authority.
- Please note that these rights pertain to EU residents only, are not absolute, and may be subject to our own legitimate interests and regulatory requirements.
As of January 1st 2020, California residents will be granted with the following rights:
- Receive confirmation as to whether or not Personal Information concerning you is being processed, and access your stored Personal Information, which was collected in the 12 months prior to the request, together with supplementary information.
- Receive a copy of Personal Information you directly volunteer to us in the 12 months prior to the request, in a structured, commonly used and machine-readable format.
- Request erasure of your Personal Information by us.
- We will not discriminate against you if you exercise any of your privacy rights as a California Consumer. Unless permitted by the CCPA, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
- California residents may exercise their rights subject to the following terms:
- You may only request a copy of your data twice within a 12-month period.
- The request must:
- Provide sufficient information to allow us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative.
- Describe your request with sufficient details to allow us to properly understand, evaluate, and respond to it.
- We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use Personal Information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request. We will only use Personal Information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.
- Only you or a person authorized to act on your behalf may make a consumer request related to your Personal Information.
- You can designate an authorized agent to make a request under the CCPA on your behalf if:
- The authorized agent is a natural person or a business entity registered with the Secretary of State of California; and
- You sign a written declaration that you authorize the authorized agent to act on your behalf.
- If you use an authorized agent to submit a request to exercise your right to know or your right to request deletion, please mail a certified copy of your written declaration authorizing the authorized agent to act on your behalf using the contact information below.
- If you provide an authorized agent with power of attorney pursuant to Probate Code sections 4000 to 4465, it may not be necessary to perform these steps and we will respond to any request from such authorized agent in accordance with the CCPA.
However, please note that these rights are not absolute, and may be subject to our own legitimate interests and regulatory requirements.
- Users Outside the EU and California - Some of the aforementioned rights are applicable in certain jurisdictions outside the EU and California as well. Users residing outside the EU and California are welcome to contact us for any questions or requests at the details below.
- Data Subjects may send the request to the address below or through our support portal.
2.10 Protecting your Information
- Skybox follows appropriate data collection, storage and processing practices and suitable security measures in order to protect against unauthorized access, alteration, disclosure or destruction of your Personal Information, username, password, transaction information, and all other data stored on our Site.
- While Skybox strives to protect your Personal Information, we cannot ensure or warrant the security and privacy of your Personal Information or other content you transmit using the Service, and you do so at your own risk.
- We will retain your Personal Information for as long as necessary to provide our Service, and as necessary to comply with our legal obligations, resolve disputes, and enforce our policies. Retention periods will be determined taking into account the type of information that is collected and the purpose for which it is collected, bearing in mind the requirements applicable to the situation and the need to destroy outdated, unused information at the earliest reasonable time. Under applicable regulations, we will keep records containing client Personal Information, account opening documents, communications and anything else as required by applicable laws and regulations.
- The most current version will always be posted on our website (as reflected in the "Last Updated" heading).
2.14 Contact Information
- Residents of the European Union may also contact us through our EU representative –EDPO (European Data Protection Office) by:
- using EDPO’s online request form: https://edpo.com/gdpr-data-request.
- writing to EDPO at: Avenue Huart Hamoir 71, 1030 Brussels, Belgium
- Residents of the UK may also contact us through our UK entity which serves as our UK representative at:
- Tower Bridge House, St Katharine’s Way, London, United Kingdom, E1W 1DD.