Privacy Policy for Customer Portal Users – November 2, 2020

Privacy Policy for Users of the Arctic Wolf Solutions and Customer Portal

Last Updated Date:
11/02/2020

Purpose

Arctic Wolf Networks, Inc. (“AWN,” “Arctic Wolf,” “we,” “us,” “our,” or the “Company”) and its affiliates are committed to protecting the privacy of the information (“Customer Information” as defined below) provided by you and your authorized resources (“Users”, “you”, “your”) while using the Arctic Wolf Customer Portal (the “Customer Portal”) and the Arctic Wolf SOC-as-a-service or other products and services (collectively, “Solutions”). For purposes of clarity, MSP Partners (“MSP,” “MSPs”) using the Customer Portal and Solutions on behalf of its end-users are considered Users for the purposes of this Privacy Policy.
This Privacy Policy describes the Customer Information (as defined below) we collect through the Solutions and Customer Portal and the manner in which the Customer Information is used to deliver and support the Solutions.

Terms of Use

If you have any dispute over the privacy of your information, the dispute is subject to this Privacy Policy and, as applicable, the Master Solutions Agreement or Master Partner Agreement made between us, including any provisions related to the limitation of liability and application of choice of law.

Scope

This Privacy Policy covers the Customer Information collected by us from Users of the Customer Portal and Solutions and the access to and submission of Customer Information for the purpose of:
  • Opening tickets
  • Adding comments to existing tickets
  • Adding attachment(s) to tickets
  • Being authenticated to use the Solutions
  • Uploading credentials for application event monitoring
  • Obtaining configuration information, reports, and metrics related to the operation of the Solutions within your environment

Customer Information

Each User is responsible for the quality, integrity, reliability, and appropriateness of Customer Information submitted in the Customer Portal and Solutions and must comply with terms contained in the applicable Arctic Wolf Master Solutions Agreement or, in the case of an MSP, by the terms of the applicable Arctic Wolf Master Partner Agreement. The information we may collect from you while using the Customer Portal and Solutions (the “Customer Information”) includes:

Customer Information Obtained via the Customer Portal

The types of Customer Information we collect about Users of the Customer Portal includes:

1) Corporate or Employee Information
Customer Portal Users experiencing issues relating to the Solutions may submit support tickets via the Customer Portal. In the course of your creation of support tickets and our provision of support services, you may provide corporate or employee information that assists us with the definition and resolution of issues.

2) Uploaded Credentials
Customer Portal Users may upload their credentials (such as names, email addresses, phone numbers, usernames, passwords, IP addresses, geolocation data, and device ID identifiers).

Customer Information Obtained via the Solutions

When using the Solutions, the Solutions may collect, and/or you may choose to submit to us, the following:

1) System Data
The Solutions, depending on their set up and deployment in your environment, may collect log data from various sources, including your:
  • data center,
  • applications,
  • infrastructure in the cloud,
  • on-premises infrastructure, and
  • remote endpoints.
In addition, the Solutions may perform inspection of network traffic, scan internal and external-facing devices, and collect configuration data, vulnerability data, system-level inventory, and event data.

2) Uploaded Credentials
Solutions Users may be required to upload their credentials (such as names, email addresses, phone numbers, usernames, passwords, IP addresses, geolocation data, and device ID identifiers).

How We Use the Information

We use Customer Information for the following purposes:

1) Support Ticket Management and Resolution
Support tickets are the primary medium that Users and the Concierge Security™ engineers (CSEs) use to communicate issues or requests over the use and improvement of the Solutions. Both parties can comment and provide more information in a support ticket until the issue/request is resolved. The CSEs use a ticketing system to communicate security alerts to Users allowing the Users to respond and see the status of the alert until it is closed.

2) Provision of the Solutions
System Data and uploaded credentials are integral to the functionality of our Solutions. This Information is used to provision the Solutions to you and to monitor and detect security and threat incidents within your network of connected applications and systems. Uploaded credentials can be viewed and managed by Users, including your MSP, and—to a limited extent—may be accessed and viewed by Arctic Wolf employees for support ticket issue resolution. Based on your environment and configuration, Users can upload credentials in the Solutions and/or Customer Portal to:
  • configure the Solutions, and to monitor cloud infrastructure resources to detect access and misuse of a User’s networks, resources, and application instances;
  • monitor SaaS applications to detect malicious activities and potential data exposures in cloud-based applications; and
  • monitor security events related to user single sign-on and malicious endpoint activity for security providers.
3) Communication With You
Arctic Wolf may use your Customer Information for business purposes of communicating with you about Solutions in which you may be interested, updating you about changes to our terms and conditions, sending you general information about Arctic Wolf and its business, or other similar types of business purposes.

4) Improve the Customer Portal and Solutions
Arctic Wolf may aggregate and anonymize your Customer Information to create our own intellectual property. Such aggregated/anonymized data is owned by us and may be used to improve the Solutions, as well as for any other business purpose.

How We May Share the Information

We do not share, distribute, use, disclose, review, transfer, or reference any Customer Information except as set forth herein, as expressly permitted in writing by the User, as needed by an MSP to perform services for its end users, or as required or permitted by law. Additional information about our confidentiality and security practices with respect to Customer Information is available on our Information Security Overview page.
We may share Customer Information only in the manner described below. We do not control, however, how you or your third party service providers, collect, uses, shares or discloses Customer Information.
We may share or disclose Customer Information in the following ways:
  • When changing our business structure
    In the event of a proposed or completed merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of our assets, similar transactions or proceedings, or steps in contemplation of such activities, Customer Information held by us may be among the assets transferred to the buyer or acquirer;
  • When conducting our business operations
    We may use third party service providers and tools to provide services on our behalf, including billing, customer ticketing and collaboration, internal support ticketing, access and identity management, cloud hosting, customer relations management, marketing and advertising, Solution improvement projects, etc. Our service providers are only provided with information they need to perform their designated functions and are not authorized to use or disclose personal information for their own marketing or other purposes. Our service providers may be located in the U.S., Canada or other foreign jurisdictions;
  • To comply with laws
    We and our affiliates or service providers in the U.S. or other jurisdictions may disclose Customer Information to comply with applicable legal or regulatory requirements (which may include lawful access by U.S. or foreign courts, law enforcement or other government authorities) and to respond to lawful requests by public authorities, including to meet national security, law enforcement requirements, court orders and legal processes;
  • To protect rights and safety
    To protect and defend the brand, rights, property and safety of Arctic Wolf Networks, Inc. and its affiliates, Arctic Wolf customers, including enforcing contracts or policies, or in connection with investigating and preventing fraud.
If Users have any questions about its Customer Information or rights with respect to the foregoing, please contact us at dataprotection@arcticwolf.com or open a ticket via your Customer Portal.

Security

The security of Customer Information is important to us. We maintain appropriate administrative, physical, and technical safeguards to help protect the confidentiality and integrity of Customer Information, during transmission and once it is received. However, we cannot guarantee that hackers or unauthorized personnel will not gain access to Customer Information, despite our best efforts. No method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while we strive to use commercially acceptable means to protect Customer Information, we cannot guarantee its absolute security. Customer Portal Users are responsible for protecting themselves against unauthorized access to passwords, private keys and computers, and unauthorized disclosure, alteration, and destruction of Customer Information. To learn more about our Security practices, please refer to Information Security Overview.

Location of Data

All Customer Information uploaded to the Customer Portal and the Solutions may be stored within the Amazon Web Services environment, or such other third party cloud service provider(s) selected by us, within the U.S., however, Customer Information may be accessed by employees, including non-US citizens, outside of the U.S.

International Transfer of Data

Your personal information may be processed outside your jurisdiction, and in countries that are not subject to an adequacy decision by the European Commission or your local legislature and/or regulator, and that may not provide for the same level of data protection as your jurisdiction, such as the European Economic Area. We ensure that the recipient of your personal information offers an adequate level of data protection, for example, by entering into the appropriate back-to-back agreements and, if required, standard contractual clauses for the transfer of personal information as approved by the European Commission (as described in Article 46 of the General Data Protection Regulation), or we will ask you for your prior consent to such international data transfers.

Supplemental Privacy Policy Terms

Canada

  • Consent
    By using our Customer Portal or Solutions, or otherwise interacting with us, you consent to the collection, use and disclosure of Customer Information in accordance with the terms of and for the purposes set out in this Privacy Policy. Arctic Wolf may seek consent to use and disclose Customer Information after it has been collected in those cases where we wish to use the information for a new or different purpose, where consent as not already been obtained for such use or disclosure.
    If you submit personal information about an individual (i.e., your employees, personnel, account administrators, authorized resources, etc.) in connection with the use of Arctic Wolf’s Customer Portal or Solutions, you represent that you have obtained the requisite consent and/or provided appropriate notifications, as required under applicable privacy laws, including such consent and/or notifications as may be required for the transfer of personal information outside of Canada.
  • Privacy Rights
    Subject to limited exceptions under applicable law, Users may have the right to access, update and correct inaccuracies on their Customer Information. To exercise these rights, please submit a request by emailing dataprotection@arcticwolf.com or you may also call (888) 286-6726. Please be as specific as possible in relation to the Customer Information you wish to access. Once Arctic Wolf receives your request, Arctic Wolf will review it, determine whether Arctic Wolf can verify your identity, and process the request accordingly. If Arctic Wolf needs additional information to verify your identity, Arctic Wolf will let you know.

    Please be advised that ifArctic Wolf acts as data processor/service provider to process personal information, we do so on behalf of our Customer or Authorized Partner under the terms of a Master Solution Agreement, Master Partner Agreement or similar agreement, and the information you have requested therefore is under the control of such Customer or Authorized Partner. Accordingly, we will direct your request for access or related inquiry to our Customer or Authorize Partner, as applicable, and will assist our Customer or Authorized Partner to respond to your request as per our Customer’s or Authorized Partner’s instructions and in accordance with the terms of our agreement.

    Subject to legal and contractual restrictions, you may wish to withdraw your consent to our further collection, use and disclosure of your personal information upon request. Again, when we act as data processor/service provider to our Customer or Authorized Partner and process your personal information on behalf of such party, we will direct your inquiry to our Customer or Authorized Partner and will assist them in the response to your request as per our Customer’s or Authorized Partner’s instructions and in accordance with the terms of our agreement.

    If you have any questions or complaints about our handling of Customer Information including personal information, or rights with respect to the foregoing, please contact us at dataprotection@arcticwolf.com, and we will address your complaint, and otherwise further advise you of any rights you may have to complain to the relevant privacy commissioner(s).

California Consumer Privacy Act

The California Consumer Privacy Act (“CCPA”), which is effective as of January 1, 2020, regulates how Arctic Wolf handles personal information of California residents and gives California residents certain rights with respect to their personal information.
Arctic Wolf is both a “business” and a “service provider” under the CCPA. The following supplemental privacy policy applies to information Arctic Wolf collects in its role as a business. If you would like more information about how your personal information is processed by such other companies, including companies that engage Arctic Wolf as a service provider, please contact those companies directly.
This provision is effective as of January 1, 2020, shall apply only to residents of California, and may be subject to change. The general privacy policy shall continue to apply to the extent that it applies to you as a resident of California; however, if you are a resident of California, Arctic Wolf also is required to disclose certain uses and disclosures in a certain format, as well as to inform you of certain rights you may have. Any capitalized terms used in this supplemental privacy policy shall have the same meaning as in the general privacy policy.

Information Arctic Wolf May Collect:
We may collect the following categories of information:
  • Corporate or employee information that you may provide to Arctic Wolf
  • Uploaded Credentials – such as names, email addresses, phone numbers, usernames, passwords, IP addresses, geolocation data and device ID identifiers
  • System Log Data that may include personal information you elect to provide to us
For each category of information, Arctic Wolf collects the information from a variety of sources, including directly from you, from your devices, and/or from your third party providers. Arctic Wolf collects the information to:
  • provide you with support on the Solutions,
  • deliver the Solutions to you,
  • protect Arctic Wolf (including the Solutions) and its customers,
  • communicate with you regarding our Solutions and terms and conditions,
  • conduct internal marketing activities, and
  • improve our Solutions.
Arctic Wolf may share personal information with Third Parties as the term is defined under the CCPA.
Additional Disclosures:
Arctic Wolf does not sell personal information of any individual, including personal information of minors under 16 years of age.
Arctic Wolf engages certain trusted third parties to perform functions and provide services to us, including auditing, marketing, hosting and maintenance, error monitoring, debugging, performance monitoring, and other short term uses. We may share your Customer Information with these third parties, but only to the extent necessary to perform these functions and provide such services. We require these third parties to maintain the privacy and security of the Customer Information they process on our behalf.
Arctic Wolf has disclosed the following categories of personal information for business purposes and valuable consideration in the 12 months prior to this Privacy Policy’s last update:
Identifiers (names, email addresses, phone numbers, mailing address) YES
Commercial Information (Solution information) YES
Geolocation Data NO
Do Not Sell My Personal Information:
Arctic Wolf does not sell your personal information as defined under CCPA.

Your Rights:
You may have certain rights with respect to your personal information, including:
  • The right to access, including the right to know the categories and specific pieces of personal information Arctic Wolf collects;
  • The right to deletion of your personal information, subject to certain limitations under applicable law;
  • The right to request disclosure of information collected;
  • The right to disclosure of information disclosed for valuable consideration; and
  • The right not to be discriminated against for exercising certain rights under California law.
To exercise these rights, please submit a request by emailing dataprotection@arcticwolf.com or you may also call (888) 286-6726. Please be as specific as possible in relation to the personal information you wish to access. Once Arctic Wolf receives your request, Arctic Wolf will review it, determine whether Arctic Wolf can verify your identity, and process the request accordingly. If Arctic Wolf needs additional information to verify your identity, Arctic Wolf will let you know. Arctic Wolf will respond to your request within 45 days of receipt or notify you if Arctic Wolf requires additional time.
If you would prefer, you may designate an authorized agent to make a request on your behalf.

Changes to this Privacy Policy

We reserve the right to modify this Privacy Policy at any time. Updates to the Privacy Policy will be posted on the Arctic Wolf Website with an indication of when it has been updated. We encourage you to periodically review this Privacy Policy for any changes.

Additional Information

Questions regarding this privacy policy or about the manner in which we or our service providers treat your Customer Information can be directed to us by sending an email to dataprotection@arcticwolf.com or by regular mail addressed to:

Arctic Wolf Networks, Inc.
Attn: Information Security and Data Protection Officer
P.O. Box 46390
Eden Prairie, MN 55344
U.S.A.