Chronicle SOAR Privacy Notice

Effective Date: November 7, 2022

CyArx Technologies Ltd. and its subsidiaries, d/b/a Chronicle SOAR (collectively “Chronicle SOAR”, “we”, “our” or “us”) respects the privacy of its users (“user” or “you”) in connection with their use of our website (“Website”), software products (the “Software”), and related services (collectively the “Service(s)”) that we offer prospective and actual customers.

This Privacy Notice (“Privacy Notice”) explains how information is collected and used by Chronicle SOAR and our parent company, Google (“Google”). We offer the Services either directly or via our authorized partners including but not limited to Managed Security Services Providers (“MSSPs”), resellers, distributors or other similar representatives. Where we refer to our customers in this notice, we also mean our partners, MSSPs, resellers, distributors or other similar Chronicle SOAR representatives and their customers. Where we refer to “Google” in this notice, we mean Google, LLC, our parent company.

We are committed to protecting and respecting data privacy. Please read this Privacy Notice carefully.

  1. INFORMATION WE COLLECT

    1. We process Customer Data and Service Data in order to provide the Services. This Privacy Notice applies solely to Service Data and does not apply to Customer Data. Customer Data (as well as any capitalized terms not defined herein) are defined and governed by our agreement(s) covering the Services; such Customer Data represents the data that you and our customers provide to Chronicle SOAR for processing in the Services. For more information about how we process Customer Data, see our Data Processing Addendum.

      Service Data is the personal information we collect or generate during the provision and administration of the Services excluding any Customer Data. Service Data includes:

      • When you engage us to use our Service or sign-up to the Service. We collect and process your contact information and billing information when you engage us to use our Service(s) or sign-up to the Service(s). If you are a representative of a business that wishes to use, or is already using, our Service(s), we will collect your contact information such as full name, email address, and information relating to the potential or existing engagement between us and that business.
      • Payments and transactions. We collect reasonable business records of charges, payments such as credit card or bank account information, and billing details and issues.
      • When the Service monitors a business’ IT Systems. When the Service operates and monitors a Business’s IT systems, it collects and processes Output Data and other security-related data that may incidentally include personal data associated with security events.
      • Settings and configurations. We collect your configuration and settings, including resource identifiers and attributes. This includes service and security settings for data and other resources.
      • Technical and operational details of your usage of the Services. We collect Performance Information and other information about usage, operational status, software errors and crash reports, authentication credentials, quality and performance metrics, and other technical details necessary for us to operate and maintain the Services. This information may include device identifiers, identifiers from cookies or tokens, and IP addresses.
      • When you visit the Website. We also collect analytics information about your use of the Website. When you visit the Website, we collect certain information about your interaction with the Website, including device identifiers, identifiers from cookies or tokens, the IP address from which you access the Services, time and date of access, type of browser used, language used, links clicked, and actions taken while using the Website or Service.
      • Your direct communications. We collect records of your communications and interactions with us and our partners, for example, when you send us an inquiry, sign-up to one of our webinars or workshops, register to receive updates from us, provide feedback or contact information, ask questions or seek technical support.

  2. WHY WE PROCESS YOUR DATA

    1. Chronicle SOAR processes Service Data for the following purposes:

      • Provide the Services you request. Service Data is primarily used to deliver the Services that you and our customers request. This includes a number of processing activities that are necessary to provide the Services, including processing to bill for services usage, to ensure services are working as intended, to detect and avoid outages or other problems you might experience, and to secure your data, the services you use, respond to your inquiry, sign you up to our webinars or workshops, or sign you up to our mailing list to receive updates about our Service and related developments.
      • Make recommendations to optimize use of the Services. We may process Service Data to provide you and our customers with recommendations and tips. These suggestions may include ways to better secure your account or data, options to reduce service charges or improve performance, and information about new or related products and features. We may also evaluate your response to our recommendations.
      • Maintain and improve the Services. We evaluate Service Data to help us improve the performance and functionality of the Services and Website. As we optimize the Services for you, this may improve them for our customers and vice versa.
      • Provide and improve other services you request. We may use Service Data to deliver and improve other services that you and our customers request, including Chronicle SOAR, Google or third-party services that are enabled via the Services, administrative consoles, APIs, or the Chronicle SOAR Marketplace.
      • Assist you. We use Service Data when needed to provide technical support and professional services as requested by you and our customers, and to assess whether we have met your needs. We also use Service Data to improve our online support, and to communicate with you and our customers. This includes notifications about updates to the Services, and responding to support requests.
      • Protect you, our users, the public, Chronicle SOAR and Google. We use Service Data to improve the safety and reliability of our services. This includes detecting, preventing, and responding to fraud, abuse, security risks, and technical issues that could harm our users, our customers, the public, Chronicle SOAR or Google. These activities are an important part of our commitment to secure our services.
      • Comply with legal obligations. We may need to process Service Data to comply with Chronicle SOAR and Google’s legal obligations, for example, where we’re responding to a legal process or an enforceable governmental request, or to meet our financial record-keeping obligations.
      • Other purposes with your consent. We may ask for your consent to process information for other purposes not covered in this Privacy Notice. You have the right to withdraw your consent at any time.

      To achieve these purposes, we may use Service Data together with information we collect from other Chronicle SOAR or Google products and services. We may use algorithms to recognize patterns in Service Data. Manual collection and review of Service Data may also occur, such as when you interact directly with our billing or support teams. We may aggregate and anonymize Service Data to eliminate personal details, and we may use Service Data for internal reporting and analysis of applicable product and business operations.

  3. HOW WE SHARE DATA

    1. We do not share Service Data with companies, organizations, or individuals outside of Chronicle SOAR or Google except in the following cases:

      • With your consent. We will share Service Data outside of Chronicle SOAR or Google when we have your consent. For example, when you or our customer chooses to procure a third-party service through the Chronicle SOAR Marketplace or use a third-party application that requests access to your information, we’ll seek permission to share information with that third party.
      • With your administrators and authorized resellers: When you use the Services, your administrator and resellers authorized to manage your or your organization’s account will have access to certain Service Data. For example, they may be able to:
        • View account and billing information, activity and statistics.
        • Change your account password.
        • Suspend or terminate your account access.
        • Access your account information in order to satisfy applicable law, regulation, legal process, or enforceable governmental request.
        • Restrict your ability to delete or edit your information or your privacy settings.
      • For external processing. We provide information to our affiliates, partners and other trusted businesses or persons to process it for us, based on our instructions and in compliance with this Privacy Notice and other appropriate confidentiality and security measures.
      • For legal reasons. We may share Service Data outside of Chronicle SOAR or Google if we have a good-faith belief that access to, or use, preservation, or disclosure of the information is reasonably necessary to:
        • Comply with applicable law, regulation, legal process, or enforceable governmental request.
        • Enforce applicable agreements, including investigation of potential violations.
        • Detect, prevent, or otherwise address fraud, security, or technical issues.
        • Protect against harm to the rights, property or safety of Chronicle SOAR, Google, our customers, users, and the public as required or permitted by law.

      If Chronicle SOAR or Google is involved in a reorganization, merger, acquisition, or sale of assets, we will continue to ensure the confidentiality of your personal information and give affected users notice before personal information becomes subject to a different privacy notice.

  4. HOW WE SECURE YOUR DATA

    1. We implement measures to reduce the risks of damage, loss of information, and unauthorized access or use of information. However, these measures do not provide absolute information security. Therefore, although efforts are made to secure personal information, it is not guaranteed, and you cannot expect that the Website or Service will be immune from information security risks.

  5. DELETION AND RETENTION OF DATA

    1. We generally retain your information for the duration needed to support our ordinary business activities in providing the Service and Website to you and your business:

      We will retain Service Data for the duration needed to support our ordinary business activities in providing the Service to you and your business. We will delete this information after it is no longer needed for ordinary business activities or after a longer period of time if business and legal requirements oblige us to retain information for specific purposes for an extended period of time.

  6. WHERE DATA IS STORED

    1. Service Data may be stored and maintained by us and our authorized affiliates and service providers in the United States or Germany. Data protection laws vary among countries, with some providing more protection than others. Service Data may be processed on servers located outside of the country where our users and customers are located because Service Data is typically processed by centralized or regionalized operations like billing, support, and security. Regardless of where your Data is processed, we apply the same protections described in this Privacy Notice.

      When transferring Service Data outside of the European Economic Area, we comply with certain legal frameworks as described below.

      1. The European Commission has determined that certain countries outside of the European Economic Area (EEA) adequately protect personal data. You can review current European Commission adequacy decisions here. (To transfer data from the EEA to other countries, such as the United States, we comply with legal frameworks that establish an equivalent level of protection with EU law.)
      2. Standard contract clauses. The European Commission has approved the use of standard contract clauses as a means of ensuring adequate protection when transferring data outside of the EEA. By incorporating standard contract clauses into a contract established between the parties transferring data, personal data is considered protected when transferred outside the EEA or the UK to countries which are not covered by an adequacy decision.

      We rely on these standard contract clauses for data transfers.

  7. ADDITIONAL INFORMATION FOR INDIVIDUALS IN THE EU

    1. If European Union (EU), UK or Swiss data protection law applies to the processing of information about you, you have certain rights, including the rights to access, correct, delete and export your information, as well as to object to or request that we restrict processing of your information.

      For users based in the European Economic Area, UK or Switzerland, the data controller responsible for Service Data is CyArx Technologies Ltd. However, where our customer has entered into an agreement covering the Services with a different Chronicle SOAR affiliate, that affiliate will be the data controller responsible for processing Service Data in connection with billing for the Services only.

      If you want to exercise your data protection rights with regard to information we process in accordance with this Privacy Notice and are not able to do so via the tools available to you or your organization’s administrator, you can always contact Chronicle SOAR at Chronicle SOAR-gtm@google.com. And you can contact your local data protection authority if you have concerns regarding your rights under local law.

      In addition to the purposes and grounds described in this Privacy Notice, we may process information on the following legal grounds:

      • Where necessary for the performance of a contract with you. We may process your information where necessary for us to enter into a contract with you or to comply with our contractual commitments to you.
      • When we are complying with legal obligations. We’ll process your information when we have a legal obligation to do so.
      • When we are pursuing legitimate interests. We may process Service Data based on our legitimate interests and those of third parties while applying appropriate safeguards that protect your privacy. This means that we process your information in the interests of providing the Services you request; making recommendations to optimize use of the Services; maintaining and improving the Services; providing and improving other services you request; assisting you; and protecting against harm to the rights, property or safety of Chronicle SOAR, Google, our users, our customers, and the public, as required or permitted by law.

  8. CALIFORNIA REQUIREMENTS

    1. The California Consumer Privacy Act (CCPA) requires specific disclosures for California residents.

      This Privacy Notice is designed to help you understand how we handle your information:

      We explain the categories of information we collect and the sources of that information in Section 1. INFORMATION WE COLLECT (above).

      We explain how we use information in Section 2. WHY WE PROCESS YOUR DATA (above).

      We explain when we may share information in Section 3. HOW WE SHARE DATA (above). Chronicle SOAR does not sell your personal information.

      The CCPA also provides the right to request information about how Chronicle SOAR collects, uses, and discloses your personal information. And it gives you the right to access your information and request that Chronicle SOAR delete that information. Finally, the CCPA provides the right to not be discriminated against for exercising your privacy rights.

      We provide the information and tools described in this Notice so you can exercise these rights. When you use them, we will validate your request by verifying your identity (for example, by confirming that you are signed in to your Chronicle SOAR Account). If you have questions or requests related to your rights under the CCPA, you (or your authorized agent) can also contact Chronicle SOAR at Chronicle SOAR-gtm@google.com.

      The CCPA requires a description of data practices using specific categories. This table uses these categories to organize the information in this Privacy Notice.


      Categories of personal information we collect

      Service Data is the personal information Chronicle SOAR collects or generates during the provision and administration of the Service excluding any Customer Data.

      Service Data includes:

      Identifiers such as your name, phone number, and address, as well as unique identifiers tied to the browser, application, or device you’re using.

      Demographic information, such as your preferred language.

      Commercial information such as records of charges, payments, and billing details and issues.

      Internet, network, and other activity information such as device identifiers, identifiers from cookies or tokens, IP addresses, and information about usage, operational status, software errors and crash reports, authentication credentials, quality and performance metrics, and other technical details necessary for us to operate and maintain the Services and related software.

      Geolocation data, such as the country you are in, as may be determined by GPS or IP address, depending in part on your device and account settings.

      Audio, electronic, visual and similar information, such as audio recordings of your calls with our technical support providers.

      Inferences drawn from the above, like aggregated performance metrics for a new product feature to determine product strategy.

      Business purposes for which information may be used or disclosed

      Chronicle SOAR processes Service Data for the following purposes:

      Protecting against security threats, abuse, and illegal activity. Chronicle SOAR uses and may disclose Service Data to detect, prevent and respond to security incidents, and for protecting against other malicious, deceptive, fraudulent, or illegal activity. For example, to protect our services, Chronicle SOAR may receive or disclose information about IP addresses that malicious actors have compromised.

      Auditing and measurement. Chronicle SOAR uses Service Data for analytics and measurement to understand how our services are used, and to provide you and our customers with recommendations and tips.

      Maintaining our services. Chronicle SOAR uses Service Data to provide the Services, technical support, and other services you request, and ensure they are working as intended, for example by tracking outages or troubleshooting bugs and other issues that you report to us.

      Product development. Chronicle SOAR uses Service Data to improve the Services and other services you request, and to develop new features and technologies that benefit our users and customers.

      Use of service providers. Chronicle SOAR shares Service Data with service providers to perform services on our behalf, in compliance with this Privacy Notice and other appropriate confidentiality and security measures. For example, we may rely on service providers to help provide technical support.

      Legal reasons. Chronicle SOAR also uses Service Data to satisfy applicable laws or regulations, and discloses information in response to legal process or enforceable government requests, including to law enforcement.

      Parties with whom information may be shared

      We do not share Service Data with companies, organizations, or individuals outside of Chronicle SOAR or Google except in the following cases:

      With your consent. We’ll share Service Data outside of Chronicle SOAR or Google when we have your consent. For example, when you or our customer chooses to use a third-party application that requests access to your information, we’ll seek permission to share information with that third party.

      With your administrators and authorized resellers. When you use the Services, your administrator and resellers authorized to manage your or your organization’s account will have access to certain Service Data. For example, they may be able to:

        • View account and billing information, activity and statistics.
        • Change your account password.
        • Suspend or terminate your account access.
        • Access your account information in order to satisfy applicable law, regulation, legal process, or enforceable governmental request.
        • Restrict your ability to delete or edit your information or your privacy settings.

      For external processing. We provide information to our affiliates, partners and other trusted businesses or persons to process it for us, based on our instructions and in compliance with this Privacy Notice and other appropriate confidentiality and security measures.

      For legal reasons. We may share Service Data outside of Chronicle SOAR if we have a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to:

      • Comply with applicable law, regulation, legal process, or enforceable governmental request.
      • Enforce applicable agreements, including investigation of potential violations.
      • Detect, prevent, or otherwise address fraud, security, or technical issues.
      • Protect against harm to the rights, property or safety of Chronicle SOAR, Google, our customers, users, and the public as required or permitted by law.

  9. UPDATES TO THIS NOTICE

    1. We may update this Privacy Notice from time to time. We will not make any significant changes without notifying you in advance by posting a prominent notice on this page describing the changes or by sending you a direct communication. We encourage you to regularly review this Privacy Notice, and we will always indicate the date the last changes were published.

      Previous Versions of the Policy Notice from January 4, 2022.