Data Processing on behalf of Subscriber Organizations

Contents

  1. Scope of this notice
  2. What types of information do we collect
  3. Callsign Product Specific Data
  4. Why do we collect this information?
  5. Automated Processing of Information
  6. Who we give information to
  7. Storage, security and retention of Personal Data
  8. Data Privacy
  9. Data processing notice changes

Scope of this notice

Callsign helps Subscriber Organizations - those who purchase our authentication products and services - to protect their customer and/or colleague facing systems and services against fraudulent activity and authenticate users to these systems and services.

This notice has been created purely to be helpful for our customers and explains how Callsign processes data for our Subscriber Organizations who have contracted for our services and solutions. This only applies to products and services hosted and managed by Callsign. In this capacity Callsign operates as a data processor on behalf of the Subscriber Organization who is the data controller.

Subscriber Organizations are responsible for their own data protection compliance and must carry out their own assessment of the processing, but they may find this notice useful when doing so.

Out of Scope of this Notice

This notice does not cover products or services sold by Callsign that are installed, managed and processed by the Subscriber Organization directly on their own infrastructure. It also does not cover the Callsign Mobile App hosted on Marketplace stores, for which Callsign is a joint data controller alongside Subscriber Organizations who use the Mobile App for Employee Authentication purposes, or the Callsign websites. To learn more, please see the Callsign Privacy Notices.

Who is Callsign?

"Callsign Limited" is registered at 150 Cheapside, London, EC2V 6ET with company number 07277719 and "Callsign Inc." is registered at 2225 East Bayshore Road, Palo Alto, California, 94303, USA.

The Callsign Data Processing Notice applies to Callsign Inc. (“Callsign” or “we”). The individual or organization that subscribes to the Service or uses our websites will be referred to as the “Subscriber Organization”.

How to contact Callsign

If you have any questions regarding our processing notice or use of your personal information, please contact us using the below methods:

Address: Callsign Inc., 150 Cheapside, London, EC2V 6ET
Email: gdpr@callsign.com
Website: https://support.callsign.com

Where we are acting on behalf of the Subscriber Organization, we will redirect your request directly to our customer. To do this we may require you to additionally verify your identity prior to proceeding.

What types of information do we collect?

Onboarding Data

Onboarding an Organization to Callsign services requires the Subscriber Organization to register their customer base with Callsign. This can be done by registering unique identifiers with Callsign to represent their individual users and customers across Callsign Products. Depending on the products and services that the Subscriber Organization utilizes, this can include the following:

  • (Mandatory) A unique identifier for the user. This can be a newly created alias unique to and used specifically for Callsign profiles. Alternatively, this could be a variety of PII - e.g. natural legal name, email address or username - used internally by the Subscriber Organization and shared with Callsign; and,
  • (Optional) Date of birth; and/or,
  • (Optional) Email address (where another unique identifier is used); and/or,
  • (Optional) Telephone number(s)

Callsign Product Specific Data

Service Usage data

| Source(s) of Data | Group of Personal Data | Group of Personal Data Details | Products |
| --- | --- | --- | --- |
| A Subscriber Organization’s Colleagues | Service Usage Data | Profile Onboarding (mandatory) A unique identifier for the user. This can be a newly created alias unique to and used specifically for Callsign profiles. Alternatively, this could be a variety of PII – e.g. natural legal name, email address or username – used internally by the Subscriber Organization and shared with Callsign; and, Date of birth; and/or, Email address (where another unique identifier is used); and/or, Telephone number(s) | Internal Onboarding |
| | | Usage Data Audit data about how and when a Subscriber Organization’s Operational Colleagues use these managerial and service portals. | Policy Manager & Policy Engine; Intelligence Engine; Authentication Manager & Authentication Engine; Number Insight Service; Message Delivery Service; Call Challenge Service; Employee Dashboard |
| A Subscriber Organization’s Customers | Service Usage Data | Authentication Data Data related to how a Subscriber Organization’s customer authenticates themselves. This varies client by client based on the authentication methods they want to support for their users. | Authentication Manager & Engine; Policy Manager & Engine; Message Delivery Service; Call Challenge Service |

Analytics data

| Source(s) of Data | Group of Personal Data | Group of Personal Data Details | Products |
| --- | --- | --- | --- |
| A Subscriber Organization’s Customers via web or mobile applications embedding Callsign SDKs | Analytics Data | Technical Device Data related to how a Subscriber Organization’s customer accesses their protected assets. This includes device details like IP addresses and other device fingerprint data useful for identifying a device. | Intelligence Engine; Policy Manager & Engine |
| | | Telecommunications data Included is mobile or landline device attributes associated with the carrier and telecoms communication details. | Number Insight Service; Message Delivery Service; Call Challenge Service |
| | | Locational Data related to a Subscriber Organization’s customer location during their attempt to access a Callsign protected asset (e.g. website) from their mobile phone or the address where they connect a computer to the internet. | Intelligence Engine; Policy Manager & Engine |
| | | Behavioral (special category data) Data about how a Subscriber Organization’s customers or colleagues interact with a protected asset. This is special category data. | Intelligence Engine |
| | | Transactional Data about a Subscriber Organization customer’s transactions including monetary transaction amounts and bank account information. | Intelligence Engine; Policy Manager & Policy Engine; Message Delivery Service; Call Challenge Service |

Why do we collect this information?

| Group of Personal Data | What Callsign uses the personal information for | The lawful basis for the processing |
| --- | --- | --- |
| Service Usage Data | To deliver our management information portals and configuration services for our products. To assist Subscriber Organizations to appropriately authenticate their users (colleagues or customers). | The controller's compliance with a legal obligation. This will be based upon the nature of their business and use of our technology product services within it. The controller's legitimate interests being the detection, investigation, reporting and prevention of misuse of their services or applications. The controller's legitimate interests of digital forensics in the case of a security breach. |
| Service Usage Data; Analytics Data | To assist Subscriber Organizations in processing data for the purposes of detecting, investigating, reporting and preventing misuse of their services. To assist in managing Client Organizations' risk. To assist Subscriber Organizations in meeting regulatory standards on strong customer authentication. | The controller's legitimate interests in developing and improving the statistical analysis of fraud and informing security risks to Subscriber Organizations. The legitimate interests in return improving our service capability for verifying legitimate users and identifying fraudulent or at-risk users on behalf of Subscriber Organizations. |

Automated Processing of Information

Subscriber Organizations may use some Callsign Products or services to create and manage their security policies. These policies can make dynamic authentication decisions by considering risk data from other Callsign products, as well as Subscriber Organization data and customer preferences that might be provided directly.

These policies are defined by the Subscriber Organization – commonly Fraud & Security Operations specialists – and usually in line with the balance of business risk and customer experience considerations. As a result, the policies written may differ from Organization to Organization. Therefore, the scope and scale of automated decisioning is defined by Organizations and not Callsign.

Should you have an issue with automated decision making or wish to challenge an outcome from a Subscriber Organization you believe is using our services please contact them directly. In the event you do contact Callsign we will forward your request onto the Subscriber Organization. To do this we may require you to additionally verify your identity prior to proceeding.

Who we give information to:

We may give personal data to:

  • Any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, who support our processing of personal data under this policy.
  • Third-party organizations that process data on our behalf in order to improve or enhance our products or services.

We may also disclose personal data to third parties:

  • In the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets subject to the terms of this privacy policy.
  • If Callsign or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
  • If we are under a duty to disclose or share personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of supply and other agreements; or to protect the rights, property, or safety of Callsign, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction and to prevent cybercrime.

Storage, security and retention of Personal Data

How is personal information protected?

Callsign holds personal data and will not disclose personal data to anyone outside of the organization, except where necessary for the purposes stated in this Processing notice. Callsign will ensure that the appropriate safeguards are in place to ensure that in these instances, data is held in accordance with the General Data Protection Regulation.

Callsign Product:

Callsign offers Subscriber Organizations many geographical options for running our products and services. This is offered to best meet the needs of our Subscriber base and ensure the highest level of performance of our services by hosting capabilities in close geographical proximity to their own customers.

As of 01 January 2019, Callsign processes and stores data in the following locations:

  • Data Centre 1: Ireland
  • Data Centre 2: Germany

We ensure the security of the data we store by adopting appropriate data, application, transport and network security measures.

Data Processing

Callsign looks to minimize the amount of data we process on behalf of Subscriber Organizations. To do this, we only collect the data that we believe to be important and tested, and therefore useful in the identification of fraudulent behavior. We do this through internal research and empirical application in controlled internal environments. This means that the data we collect and process is validated and verified as useful for the identification of security and fraud issues and as adding value to the protection of our Subscriber Organizations.

Location of Processing

Callsign processes data in Ireland, Germany and the UK. We take steps to ensure the security of the data we process in whatever location we process it.

How long does Callsign keep personal information?

Callsign will retain data for the length required by contractual obligations imposed by Subscriber Organizations to ensure we provide the information required to provide our service and fulfil our customer transactions. We may keep data for longer than necessary to provide our services where we cannot delete it for legal, regulatory or technical reasons. If we do, we will make sure that the customer’s data is protected and only use it for those purposes for which it was originally obtained.

Data Privacy

Callsign treats data privacy as paramount. This section outlines our obligations and recommendations to our Subscriber Organizations who use the Callsign product(s).

Notifying Customers

Subscriber Organizations should ensure mechanisms are in place to adhere to the requirement of lawful processing of customer data by Callsign.

This includes but is not exclusive to:

  • ensuring that there is a lawful basis for the processing of the customer personal data;
  • ensuring that data subjects are given the information set out in articles 13 and 14 of the GDPR (usually in the form of a privacy notice); and
  • advising of the purpose of usage being for fraud prevention and therefore the lawful basis is that the processing is necessary to pursue a legitimate interest, that is not overridden by the rights of the customer.

The above notice should cater for all applicable Callsign Products and Services an Organization subscribes to - where Callsign hosts the service - and cover the following as applicable:

  • the collection of personal data via our data collection capabilities embedded within a Subscriber Organization's website(s) or mobile app(s); and,
  • the sending of personal data by a Subscriber Organization to us for data enrichment and authentication purposes; and,
  • the processing of this data via Callsign products and services.

Notifying Colleagues

Applications which are used by a Subscriber Organization’s employees (e.g. typically Operational Staff or analysts to monitor, define and review our services) should be justified by the Subscriber Organizations under the applicable legislative grounds.

Data Subjects' Rights

At any point while we are in possession of or processing personal data the data subjects have the following rights under certain circumstances:

  • Right to be informed – individuals have the right to be informed by the controller about how their data is used.
  • Right of access – individuals have the right to request a copy of the information that the controller holds about them.
  • Right of rectification – individuals have a right to correct data that the controller holds about them that is inaccurate or incomplete.
  • Right to be forgotten – in certain circumstances individuals can ask for the data the controller holds about them to be erased.
  • Right to restriction of processing – where certain conditions apply individuals have a right to restrict the processing.
  • Right of portability – individuals have the right to have the data the controller holds about them transferred to another organization.
  • Right to object – individuals have the right to object to certain types of processing such as direct marketing.
  • Right to object to automated processing, including profiling – individuals also have the right not to be subject to the legal effects of automated processing or profiling.
  • Right to withdraw consent – where the processing of personal information by the controller is based on consent, individuals have the right to withdraw that consent without detriment at any time by contacting the controller.
  • Right to complain – individuals have the right to raise any concerns with the Information Commissioner’s Office (ICO).

Where we are acting on behalf of the Subscriber Organization, we will redirect any request directly to our customer.

Contacting Callsign about data processing questions or concerns

If you have any questions or any queries, requests or complaints in regard to the use of personal data on behalf of Subscriber Organizations then please contact Callsign by sending an email to the following address (indicating “PRIVACY REQUEST” in the message line): gdpr@callsign.com or by sending a letter to:

Callsign Inc.,
150 Cheapside
London
EC2V 6ET

If you contact Callsign by e-mail or letter, we may keep a record of your correspondence or comments. We may ask for your name, e-mail address and contact information in order to send you a reply.

Data processing notice changes

This Data Processing Notice was last changed on 14/03/2019. Callsign may change, modify, add or remove portions of this Data Processing Notice at any time, and any changes will become effective immediately upon being posted unless stated otherwise.