Legal and Privacy Information

Idera’s GDPR Commitment

Idera, Inc., together with its subsidiaries CopperEgg Corporation, Uptime Software, Inc. and Precise Software Solutions, Inc. (collectively, “Idera”) is committed to the General Data Protection Regulation (“GDPR”), which will go into effect on May 25, 2018. The GDPR regulation contains the most significant changes to European data privacy legislation in the last 20 years. It is designed to give European Union (“EU”) citizens more control over their data and seeks to unify a number of existing privacy and security laws under one comprehensive law. The GDPR applies to all companies that do business with EU citizens or process data of EU citizens regardless of the location of the company that is processing such data. To that end, the GDPR applies to Idera.

Our customers can trust that Idera has made GDPR a priority and has devoted significant and strategic resources toward our efforts to adhere to GDPR.

Like many other global software companies, Idera is in the process of rolling out its company-wide GDPR policy program starting on May 25, 2018. Idera appreciates that its customers have requirements under the GDPR, which are directly impacted by their use of Idera’s products and services, and Idera is committed to helping its customers fulfill their requirements under the GDPR and local law.

Idera will keep you inform through its website about its commitment to the GDPR requirements; however, should you have any questions or concerns, please do not hesitate to contact our legal department at legal@idera.com.

Frequently Asked Questions about GDPR Compliance1

Idera, Inc., together with its subsidiaries, CopperEgg Corporation, Uptime Software, Inc., AquaFold, Inc, Embarcadero Technologies, Inc., Sencha, Inc., Precise Software Solutions, Inc., Embarcadero Technologies Europe Ltd., Gurock Software GmbH and Ranorex GmbH (collectively, the “Company”) prepare this document to help you clarify some common confusions around the General Data Protection Regulation (“GDPR”). The Company recognizes the importance of the evolving legal and regulatory landscape around information security and data privacy and remains firmly committed to GDPR readiness.

  • Does my data need to be stored in Europe?

    No. The GDPR does not contain any obligation to store information in Europe. However, transfers of European personal data outside the European Economic Area (EEA) generally require that a valid transfer mechanism be in place to protect the data once it leaves the EEA. The GDPR does not invalidate or override the EU Model Clauses or the EU-U.S. and Swiss-U.S. Privacy Shield Framework, which are both legally valid mechanisms to ensure the legal transfer of personal data into and out of the EEA. The Company ensures that its customers can comply by offering its customers a data processing agreement (“DPA”) that incorporates the Model Clauses as approved by the European Commission.

  • Is it required for me as a customer to have a DPA with the Company?

    For customers of the traditional software model (all Idera entities except Gurock and CopperEgg) e.g. customer that uses a traditional perpetual product that is not hosted by any Idera subsidiary. These customers do not need to sign a DPA with the Company because Idera and its subsidiaries (except Gurock and CopperEgg) are not processing EEA personal data on behalf of their customers. We have prepared the Company Privacy and Security Statement, available here, which explains our technical and organizational security measures to protect your data. In addition, if you want to learn more about how the Company collects, processes and uses your personal information, please review our Privacy Statement here.

    For customers of our SaaS solution, e.g. Gurock and CopperEgg customers, that are located in the EEA must sign a DPA with Gurock or CopperEgg. The DPA will reflect our agreement that will govern the processing of personal data. Putting another way, it is an agreement that CopperEgg and Gurock as a SaaS platform can process personal data on your behalf.

  • Does the GDPR apply to company that is established outside the European Union?

    Yes. The GDPR applies to all companies regardless of where it is located to the extent the company process personal data in the context of (A) offering goods and services (whether paid or not) to people in the EEA; or (B) monitoring the behavior of people in the EEA, for example by placing cookies on the devices of EEA individuals.

  • Is it required to have consent from individuals to process their personal data?

    Consent is only one of the legal bases a company can use for the processing of personal data. For example, the company can process personal data (A) when necessary for the performance of a contract to which the data subject (the individual whose data is processed) is a party; (B) when there is a legal obligation to do so (such as the submission of employee data to a tax authority); and (C) sometimes even on the basis of legitimate interests, such as commercial and marketing goals. The legitimate interest must, however, outweigh any detriment to the privacy of the data subject.

  • What is the difference of ‘data controller’ and ‘data processor’?

    Data Controller is the owner of their information and decides how that information should be used. Data Processor is an entity who processes the personal data of the Data Controller and carries out instructions of the Data Controller with regard to this data. Generally speaking, when the Company collects data from a customer in order to create an account, the Company will be the Data Controller. However, under limited circumstances, for example, for the SaaS solutions – solely for Gurock and CopperEgg’s customers – the Company will be the Data Processor because the customers of Gurock and CopperEgg will be the Controllers of their content, including any associated personal information they place or generate in Gurock or CopperEgg systems. Formal definitions from the GDPR full text may be found at http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf

  • As an owner of the data (e.g. data subject) located in the EEA, do I have the absolute right to be forgotten? Putting another way, is the Company obligated to delete all my personal data upon my request?

    No. The right to erasure (or right to be forgotten) is not absolute. The Company may refuse to honor the request if continued processing is necessary for compliance with a legal obligation which requires processing by Union or Member State law to which the Company is subject. In addition, the Company can refuse to honor the request for the establishment, exercise or defense of legal claims. Therefore, several relevant factors have to be taken into account when considering a request for deletion of personal data by the data subject. Note, however, that data subjects have an absolute right to prevent their personal data from being processed for direct marketing purposes.

  • Does the GDPR require encryption of all personal data?

    No. The GDPR does not mandate specific security measures. Instead, the GDPR requires organizations to take technical and organizational security measures which are appropriate to the risks presented. Encryption at rest and pseudonymization may be appropriate depending on the circumstances, but they are not mandated by the GDPR in every instance. The following are kinds of security actions considered “appropriate to the risk” (1) the pseudonymization and encryption of personal data (as mentioned); (2) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (3) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (4) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

1NOTE: The above information is provided by the Company for informational purposes only and is not intended to serve as legal advice. You should contact your attorney to obtain advice with respect to any particular GDPR question, issue or problem.

Frequently Asked Questions about GDPR Compliance2 *Applicable only for CopperEgg customers

Idera, Inc., together with its subsidiaries, CopperEgg Corporation, Uptime Software, Inc., AquaFold, Inc, Embarcadero Technologies, Inc., Sencha, Inc., Precise Software Solutions, Inc., Embarcadero Technologies Europe Ltd., Gurock Software GmbH and Ranorex GmbH (collectively, the “Company”) prepare this document to help you clarify some common confusions around the General Data Protection Regulation (“GDPR”). The Company recognizes the importance of the evolving legal and regulatory landscape around information security and data privacy and remains firmly committed to GDPR readiness.

  • Does my data need to be stored in Europe?

    No. The GDPR does not contain any obligation to store information in Europe. However, transfers of European personal data outside the European Economic Area (EEA) generally require that a valid transfer mechanism be in place to protect the data once it leaves the EEA. The GDPR does not invalidate or override the EU Model Clauses or the EU-U.S. and Swiss-U.S. Privacy Shield Framework, which are both legally valid mechanisms to ensure the legal transfer of personal data into and out of the EEA. The Company ensures that its customers can comply by offering its customers a data processing agreement (“DPA”) that incorporates the Model Clauses as approved by the European Commission.

  • What is a DPA or Data Processing Agreement?

    The DPA is an agreement that will govern the processing of personal data that customer uploads or otherwise provides to CopperEgg in connection with the services and the processing of any personal data that CopperEgg uploads or otherwise provides to customer in connection with the services. The DPA is incorporated into the main Agreement that customer has in place with CopperEgg. CopperEgg will process personal data in accordance with its obligations pursuant to the CopperEgg DPA.

  • Is it required for me as a customer of CopperEgg to have a DPA with CopperEgg?

    If you have determined that you qualify as a data controller under the GDPR (please see the definition of data controller and data processor below), and need a data processing agreement in place with vendors that process personal data on your behalf, we want to help make things easy for you. Our GDPR compliant DPA is attached and ready for your acceptance (e.g. electronic signature) here. By agreeing to enter into our DPA you are ensuring that adequate safeguards are in place with respect to the protection of such personal data as required by EU Data Protection Laws.

  • What happens if I don’t have a current agreement with CopperEgg?

    The DPA is an addendum to and is incorporated into reference in the main Agreement between CopperEgg and its customers. The customer entity signing the DPA must be the same as the customer entity party to the main Agreement. If the customer entity signing CopperEgg DPA is not a party to the main Agreement directly with CopperEgg, but is instead a customer indirectly of CopperEgg services, this DPA is not valid and is not legally binding. Such entity should contact the CopperEgg customer to discuss whether any amendment to its agreement with such CopperEgg customer may be required.

  • Does the GDPR apply to company that is established outside the European Union?

    Yes. The GDPR applies to all companies regardless of where it is located to the extent the company process personal data in the context of (A) offering goods and services (whether paid or not) to people in the EEA; or (B) monitoring the behavior of people in the EEA, for example by placing cookies on the devices of EEA individuals.

  • Is it required to have consent from individuals to process their personal data?

    Consent is only one of the legal bases a company can use for the processing of personal data. For example, the company can process personal data (A) when necessary for the performance of a contract to which the data subject (the individual whose data is processed) is a party; (B) when there is a legal obligation to do so (such as the submission of employee data to a tax authority); and (C) sometimes even on the basis of legitimate interests, such as commercial and marketing goals. The legitimate interest must, however, outweigh any detriment to the privacy of the data subject.

  • What is the difference of ‘data controller’ and ‘data processor’?

    Data Controller is the owner of their information and decides how that information should be used (e.g. CopperEgg customer). Data Processor is an entity who processes the personal data of the Data Controller and carries out instructions of the Data Controller with regard to this data (e.g CopperEgg). Formal definitions from the GDPR full text may be found at http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf

  • Does the GDPR require encryption of all personal data?

    No. The GDPR does not mandate specific security measures. Instead, the GDPR requires organizations to take technical and organizational security measures which are appropriate to the risks presented. Encryption at rest and pseudonymization may be appropriate depending on the circumstances, but they are not mandated by the GDPR in every instance. The following are kinds of security actions considered “appropriate to the risk” (1) the pseudonymization and encryption of personal data (as mentioned); (2) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (3) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (4) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

2NOTE: The above information is provided by the Company for informational purposes only and is not intended to serve as legal advice. You should contact your attorney to obtain advice with respect to any particular GDPR question, issue or problem.

Idera Privacy and Security Statement

Idera Inc., together with its US subsidiaries, Uptime Software, Inc., AquaFold, Inc, Embarcadero Technologies, Inc., CooperEgg Corporation, Sencha, Inc. and Precise Software Solutions, Inc. (collectively, “Company”), is committed to respecting and protecting the privacy of its customers, partners and website visitors (collectively “You” or “Your”). For more information about our Privacy Statement, please click here.

The security of your personal information is very important to the Company. We use robust security measures, which encompass both technical and organizational security controls, to prevent data loss, information leaks, or other unauthorized data processing operations. The Company incorporates encryption, incident management, network and system integrity, and availability and resilience requirements into its security program.

In addition, the Company uses standard security protocols mechanisms to exchange the transmission of sensitive data such as credit card details. When you enter sensitive personal information such as your credit card number on our site, we encrypt it using secure socket layer (SSL) technology.

In the event that your personal information is acquired, or is reasonably believed to have been acquired, by an unauthorized person and applicable law requires notification, the Company will notify you by e-mail or mail. The Company will give you notice promptly, consistent with the reasonable needs of law enforcement and/or the Company to determine the scope of the breach and to investigate and restore the integrity of the data system.

If you have additional questions about privacy, please contact us at compliance@idera.com.