Opal is a next generation access management orchestration platform (“platform”) that enables customers to gain comprehensive visibility around access across the enterprise, orchestrate just-in-time access, design intelligent access policies, and automate user access reviews.
Customers can choose to deploy our platform on a Opal-hosted cloud, which is built on top of AWS, or can self-host (using Opal license) on-premise or on a customer’s virtual machine, an existing Kubernetes cluster, or on an AWS Application Load Balancer (ALB). This statement specifically applies to the use of Opal’s platform by our customers; and does not apply to any information Opal collects and processes through our customer’s use of our website, or that we may process for providing our customers with information about our products and services. Please visit the Privacy Policy for Opal for additional details.
We firmly believe that your data as a customer of ours belongs to you, and that protecting it is our shared responsibility since we are exposed to it by virtue of our operations. We understand that we may be subject to the privacy laws and regulations of the jurisdictions where our customers operate. Therefore, we are committed to maintaining the privacy and security of all personal information entrusted to us through our service in accordance with applicable laws and regulations and industry best practices, including the General Data Protection Regulation (GDPR) and California Consumer Protection Act (CCPA).
We’re committed to being transparent about our privacy and security practices and have developed this Statement to help you understand our approach towards data protection.
We process information that our platform ingests for our customers to leverage our service; and we collect certain information about our customers and their use of our services. We respect our customers’ privacy, which is why we collect and use personal information only for the following purposes:
Opal supports integration of our platform with customers’ identity or group directory providers. By virtue of this integration, our platform ingests personal information passed on to us, such as employee name, email address and associated metadata such as title, Manager’s name, etc. In this situation, the customer acts as the Data Controller since the customer determines the purposes of collection, use and disclosure of such information and therefore is responsible for complying with privacy legislations and regulations that require providing notice, disclosure, and/or obtaining consent. Opal acts as the Data Processor as we act on our customer’s instructions, and our operations in this regard are governed through our agreement with the customer.
We collect certain information about the platform users to establish and maintain a commercial relationship with our customers, to provide ongoing service for the performance of our contract with customers and for our own legitimate interests.
For example:
Opal is committed to helping our customers along their journey to privacy compliance. However, it is important to recognize that compliance is a shared responsibility and the path to compliance requires a shared understanding and common culture around privacy.The following section provides insight into Opal’s data management practices, as well as information our customers need to manage, protect and control their data.
Most privacy regulations provide individuals the right to access the data provided to and processed by the controller for purposes including deletion, rectification, transfer to another controller, etc. Customer data that Opal houses on the cloud platform on behalf of our customers is owned by the customers as Data Controllers. Our customers also maintain access control to their data, which means, as data controllers, they can respond to and act on requests from their data subjects (i.e. their platform users) as follows:
Our customers cannot opt out of receiving transactional emails related to their account or subscription with us. As applicable and feasible, Opal will provide support in fulfilling these requests where it relates to its transmission across our platform. For additional information on available rights, customers can visit the Privacy Policy for Opal or email us at hello@opal.dev.
We work with our customers to ensure that the privacy regulatory obligations are included in the contractual commitments through appropriate Data Processing Agreements (DPAs), including the use and management of sub-processors, timely security support and breach notifications in accordance with the relevant requirements.
For our cloud offering, we purge all data from our sBystems, including any event logs, when the customer contract is terminated in accordance with our contractual obligations. For on-premise offering, our customers have full control over their data retention policies; however our platform sets a default retention up to 10MB for application logs.
Opal’s platform is a Software-as-a-Service (SaaS) cloud-based system, with primary components built on top of AWS infrastructure, which is hosted in the United States. For transmission of customer data through the AWS infrastructure, we may either accept our customer’s DPA, if they wish to employ it for entering into an agreement with us; or our customers may also make use of Opal’s DPA that incorporates the most recent European Commission-approved Standard Contractual Clauses (SCCs) for enabling international transfers from EEA to the United States.
We use the following sub-processors to process customer data on behalf of our customers and to assist Opal with respect to the provision of the applicable service under the Opal Master Subscription Agreement:
This information can also be found on our website at Subprocessor (opal.dev).
Any customer data transferred to our sub-processors is subject to equal enforcement of the terms of the DPA we sign with our customers that guarantees their ability to implement the technical and organizational requirements of the application privacy regulations, including the GDPR.
We will notify our customers of any changes to the above list of sub-processors, and will provide an opportunity for customers to object to Opal’s appointment of a new Subprocessor based on reasonable data protection concerns.
In the unlikely event that we may be legally obligated to provide personal information to law enforcement or other government agencies in order to meet our legal and regulatory requirements (for example, if Opal is required to provide records to law enforcement in response to a valid court order), our DPAs require us to inform our customers of such third-party access requests to their data. However, Opal is of the view that the type of data stored across our infrastructure is not highly sensitive, and is mostly limited to basic account/employment and business contact-related information, which may not be of interest to law enforcement or other government agencies.
Data privacy and data security are two equally important parts of a comprehensive data protection strategy. Opal employs rigorous technical and administrative safeguards to ensure our service aligns with industry standards, such as the following:
Amazon Web Services
Hosting and cloud infrastructure
USA
Auth0
Developer user identity platform
USA
SendGrid
Email notifications
USA
If you have any questions about this Statement, the ways in which we collect and use your personal information, your choices and rights regarding such use, our privacy practices, or for complaints please contact us at security@opal.dev.