General Provisions
As a rule, Foregenix does not collect or retain personal data except for what data is strictly necessary in order to provide our services in a secure manner. For example, if you are a customer we will most likely request (and store) an email address as your user identifier in our portals and possibly other contact details such as a phone where we can reach you in case of emergency, a billing address for invoices and other similar data. Such data is stored in the most secure way, accessible on a strict need to know basis by authorised personnel for the sole purpose of providing our services. For legal reasons we must retain most such data for relatively long periods, but will never share it with a third party unless required by law, neither use it for any other purpose without your written approval. Please refer to the privacy addenda and consent forms of each service you might use, for additional clauses and provisions that might apply to it.
Access Logs
All our websites record and retain access and error logs for security, accountability and identification of potential issues. A log includes always an Internet Protocol address, the URL that was accessed and the HTTP status code returned by us. Depending on the exact use case the log might include other online identifiers such as usernames, web browser versions, geolocation information. We might produce aggregated results from the logs such as total bandwidth consumed over a given period in order to properly size our infrastructure, or web browser versions used by our visitors for compatibility considerations. We use the logs as input to real-time processing systems which will alert us about security breach attempts and/or other issues with our services. For security and accountability reasons, logs are kept in online, searchable form for a minimum period of 3 months and in archived form for a minimum period of 1 year. Regardless of online status, logs are stored in encrypted form and access to them is possible by authorised personnel only, in a heavily audited and hardened environment. We will never attempt to match the logs to a specific individual, unless instructed by the individual in order to debug and resolve an issue they might be facing while using our website (for example inability to log on). We will never share our raw logs with a third party, unless required by law.
Cookies
All our websites use session cookies and permanent cookies. Session cookies identify visitors within a session, so that users do not have to enter their login details or other similar information (such as having passed the “prove you are not a robot” challenge) with every request. Permanent cookies identify users across sessions, i.e. allowing the server to remember things about you on your next visit. We use cookies to enhance your user experience, to provide you with our services and to obtain analytics which help us improve our website and tailor it to your needs. You can disable cookies but this might have a negative impact on your user experience and some services might not work as expected, or at all. Please see the section “This Website” for a detailed listing of the cookies used by www.foregenix.com and their purpose and expiration.
Data Processor
Foregenix does not engage in personal data processing as the term is defined by the GDPR. However, in many cases we provide our clients with various direct and indirect ways of uploading or storing data to our systems as part of our services and have very very little control over the content that is uploaded. Therefore, it is possible that personal data might find its way into our systems by accident, by deliberate abuse or attached to a client request the fulfilment of which would constitute personal data processing in terms of the GDPR. Should such an incident come in our attention, we shall take action which depending on the exact circumstances might include reporting the incident to the authorities. In any event, we will never process the data.
This website
This website (support.foregenix.com) is our customer support portal and is addressed to Foregenix customers, although some sections such as the Frequently Asked Questions could be of interest to the general public. Our main lawful basis for collecting the data described below is contractual obligation, that is we collect exactly what data we need in order to be able to support our customers.
You can request a machine-readable export of your personal data. You can request a correction to your data. Finally you can request that we delete your personal data, if this data was submitted to us without your knowledge or consent, or by accident. All such requests will be honoured in one working month, subject to you providing us with sufficient proof of evidence.
Types of data collected
When an individual sends an email message to support.foregenix.com, the ticketing system automatically stores their email address and creates a user account with this exact email address as its unique identifier. This is the minimum amount of data that Foregenix Support must have at its disposal for interacting with a customer. In addition, account data might be augmented with the following pieces of personal information, if submitted to us:
- Name
- Company affiliation
- Location (especially timezone)
- Billing address
- Phone number(s) (landline and mobile)
- Alternative contact methods
Every new user of the system consents to (at least) their email being stored and their account being created in the manner specified above, and ascertains that the data submitted to us is theirs or belong to a subject that has consented to the data being submitted to us. Any individual who has sent an email to support@foregenix.com in error, or whose personal details were shared with us without their consent can email us and request that their details are removed from the system. Any existing user of the system can open a ticket with subject “Export my data” and obtain a copy of the personal details that we retain for them in two working days.
Personal data of third parties
Foregenix will never knowingly process personal data on behalf of its customers in terms of the GDPR. However, we have very little control over what our customers send to our ticketing system and the requests that they make, so it is possible that a ticket is opened that includes personal data and a request that, should we fulfil it, would constitute processing in terms of the GDPR. We will refuse to engage in any kind of processing. We will retain the data as evidence and report the incident to the local data protection authority unless we have good reason to believe it was an error done in good faith.
Use of the information
All information is used by Foregenix Support strictly for providing our services. Typically, this involves responding to tickets opened by the customers themselves, but Foregenix might also initiate communication where obliged by contract. For example we will actively notify our customers if we discover their website has been breached.
In addition to such situations where Foregenix has a contractual obligation to initiate communication, Foregenix will occasionally reach out to customers by its own initiative in order to notify them about important service changes, billing issues, contract renewal, changes of policy and security issues that we have good reason to believe might affect them based on our knowledge of their environment. For example, if a critical high impact vulnerability is discovered for a web application platform, we might send an email to all our customers that we know or have good reason to believe are using this platform and urge them to upgrade. This category of Foregenix-initiated communication is considered part of our service.
For legal reasons the ticketing system keeps a detailed record (including contents and header) of every email sent or received, as well as any other non-email based activity pertaining to a ticket such as reopening a ticket from the Web UI. All data within the ticketing system is treated as confidential. It is stored in encrypted form in a hardened environment and is accessible by authorised personnel only, subject to continuous monitoring and confidentiality agreements.
We will never share with a third party any of the data described above, unless required by law.