Data Processing on behalf of Subscriber Organizations

Scope of this document

Callsign helps Subscriber Organizations (customers) - those who purchase our authentication products and services - to protect their customer and/or colleague facing systems and services against fraudulent activity and authenticate users to these systems and services.

This document has been created purely to be helpful for our customers who have contracted for our services and solutions and explains how Callsign processes personal data for them. This only applies to products and services hosted and managed by Callsign. In this capacity Callsign operates as a data processor on behalf of the Subscriber Organization, who is the data controller.

Subscriber Organizations are responsible for their own data protection compliance and must carry out their own assessment of the processing, but they may find this document useful when doing so.

Out of Scope of this document

This document does not include products or services sold by Callsign but instead it relates to those products installed, managed and processed by the Subscriber Organization either directly on their own infrastructure or by using Callsign cloud environment. It also does not include the Callsign Mobile App hosted on Marketplace stores for which Callsign is a joint controller alongside Subscriber organisations who use this app for Employee Authentication purposes. To learn more, please see the Callsign Privacy Notices.

Who is Callsign?

"Callsign Limited" is registered at Chancery House, 53-64 Chancery Lane, London, WC2A 1QSL with this company number 07277719 and is a subsidiary of “Callsign Inc.” which is registered at 4 Palo Alto Square, 3000 El Camino Real, Building 4, Suite 200, Palo Alto 94306, California.

How to contact Callsign

If you have any questions regarding our processing notice or use of your personal information, please contact us using the below methods:

Address: Callsign, Chancery House, 53-64 Chancery Lane, London, WC2A 1QSL
Email: dpo@callsign.com

Where we are acting on behalf of the Subscriber Organization, we will redirect your request directly to our customer. To do this we may require you to additionally verify your identity prior to proceeding.

What types of information do we collect?

Onboarding Data

Onboarding an Organization to Callsign services requires the Subscriber Organization to register their customer base with Callsign. This can be done via registering unique identifiers with Callsign to represent their individual users and customers across Callsign Products. This can include the following depending on the products and services that Subscriber Organization utilizes:-

(mandatory) A unique identifier for the user. This can be a newly created alias unique to and used specifically for Callsign profiles. Alternatively, this could be a variety of PII - e.g., natural legal name, email address or username - used internally by the Subscriber Organization and shared with Callsign; and,
(Optional) Date of birth; and/or,
(Optional) Email address (where another unique identifier is used); and/or,
(Optional) Telephone number(s)

Callsign Product Specific Data

Service Usage data

Source(s) of Data	Group of Personal Data	Group of Personal Data	Details	Products
Provided by a Subscriber Organization Colleagues during Onboarding or Registration	Service Usage Data	Colleague Registration Data	Data related to the registration of Operational Colleague(s) to the front-end application portals that allow configuration of fraud controls and view of insights and analytics.	All products
	Service Usage Data	Usage Data	Audit data about how and when a Subscriber Organization’s Operational Colleagues use these managerial and service portals.	Policy Manager Identity Manager Enterprise Manager
Provided by Subscriber Organization during Onboarding or Subscribers during Registration	Service Usage Data	Registration & Onboarding Data	(mandatory) A unique identifier for the user. This can be a newly created alias unique to and used specifically for Callsign profiles. Alternatively, this could be a variety of PII – e.g. natural legal name, email address or username – used internally by the Subscriber Organization and shared with Callsign; and, Date of birth; and/or, Email address (where another unique identifier is used); and/or, Telephone number(s)	Identity Manager
Provided via Subscribers interaction with the service		Authentication Data	Data related to how a Subscriber Organization’s customer authenticates themselves. This varies client by client based on the authentication methods they want to support for their users.	Authentication Manager & Engine Policy Manager & Engine

Analytics data

Source(s) of Data	Group of Personal Data	Group of Personal Data	Details	Products
A Subscriber Organization’s Customers via web or mobile applications embedding Callsign SDKs	Analytics Data	Device	Data related to how a Subscriber Orgs customers access protected online assets e.g. browsers, webpages and apps. This includes device details associated with interactions on a Subscribers website or mobile app or mobile device attributes associated with carrier, MNO and telecoms communications. This will also include browser information and the details of the computer machine for accessing websites.	Collected via… Web SDK iOS SDK Android SDK Windows SDK Number Insight Processed by… Intelligence Engine Identity Manager Message Delivery Call Challenge Can be referenced & stored by… Policy Manager & Policy Engine (where purchased) Intelligence Engine
		Location	Data related to where Subscribers access a Subscriber Orgs online asset (e.g. website) from their mobile phone or the address where they connect a computer to the internet.	Collected via… Web SDK iOS SDK Android SDK Windows SDK Processed by… Intelligence Engine Can be referenced & stored by… Policy Manager & Policy Engine (where purchased)
		Behavioral (special category data)	Data about how Subscribers interact with a Subscriber Organization website or app. We also collect information about how you interact on your device to access Subscriber Organization website or app. This is a special data category.	Collected via… Web SDK iOS SDK Android SDK Windows SDK Processed and stored by... Intelligence Engine

Why do we collect this information?

Group of Personal Data

What Callsign use the personal information for

Service Usage Data

To deliver our management information portals and configuration services for our products.

To assist Subscriber Organization’s to appropriately authenticate their users (colleagues or customers).

Analytics Data

To assist Subscriber Organizations in processing data for the purposes of detecting, investigating, reporting and preventing misuse of their services.

To assist in managing Client Organizations risk.

To assist Subscriber Organizations in meeting regulatory standards on strong customer authentication

Automated Processing of Information

Subscriber Organizations may use some Callsign Products or services to create and manage their security policies. These policies can make dynamic authentication decisions by considering risk data from other Callsign products, as well as Subscriber Organization data and customer preferences that might be provided directly.

These policies are defined by the Subscriber Organization – commonly Fraud & Security Operations specialists – and usually in line with the balance of business risk and customer experience considerations. As a result, the policies written may differ from Organization to Organization. Therefore, the scope and scale of automated decisioning is defined by Organizations and not Callsign.

Should you have an issue with automated decision making or wish to challenge an outcome from a Subscriber Organization you believe is using our services please contact them directly. In the event you do contact Callsign we will forward your request onto the Subscriber Organization. To do this we may require you to additionally verify your identity prior to proceeding.

Who we give information to:

We may give personal data to:

Any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, who support our processing of personal data under this policy.
Third-party organizations that process data on our behalf in order to improve or enhance our products or services.

We may also disclose personal data to third parties:

In the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets subject to the terms of this privacy policy.
If Callsign or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.
If we are under a duty to disclose or share personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of supply terms and other agreements; or to protect the rights, property, or safety of Callsign, our customers, or others. This includes exchanging information with other companies and organizations for the purposes of fraud protection and credit risk reduction and to prevent cybercrime.

Storage, security and retention of Personal Data

How is personal information protected?

Callsign holds personal data and will not disclose personal data to anyone outside of the organization, except where necessary for the purposes stated in this Processing notice. Callsign will ensure that the appropriate safeguards are in place to ensure that in these instances, data is held in accordance with the General Data Protection Regulation.

Callsign Product:

Callsign offers Subscriber Organizations many geographical options for running our products and services. This is offered to best meet the needs of our Subscriber base and ensure the highest level of performance of our services by hosting capabilities in close geographical proximity to their own customers.

As of 01 January 2022, Callsign, processes and stores data in the following locations:

Ireland,
US,
Hong Kong,
Singapore,
Bahrain, and
Cape town.

We ensure the security of the data we store by adopting appropriate data, application, transport and network security measures.

Data Processing

Callsign looks to minimize the amount of data we process on behalf of Subscriber Organizations. To do this we only collect the data that we believe to be important and tested and therefore useful in the identification of fraudulent behavior. We do this through internal research and empirical application in controlled internal environments. This means that data we collect, and process is validated and verified as useful for the identification of security and fraud and if it will add value to the protection of our Subscriber Organizations.

How long does Callsign keep personal information?

Callsign will retain data for the length required by contractual obligations imposed by Subscriber Organizations to ensure we provide the information required to provide our service and fulfil our customer transactions. We may keep data for longer than necessary to provide our services where if we cannot delete it for legal, regulatory or technical reasons. If we do, we will make sure that the customer’s data is protected and only use it for those purposes for which it was originally obtained.

Data Privacy

Callsign treats data privacy as paramount. This section outlines our obligations and recommendations to our Subscriber Organizations who use the Callsign product(s).

Notifying Customers

Subscriber Organizations should ensure mechanisms are in place to adhere to the requirement of lawful processing of customer data by Callsign.

This includes but is not exclusive to:

ensuring that there is a lawful basis for the processing of the customer personal data;

ensuring that data subjects are given the information set out in articles 13 and 14 of the GDPR (usually in the form of a privacy notice); and

The above document should cater for all applicable Callsign Products and Services an Organization subscribes to - where Callsign hosts the service - and cover the following as applicable: -

the collection of personal data via our data collection capabilities embedded within an Subscriber Organization's website(s) or mobile app(s);

the sending of personal data by a Subscriber Organization to us for data enrichment and authentication purposes; and,

the processing of this data via Callsign products and services along with conducting analysis and research to improve and develop the services on behalf of subscriber organizations.

Notifying Colleagues

Applications which are used by a Subscriber Organization’s employees (e.g., typically Operational Staff or analysts to monitor, define and review our services) should be justified by the Subscriber Organizations under the applicable legislative grounds.

Data Subjects' Rights

At any point while we are in possession of or processing personal data the data subjects have the following rights under certain circumstances:

At any point while we are in possession of or processing personal data the data subjects have the following rights under certain circumstances:
Right to be informed – individuals have the right to be informed by the controller about how their data is used.
Right of access – individuals have the right to request a copy of the information that the controller holds about you.
Right of rectification – individuals have a right to correct data that the controller holds about them that is inaccurate or incomplete.
Right to be forgotten – in certain circumstances individuals can ask for the data the controller holds about them to be erased.
Right to restriction of processing – where certain conditions apply individuals have a right to restrict the processing.
Right of portability – individuals have the right to have the data the controller holds about them transferred to another organization.
Right to object – individuals have the right to object to certain types of processing such as direct marketing.
Right to object to automated processing, including profiling – individuals also have the right to be subject to the legal effects of automated processing or profiling.
Right to withdraw consent: Where the processing of personal information by the controller is based on consent, individuals have the right to withdraw that consent without detriment at any time by contacting the controller.
Right to complain: individuals have the right to raise any concerns with the Information Commissioner’s Office (ICO), which can be done so here.

Where we are acting on behalf of the Subscriber Organization, we will redirect any request directly to our customer.

Contacting Callsign about data processing questions or concerns

If you have any questions or any queries, requests or complaints in regard to the use of personal data on behalf of Subscriber Organizations then please contact Callsign by sending an email to the following address (indicating “PRIVACY REQUEST” in the message line): dpo@callsign.com or by sending a letter to:

Callsign, Chancery House, 53-64 Chancery Lane, London, WC2A 1QSL

We have also appointed IT Governance Europe Limited to act as our EU representative. If you have any queries in relation general privacy matters, please email our Representative at eurep@itgovernance.eu. Please ensure to include our company name in any correspondence you send to our Representative.

If you contact Callsign by e-mail or letter, we may keep a record of your correspondence or comments. We may ask for your name, e-mail address and contact information in order to send you a reply.

Data processing document changes

This document was last changed on 04/12/2023. Callsign may change, modify, add or remove portions of this document at any time, and any changes will become effective immediately upon being posted unless stated otherwise.

Request a demo

General enquiries, support and press

Thank you for your request