Effective as of February 28, 2022
For our Data Processing Addendum (DPA), please click here.
In providing cyber security services (“Services”), Kasada collects, uses and discloses personal information as Kasada performs Services for its customers. We also collect, use and disclose personal information when a visitor accesses our Websites. In all cases, Kasada adopts the approach of collecting as little personal information as possible to minimize the risks to customers, users and Website visitors.
We handle personal information that we collect in accordance with the Australian Privacy Principles (APP) under the Privacy Act 1988 (Cth) (“Australian Privacy Act”) and comply with the Australian Spam Act 2003 (Cth) which regulates the sending of emails for marketing purposes.
We also make available and post a separate “Data Collection Notice” that is compliant with the Australian Privacy Act at https://www.kasada.io/data-collection-notice/.
In addition, we comply with other international data privacy standards such as the European Union’s General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”).
- Privacy policies should be human readable and easy to find.
- We believe that data collection, storage, and processing should be simplified as much as possible to enhance security, ensure consistency, and make our practices easy for users to understand.
- Data collection practices should always meet the reasonable expectations of users.
- We only collect the least amount of personal data and information possible.
- We comply with key data protection laws and privacy standards such as the Australian Privacy Principles (APP) under the Australian Privacy Act, GDPR and CCPA.
- We do not sell your personal data or information.
- Any personal data or information we collect is protected using best practice security measures.
3.1 Who We Are
3.2 What We Do
Kasada provides Services to our customers that defend web, mobile, and API channels against automated threats. Our Services help ensure only human traffic can make it to our customers’ infrastructure, protecting them from a wide range of adverse effects from malicious automation.
Kasada is committed to respecting your privacy. In providing cyber security Services, we collect, use, store and disclose personal information.
3.4 The Types of Personal Information We Collect and How We Use It
We collect any personal information that you give us.
For example, we collect personal information about you when you:
- sign up or register via our contact or other forms on our Websites;
- provide details for an account in order to access the Support Portal or when you request technical support;
- participate in any interactive features on our Website;
- fill out a form;
- give us feedback, ideas or submissions about any of our Services;
- communicate with us via third party social media sites;
- register for white papers, web seminars, and other events hosted by us; or
- otherwise communicate with us via the Websites, through the Support Portal, or any other means.
We only collect the personal information that we reasonably need to run our business. This information allows us to identify who an individual is for the purposes of our business, share personal information when asked of us, contact the individual in the ordinary course of business and transact with individuals. You can interact with us anonymously if it is practical and lawful under the circumstances.
Also, you can change your data collection settings on our Website and opt-out from any permissions or consents you previously gave us by using the opt-out facilities provided in our communications (e.g. an unsubscribe link) or by sending a request to us at firstname.lastname@example.org. Provided we can verify your identity and if no other lawful basis for our continued processing or data collection exists, we will promptly modify our data collection practices to conform to the very latest consent you give us.
The table below describes the kinds of personal information that we typically collect.
|Category Of Personal Information
|Examples of The Kinds of Personal Information in This Category
|Information about our customer users, including general geographic location, date of birth, nationality, details of licenses and registrations, associations, employment details and other information that allows us to identify who individuals are.
|Email address, telephone and fax number, residential, business and postal address and other information that allows us to contact an individual.
|Communications with individuals
|Emails, letters, documents, records of conversations with individuals and other instructions or correspondence that individuals direct to us.
|Device ID, device type, geolocation information, computer and connection information, statistics on page views, traffic to and from the Kasada Websites, IP addresses and standard web log information.
|Details of products and services provided to visitors, including any additional information necessary to deliver those products and services and respond to enquiries.
|Website usage information
|Any additional information relating to visitors provided directly through our Website or indirectly through use of the Website, online presence or through other websites or accounts from which you permit Kasada to collect information.
We do not generally collect financial, health, medical and other sensitive information about individuals including special categories of personal data defined under Article 9 of GDPR (e.g. data about racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation).
3.5 How We Collect Personal Information
We mainly collect personal information directly from individuals that use and access our Website or our customers’ websites. For example, we collect personal information directly when individuals:
- access our customers’ websites;
- use, access or register on our Website;
- communicate with us through correspondence, chats, email, or when you share information with us from other social media applications, services or websites; or
- interact with our Websites, Services, content and advertising.
Sometimes we need to collect personal information from other sources such as public records, mailing lists, our contractors and staff, and our business partners. For example, when individuals apply for a job or position with Kasada, we may collect certain information from recruiters, previous employers and others who may be able to provide information to assist in decisions regarding employment or contracting.
3.6 How We Use and Share Personal Information
We use and share personal information in order to provide our Services, and to support the provision of our Services (including through the Support Portal), for example, by:
- operating our Services and products;
- enabling individuals to access and use our Website;
- operating, protecting, improving, optimising and supporting the Kasada Websites, and our products, Services, business and our users’ experience (such as by performing analytics and conducting research);
- sending marketing and promotional messages and other information which you have agreed to receive and that may be of interest to you;
- complying with our legal obligations, resolving disputes, and enforcing our agreements with third parties including our customers; and
- considering employment applications.
In addition, we may share personal information with your consent or at your direction, including if we notify you through any of our Websites or Services that the information you provide will be shared in a particular manner, and you choose to provide such information.
As part of our global business operations, we may share personal information between our group companies, affiliates and related entities in Australia, the United States, the United Kingdom and other geographic locations.
3.7 Why We Process Personal Information
By processing personal information for our Services and our business that underpins them, we help our customers to pursue their legitimate interests related to fraud defence and application security. We also process personal information for our own legitimate interests in maintaining our business relationships with our customers and with our Website visitors.
3.8 Automated Decision-Making
When processing personal information for our Services, we process collected data using automated decision-making tools. We collect and inspect device information from our customers’ website users to identify and block malicious bots. You have the right to object to how we process your personal information – see “Getting in Touch with Us” below.
3.9 Direct Marketing
We use personal information to send direct marketing communications and information about our products and services. These marketing activities may take the form of emails, SMS, mail or other forms of communication.
You can opt-out of receiving marketing materials by using the opt-out facilities provided in our communications (e.g. an unsubscribe link) or by sending a request to email@example.com.
3.10 Sharing Personal Information with Third Parties
We use services provided by third parties, and we may share your personal information with those third parties where necessary in order to provide our Services to you and to manage our business including our Website. Before we do this, we always take reasonable steps (including entering into data processing agreements with our service providers and sub-processors) to ensure that privacy and security practices of these third parties meet our standards and all applicable laws.
Sometimes we may need to transfer personal information outside of Australia and/or the United States, including to our servers and to third party service providers located in the UK, Germany, Singapore or other geographic locations. Before we disclose your personal information to a third party outside the country where you live, we take reasonable steps to make sure that the overseas recipient will handle the personal information in accordance with all applicable privacy laws.
We may also transfer personal information we have about you in the event we sell or transfer all or a portion of our business or assets (including in the event of a reorganization, spin-off, dissolution or liquidation).
We do not sell your personal information.
3.11 How We Protect Personal Information
Kasada may store personal information in electronic and/or hard copy form.
We take reasonable steps to ensure the security of the personal information we handle, and to ensure that the information is protected from misuse and loss, and from unauthorised access, modification or disclosure.
Kasada maintains information security policies, procedures, and controls governing the processing, storage, transmission, and security of personal information processed by our Websites and Services. Kasada has also implemented and will maintain appropriate technical security measures, internal controls, and information security routines designed to protect personal information processed by our Websites and Services against unauthorized access, acquisition, use, disclosure, or destruction. We and our subprocessors have further implemented and will maintain appropriate physical security measures designed to protect the tangible items that comprise our physical computer systems and networks that store and process personal information through our Website and Services, including our servers and devices. Kasada has additionally implemented and will maintain appropriate organizational security measures designed to protect personal information processed by our Websites and Services against unauthorized access, acquisition, use, disclosure, or destruction.
We inform our employees about relevant security procedures and their respective roles, including an annual mandatory training that addresses such employees’ rights to access personal information (if any), and informing our employees of their obligations and the consequences of violating such obligations.
Some of the specific measures we have adopted to secure personal information include:
- holding personal information in secure databases and spreadsheets which can be accessed only by authorised personnel and in paper files which are stored in locked cabinets;
- when practical, encrypting data when it is in transit and at rest to a standard which is appropriate under the circumstances;
- reviewing the privacy and security practices of the third parties with whom we share data;
- only sharing personal information with third parties if it is necessary in the course of our business, and in a manner compliant with applicable laws.
3.12 Links to Third-Party Sites
3.13 Using the Kasada Website and Cookies
Kasada may collect personal information about visitors using and accessing this Website.
While Kasada does not use browsing information to identify visitors personally, we may record certain information about your use of this Website, such as which pages you visit, the time and date of your visit and the internet protocol (IP) address assigned to your computer.
Kasada may also use “cookies” or other similar tracking technologies on this website that help track website usage and remember visitor preferences. You can disable cookies through your internet browser but Kasada Websites may not work as intended for you if you do so.
Cookies are pieces of information that are stored by your browser on the hard drive or memory of your computer or other Internet access devices. Cookies may enable us to personalize your experience on the Website, maintain a persistent session, passively collect demographic information about your computer, and monitor advertisements and other activities. The Websites may use different kinds of cookies and other types of local storage (such as browser-based or plugin-based local storage). For further information, visit allaboutcookies.org.
4. CCPA Practices
These additional disclosures for California consumers apply only to individuals who reside in California. The California Consumer Privacy Act of 2018 (“CCPA”) provides additional rights to know, delete and opt out, and requires businesses collecting or disclosing “personal information” to provide notice of the rights California residents have and can exercise.
California Notice of Collection. Within the last twelve (12) months, we have collected personal information as a “Service Provider” corresponding to the following categories of information enumerated in the CCPA.
- Identifiers including your IP address
- For users of the Support Portal, Identifiers, including name, address, email address, account name, and an ID number assigned to your account.
- Analytics and Advertising, including engagements with our Website and Services.
- Internet activity, including history of visiting and interacting with our Website and Services, browser type, browser language and other information collected automatically.
- Geolocation data, including location enabled services such as WiFi and GPS.
For more information on what we collect, please review Section 3.4 above (“The Types of Personal Information We Collect and How We Use It”). We collect and use these categories of personal information for the business purposes described in Section 3.6 above (“How We Use and Share Personal Information”).
We do not sell information as the term “sell” is traditionally understood. However, to the extent “sale” under the CCPA is interpreted to include advertising technology activities such as those disclosed in Section 3.9 entitled “Direct Marketing” and Section 3.10 entitled “Sharing Personal Information with Third Parties”, we will comply with applicable law as to such activities.
Kasada discloses the following categories of personal information for commercial purposes to its service providers and partners:
- Commercial Information
- User Records
- Demographic Data
- Location Data
- Internet activity
We use and partner with different types of entities to assist with our daily operations and manage the Website and the Services (including the Kasada Support Portal). Please review Sections 3.6, 3.10 and 3.12 above for more detail about the parties with whom we share information.
Right to Know and Delete. If you are a California resident, you have the right to know certain information about our data practices in the preceding 12 months. In particular, you have the right to request the following from us:
- The categories of personal information we have collected about you;
- The categories of sources from which the personal information was collected;
- The categories of personal information about you that we disclosed for a business purpose or sold;
- The categories of third parties to whom the personal information was disclosed for a business purpose or sold;
- The business or commercial purpose for collecting or selling the personal information; and
- The specific pieces of personal information we have collected about you.
In addition, you have the right to delete the personal information we have collected from you. However, this is not an absolute right and we may have legal grounds for keeping such data.
To exercise any of these rights, please submit a request to firstname.lastname@example.org. In the request, please specify which right you are seeking to exercise and the scope of the request. We will confirm receipt of your request within 10 days. We may require specific information from you to help us verify your identity and process your request. If we are unable to verify your identity, we may deny your requests to know or delete.
We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Authorized Agent. You can designate an authorized agent to submit requests on your behalf. However, we will require written proof of the agent’s permission to do so and verify your identity directly.
Right to Non-Discrimination. You have the right to non-discriminatory treatment by Kasada should you exercise any of your rights.
5. GDPR Practices
Data Sub-processor. If you are a Kasada Website or Services customer, Kasada and certain third party service providers act as your data processors. Kasada primarily processes and stores your personal data on servers located and operated within Australia, the European Union and the United States. If you reside or are located outside of the U.S., we may transfer your personal data to, and store it in, systems located in the United States in order to provide and operate our Services platform. If your personal data that is being processed by Kasada is subject to GDPR, we shall maintain appropriate safeguards and an adequate level of protection of the personal data transferred outside the EEA, either by us or our third party service providers. We comply with the data processing and international data transfer requirements of GDPR, and in particular we enter into data processing addenda (DPA) with our customers and sub-processors that include the latest Standard Contractual Clauses approved by the European Commission.
Under Article 6 of GDPR, the lawful bases we typically apply to the processing of personal data are specified in i) Article 6(1)(a) (where we process personal data with the consent of the data subject); ii) Article 6(1)(b) (pursuant to a contract with a third party, including with our customers); or iii) Article 6(1)(f) (where the processing is necessary for the purposes of the legitimate interests pursued by our customers, who are the controllers, or by a third party).
Data Controller. In limited circumstances, where Kasada processes your personal data as a data controller, you are entitled to exercise certain privacy rights under specific circumstances. These rights include:
- Right of access
- Right to rectification
- Right to erasure (e.g. the right to be forgotten)
- Right of restriction of processing
- Right to data portability
- Right to object
- Automated individual decision-making, including profiling
If you make a request, we have one month to respond to you. If you wish to exercise any of your privacy rights under GDPR, or if you need further information regarding those privacy rights, please contact us at email@example.com.
Or write to us: 333 George Street, Level 13, Sydney, NSW 2000, Australia.
6. Getting in Touch with Us
You can contact us to:
- ask us for a copy of your personal information (we may charge a reasonable fee for access to your personal information);
- ask us to update or correct your personal information free of charge;
- make a complaint about how we have handled your personal information;
- exercise any of your rights under applicable laws like CCPA or GDPR.
In some cases, you can also ask us to delete your personal information, ask us not to restrict how we process your personal information, or object to how we process your personal information.
We will handle all requests in accordance with the privacy laws that apply to your personal information.
To make a request or a privacy complaint, you can contact our Privacy Officer at firstname.lastname@example.org.
If you make a request or a privacy complaint, we will try to resolve the matter as quickly as we can, and we will keep you informed throughout the process. If you aren’t satisfied with the way we handle your personal information, you can make a complaint to the relevant authority:
Kasada’s Privacy Officer is responsible for the administration of this Policy. You can contact the Kasada Privacy Officer at email@example.com, or by post, at 333 George Street, Level 13, Sydney, NSW 2000, Australia.
Our designated Representative in the European Union (EU) under Article 27 of GDPR is: Rickert Rechtsanwaltsgesellschaft mbH – Kasada -, Colmantstraße 15, 53115 Bonn, Germany. Email: firstname.lastname@example.org.