Our Commitment to Data Protection

Background

Product Overview and Scope

Opal is a next-generation access management orchestration platform (“platform”) that enables customers to gain comprehensive visibility around access across the enterprise, orchestrate just-in-time access, design intelligent access policies, and automate user access reviews.

Customers can choose to deploy our platform on an Opal-hosted cloud, which is built on top of AWS, or can self-host (using an Opal license) on-premise or on a customer’s virtual machine, an existing Kubernetes cluster, or on an AWS Application Load Balancer (ALB). This statement specifically applies to the use of Opal’s platform by our customers. It does not apply to any information Opal collects and processes through our customers’ use of our website, or that we may process for providing our customers with information about our products and services. Please visit the Privacy Policy for Opal for additional details.

Purpose of this statement

We firmly believe that your data as a customer of ours belongs to you, and that protecting it is our shared responsibility since we are exposed to it by virtue of our operations. We understand that we may be subject to the privacy laws and regulations of the jurisdictions where our customers operate. Therefore, we are committed to maintaining the privacy and security of all personal information entrusted to us through our service in accordance with applicable laws and regulations and industry best practices, including the General Data Protection Regulation (GDPR) and California Consumer Protection Act (CCPA).

We’re committed to being transparent about our privacy and security practices and have developed this Statement to help you understand our approach towards data protection. 

Overview of the personal data we collect and process

We process information that our platform ingests for our customers to leverage our service; and we collect certain information about our customers and their use of our services. We respect our customers’ privacy, which is why we collect and use personal information only for the following purposes:

1. Information we process on your behalf to use our service

Opal supports integration of our platform with customers’ identity or group directory providers. By virtue of this integration, our platform ingests personal information passed on to us, such as employee name, email address and associated metadata such as title, Manager’s name, etc. In this situation, the customer acts as the Data Controller since the customer determines the purposes of collection, use and disclosure of such information and therefore is responsible for complying with privacy legislations and regulations that require providing notice, disclosure, and/or obtaining consent. Opal acts as the Data Processor as we act on our customer’s instructions, and our operations in this regard are governed through our agreement with the customer.

2. Information about platform users

We collect certain information about the platform users to establish and maintain a commercial relationship with our customers, to provide ongoing service for the performance of our contract with customers and for our own legitimate interests.

For example:

  • Registration data: When customers sign up for our service as an administrator for their account using app.opal.dev, we collect some basic account information such as name and email address to set up their account on our platform.
  • Payment/billing data: We collect payment/billing information from our customers when they register for our paid service to process their purchase and payments. For example, we may ask customers to provide a billing address, or a billing contact for their account. 
  • Technical support: We may record communications that we receive from your technical users over email and Slack channels to provide them with support and to respond to their inquiries. We may also collect some personal information to confirm your users’ identity when they contact Opal to verify that someone else is not trying to access their account without authorization.
  • Usage data: We collect usage information (primarily metadata) about our customers’ use of our service, such as usage metrics and screen recordings for debugging or to develop and enhance our service offering. Customers have the capability to disable the screen recording feature within the product.
  • Monitoring data: We collect monitoring and operational data in the form of traffic and event/system logs and exceptions (using AWS CloudWatch, CloudTrail, Sentry and SumoLogic) to monitor our cloud infrastructure and AWS account activity to protect both our customers and our business. Customers have an option to export the events to their S3 bucket or other tools, if they wish to store event/log information.

Our privacy and security compliance

Opal is committed to helping our customers along their journey to privacy compliance. However, it is important to recognize that compliance is a shared responsibility and the path to compliance requires a shared understanding and common culture around privacy. The following section provides insight into Opal’s data management practices, as well as information our customers need to manage, protect and control their data.

Data subject rights

Most privacy regulations provide individuals the right to access the data provided to and processed by the controller for purposes including deletion, rectification, transfer to another controller, etc. Customer data that Opal houses on the cloud platform on behalf of our customers is owned by the customers as Data Controllers. Our customers also maintain access control to their data, which means, as data controllers, they can respond to and act on requests from their data subjects (i.e. their platform users) as follows:

  • Access/correct and/or delete users (upon termination) via their identity or group directory providers, which act as source systems for customer data ingested by Opal.
  • Delete their organization (and subsequently any data within Opal) through the self-serve capability provided on Opal’s settings page of the admin profile.
  • Export users’ profile data through the admin profile.

Our customers cannot opt out of receiving transactional emails related to their account or subscription with us. As applicable and feasible, Opal will provide support in fulfilling these requests where it relates to its transmission across our platform. For additional information on available rights, customers can visit the Privacy Policy for Opal or email us at hello@opal.dev.

Contractual commitments

We work with our customers to ensure that the privacy regulatory obligations are included in the contractual commitments through appropriate Data Processing Agreements (DPAs), including the use and management of sub-processors, timely security support and breach notifications in accordance with the relevant requirements.

Data retention

For our cloud offering, we purge all data from our systems, including any event logs, when the customer contract is terminated in accordance with our contractual obligations. For our on-premise offering, our customers have full control over their data retention policies; however, our platform sets a default retention up to 10MB for application logs.

Sub-processors and international data transfers

Opal’s platform is a Software-as-a-Service (SaaS) cloud-based system, with primary components built on top of AWS infrastructure, which is hosted in the United States. For transmission of customer data through the AWS infrastructure, we may either accept our customer’s DPA, if they wish to employ it for entering into an agreement with us; or our customers may also make use of Opal’s DPA that incorporates the most recent European Commission-approved Standard Contractual Clauses (SCCs) for enabling international transfers from EEA to the United States.

We use the following sub-processors to process customer data on behalf of our customers and to assist Opal with respect to the provision of the applicable service under the Opal Master Subscription Agreement:

Sub-processor Entity | Brief Description | Location of Data Center
Amazon Web Services | Hosting and cloud infrastructure | USA
Auth0 | Developer user identity platform | USA
SendGrid | Email notifications | USA

This information can also be found on our website at Subprocessor (opal.dev).

Any customer data transferred to our sub-processors is subject to equal enforcement of the terms of the DPA we sign with our customers that guarantees their ability to implement the technical and organizational requirements of the applicable privacy regulations, including the GDPR.

We will notify our customers of any changes to the above list of sub-processors, and will provide an opportunity for customers to object to Opal’s appointment of a new sub-processor based on reasonable data protection concerns.

Disclosure requests

In the unlikely event that we may be legally obligated to provide personal information to law enforcement or other government agencies in order to meet our legal and regulatory requirements (for example, if Opal is required to provide records to law enforcement in response to a valid court order), our DPAs require us to inform our customers of such third-party access requests to their data. However, Opal is of the view that the type of data stored across our infrastructure is not highly sensitive, and is mostly limited to basic account/employment and business contact-related information, which may not be of interest to law enforcement or other government agencies.

Security measures

Data privacy and data security are two equally important parts of a comprehensive data protection strategy. Opal employs rigorous technical and administrative safeguards to ensure our service aligns with industry standards, such as the following:

  • General information security program overview: We have established information security policies and procedures and regularly review them to ensure they are up to date. Opal is SOC-2 Type 2 certified. SOC 2 is a widely known information security auditing procedure created by the American Institute of Certified Public Accountants.
  • Personnel security: All team members are required to sign and adhere to an industry standard confidentiality agreement prior to their first day of work. Our team members are required to go through employee security awareness training covering industry standard practices and information security topics such as phishing and password management.
  • Authentication and access control: Access to production data is gated by two-factor authentication and is restricted to a defined group of users. Access is valid for a predetermined period of time, after which access is automatically removed and users are required to re-request access with management approval. In addition, our users may also have event-bound elevated access to provision production access based on on-call rotations, which is automatically revoked when the on-call rotation ends. We undertake user access reviews for systems with longstanding access on a periodic basis.
  • Encryption: All network traffic over public networks to the production infrastructure is sent over TLS 1.2+, or VPN connections. Data stored at rest within our cloud offering, including database backups, is encrypted using AWS Key Management System (KMS).
  • Monitoring and audit logging: Our platform provides capability to set up automated alerts for when customer’s users switch roles, change teams, leave the organization, etc. so that customers can monitor for any risky access. The platform also enables customers to create a searchable audit log for all access change events. In addition, internally, all actions by Opal employees are also logged in the product by Opal and can be attributed to user emails.
  • Backup: We perform daily database backups for our cloud offering, which are encrypted at rest using AWS KMS.
  • Secure software development: All code is tested for security vulnerabilities using 3rd party automated testing tools before releasing into production. Every release to production is also required to be peer-reviewed by an additional developer.
  • Incident or breach response: An intrusion prevention and detection tool is implemented to monitor network traffic to the production environment. We will notify our customers in accordance with our contractual obligations laid out in our DPA, if a security/privacy event impacts their data. An incident response plan is documented that outlines the process of identifying, prioritizing, communicating, assigning, and tracking incidents.
  • Vulnerability management and testing: Opal maintains a vulnerability management program to detect and remediate system vulnerabilities; monthly internal vulnerability scans are undertaken. In addition, Opal performs an independent third-party penetration test at least annually to ensure that the security posture of our services is tested and validated.

Contact

If you have any questions about this Statement, the ways in which we collect and use your personal information, your choices and rights regarding such use, our privacy practices, or for complaints, please contact us at security@opal.dev.