What personal information does Osano collect and how is it processed?
Our platform processes personal information solely to deliver our services. The applications in our platform process personal information differently but all applications use only the minimum necessary to perform the services and help our customers create a record of the processing.
Osano collects the login credentials for the individuals who are customer authorized users. This is limited to their name, work email, password and telephone number. This information is transferred to the United States if submitted from another country and is necessary to confirm secure access to the customer’s account within our platform, to communicate with the authorized users and provide customer support. This information is deleted if our relationship with the customer terminates or if the customer removes the authorized user from its account.
In order to show a customer’s website visitor the correct cookie banner and to record that visitor’s cookie preferences, Osano collects the visitor’s IP address and the device’s unique identifier. This information is encrypted in transit and at rest and de-identified by Osano in AWS (Dublin, Ireland) as part of the consent records. Because this information is hashed and de-identified, no personal information is stored by Osano and only the customer can reverse the hashing to link the information to an individual. The hashed and de-identified information is stored by Osano in AWS (US). No personal information collected from the EU or the UK is transferred to the US.
With respect to individuals who submit a Data Subject Access Request the only personal information we see is what is required to verify their account with you, such as name, email, IP address, unique identifier, and any other information you choose to be required. Customers may configure the DSAR request form as they wish. Osano uses this information to authenticate the request and this information is transferred and processed in the US.
This information is encrypted in-flight and is stored until the request is validated and completed. Upon completion or rejection of the request, Osano deletes the personal information from your admin application and only retains the assigned unique number used to identify the request within the Osano platform. Because this information is hashed and de-identified, no personal information is stored by Osano and only the customer can reverse the hashing to link the information to an individual. The hashed and de-identified information is stored by Osano in AWS (US).
Data Discovery aims to help customers identify and classify personal information so that the customer may properly respond to DSARs and better understand what data the customer has and where it can be found.
Our Data Discovery application helps customers locate personal information within various integrations used by the customer and suggests classifications of such data. This application searches for pre-identified fields of information that are likely to contain personal information and if found, it will tag the field and suggest a classification for that information. These fields containing personal information are collected by Osano, encrypted in transit and at rest and stored in AWS (Dublin, Ireland). This information is collected when the application syncs with an integration the customer has enabled and pulls a sample of data to help ensure proper classification.
In addition, customers may initiate a user search which will direct the application to search through the customer’s identified integrations and provide any corresponding information back to the customer.
Depending on the data held by a customer, Data Discovery may have access to/process sensitive personal information in order to complete the query. The personal information processed by Data Discovery is used only to deliver the services and is retained for 7 calendar days. Osano does not transfer personal information collected from the EU to the US unless the customer requests support from Osano personnel located in the US. After 7 calendar days, the personal information discovered by Data Discovery is automatically deleted although a customer may manually delete the data at any time.