1. Notice to end users
Our Services are intended for use by organizations (businesses) and are provided on the basis of the Terms. In addition, NordLayer receives information (including some personal data of End Users) from Customers’ while operating the Services. If your organization (e.g., employer or other entity that entered into the agreement with us) provides you with access to our Services (e.g., create an account or connect to the Services by other means), you are identified as an end user (“End User”) and your use of our Services is subject to your organization's policies if any. Please note that in such a case your organization (our Customer) is the data controller of your personal data.
The following information about the End User is provided to us when the Customer uses our Services:
Account information. On behalf of our Customers, we process: End Users’ names, email, professional information (position, represented entity’s information) account registration, login information, subscription information, device information (e.g., device name, IP address, OS, advertising id), application diagnostics, connection timestamps, server the user was connected to, access to shared servers (unless disabled by the Customer). Please note, that NordLayer receives this information as a data processor from the Customer and processes this personal data on behalf of the Customer instruction (which in this case acts as a data controller) and in order to ensure proper Service provision, e.g., to send you important updates and announcements related to the use of our Services.
Device Posture related features. We may process additional data about the End Users’ device (e.g., serial number, unique ID, removal of software restrictions, file path) and NordLayer application version. This data is processed only if the Customer enables device posture related features within the organization or for a specific End User at its own discretion.
When the End Users use NordLayer Services with the account provided by an organization (our Customer), that organization can:
Control and administer the End User’s NordLayer account, including controlling privacy-related settings and/or features.
Access and process the End User’s personal data, such as name (provided during account activation) and email address.
See shared and virtual private gateway connection timestamps, the hostname of the connected device, the server End User has been connected to and the origin IP address that has been connected from.
Control and administer what device data will be gathered with device posture related features.
2.Processing Of Personal Data - Nordlayer As Data Controller
We collect (directly from you, third parties or your interactions, use, and experiences with our Services/Website) and use the information for the following purposes:
Information related to the conclusion and performance of the Agreement
Personal information. In order to conclude and perform a business agreement with the Customer we may process Customer’s representatives’ contact information (full name, telephone number, and/or email address) and professional information (position, represented entity’s information).
Payment related information
Payment data. If you have provided payment information to us, such as basic billing information belonging to a natural person (date of purchase, IP address, postal (ZIP) code, billing address, credit card owner’s full name, and credit card information, its expiration date, subscription details), we will process this information (i) to verify payment’s information and prevent fraudulent payments for the Services; (ii) to collect payments to the extent that doing so is necessary to complete a transaction.
Country details. When making a purchase as a natural individual, we process the information on the country the purchase takes place. This information is necessary for VAT calculation purposes.
Access logs. To ensure Website support and security we collect access logs, such as your IP address, operating system, and browser information. This information is essential for fighting DDoS attacks, scanning, and similar hacking attempts. We also use this information to help us to better design our site, help diagnose problems with our server, and administer our Website.
Communication optimization data. We use various tools to help us optimize our email campaigns. These tools may track actions you perform with an email, such as opening it, clicking certain elements of the email or unsubscribing from further communication. We may also be able to see the user device’s operating system (e.g., Windows, Mac, iOS, Android) and country in order to optimize push and email notifications and automatically set the language.
Chatbot. If you contact us via our chatbot on our Website, in addition to processing your contact information and information provided in your message, we will be able to collect your device information and IP address. Besides, our chatbot service provider may also be able to see your IP address and geo-location information. It also collects various cookie data that enables us to track the activities of our Website visitors. We use this information to understand how visitors interact with our Website.
Live chat widget. If you contact us via the live chat widget, in addition to processing your contact information, we will also process your device information (such as the type of the operating system and browser) and IP address. This information is necessary for our support to determine the user’s country, prevent abuse, see if the user is connected to our servers, and help our support to process queries faster.
Social media. When you interact with us via social media, we may process information available on your social media profile, also your inquiry or post information, and other information you provide us with.
Other communication means. When you contact us to inquire about our Services, we process your full name, email address, entity’s information you contact on behalf of (if provided), and/or other information you provide us with.
Information related to marketing activities. We may receive certain data about you (i) directly from you, if you subscribe to marketing communications, complete surveys, or sign up for our events or webinars, publicly available material prepared by or (ii) from certain advertisers and other partners which we use for advertising purposes. Those partners help us deliver more relevant ads and promotional messages to you, which may include interest-based advertising (also known as online behavioral advertising) and account-based advertising. We may also receive your personal data from the organizers of events that you and NordLayer participate in, or promotions that we sponsor or participate in. Such data may include your contact and professional data (e.g., name, company, position, email address, preferences, and/or interests), cookie id, mobile device id, and inferences about your interests and preferences. We use this information in order to send you offers, surveys, and other marketing content (in line with applicable law) and to manage your participation in our events or seminars. You can easily opt-out of future marketing communications using the opt-out link provided in the emails sent to you.
Referrals data. Participation in referral programs maintained by NordLayer requires referrers to submit personal data (e.g., full name, e-mail address, phone number, relationship with the referred party) about themselves and a referred party so that we could (i) reach out to the referred party; (ii) contact referrers with regards to their participation in referral programs and/or provision of rewards. It is the referrer’s responsibility to abide by applicable privacy laws when disclosing third parties’ personal data to NordLayer, including informing third parties that they are providing referred parties’ personal data to NordLayer and how it will be used and processed. Referred parties may unsubscribe from any future communication at any time. If you believe that one of your contacts has provided us with your personal data and you would like it to be removed from our database, please contact us as provided below (Section “Contact Us”).
3. Grounds For Processing Of Personal Data
NordLayer processes personal data to a limited scope and based on the following legal grounds:
To fulfill contractual obligations. The information provided might be required for the performance of a contract, i.e., (i) to provide Services and customer support; (ii) to process your purchase transactions; (iii) to ensure the secure, reliable, and robust performance of our Services and Website.
To ensure legal obligation. We might be required to use your information as per legal requirements, e.g., to keep and process records for tax purposes and accounting.
Your consent. We might use your information where you have given your consent to us, i.e., (i) to send marketing communication (unless applicable law permits us to contact you without prior consent); (ii) to communicate with you and manage your participation in our contests, offers, referrals, or promotions. Please note that although we may also process your personal data for marketing purposes when applicable law permits us to contact you without your separate consent, if you choose not to receive marketing communication from us (i.e., if you opt-out), we will honor your request.
Legitimate interest. We sometimes may process your personal data under the legitimate interest, i.e., (i) to properly administer business communication with you; (ii) to detect, prevent, or otherwise address fraud, abuse, security, or technical issues with our Services and Websites; (iii) to protect against harm to the rights, property, and safety of NordLayer, our Customers, End Users, or third parties; (iv) to improve or maintain our Services and provide new products and features; (v) to receive knowledge of how our Website and application are being used.
4. Sharing Your Personal Data
Service providers. We use third-party service providers to help us with various operations, such as IT, servers, marketing, customer support, data storage, website customization, website analytics, accounting, legal, agency, and others. As a result, some of these service providers may process your personal data.
Partners. Sometimes our partners, for example, distributors, resellers, managed service providers, and app store partners might also process your personal data. In such cases, the procedures established by them (e.g., terms of service and privacy policies) will apply to such relationships.
We also partner with third parties to display advertising on our Website or to manage our advertising on other sites. These partners help us deliver more relevant ads and promotional messages to you, which may include behavioral, contextual, and generic advertising. We and our advertising partners may process certain personal data to help us understand your preferences so that we can deliver advertisements that are more relevant to you.
Your personal data may be processed in any country in which we engage service providers and partners. When you use our Services and Website, you understand and acknowledge that your personal data may be transferred outside of the country where you reside.
Other NordLayer group companies. We share your personal data with other NordLayer group companies to carry out our daily business operations and to enable us to maintain and provide our Services to you. In accordance with applicable law, we may also share your contact information with NordLayer group companies for the marketing of their products’ purposes (you have a right to object to such transfer at any time).
Protection of our rights. We may disclose your data to establish or exercise our legal rights or defend against any legal claims or other complaints. We may also share such information if we believe it is necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, and violations of our Terms.
Business transfers. We may share your personal data in those cases where we sell or negotiate to sell our business or go through a corporate merger, acquisition, consolidation, asset sale, reorganization, or similar event. In these situations, NordLayer will continue to ensure the confidentiality of your personal data.
Requests from law enforcement institutions. Any request for data should follow an appropriate official legal process recognized by the laws of incorporation (e.g., mutual legal assistance treaty, letters rogatory). We carefully review each request to make sure it satisfies laws applicable to our company, laws of requesting country, international norms, and our internal policies.
5. Choices Related To Your Personal Data
Delete: request us to erase your personal data;
Access: know and access personal data NordLayer has collected about you;
Rectify: rectify, correct, update, or complement inaccurate/incomplete personal data NordLayer has about you;
Object: object to the processing of your personal data which is done on the basis of our legitimate interests (e.g., for marketing purposes);
Portability: request us to provide you with a copy of your personal data in a structured, commonly used, and machine-readable format or to transmit (if technically feasible) your personal data to another controller (only where our processing is based on your consent, and carried out by automated means);
Restrict: restrict the processing of your personal data (when there is a legal basis for that);
Withdraw consent: withdraw your consent where processing is based on the consent you have previously provided;
Lodge a complaint: exercise your rights by contacting us directly or, if all else fails, by lodging a complaint with a supervisory authority.
Rectification. If you’d like to edit your information (e.g., change your email address), please contact our support team at [email protected].
Access/Deletion. If you wish to delete your personal data that we process or request to provide you with a copy of your personal data, please contact us at [email protected].
Opt-out. If you wish to unsubscribe from our marketing communication, you can opt-out at any time by clicking the “unsubscribe” link at the bottom of each email or contacting us at [email protected].
If you do not agree with the processing of your personal data by NordLayer, please do not use our Services and Website. You can request us to discontinue processing your personal data, in which case your data will be processed only as much as it is necessary to effect the discontinuation of your use of the Services (e.g., final settlement or deleting all personal data), or finalizing other our legal relationship with you (e.g., record keeping, accounting, processing refunds). Please note that we or our third-party service providers may be obliged to retain your certain personal data as required by law.
If you are using NordLayer Services as an End User and you want your personal data would be edited or to be no longer processed by us, you should contact the Customer that granted you access to our Services.
To raise any other questions, concerns, or complaints about our privacy practices or about our processing of your personal data, please contact us as provided below (Section “Contact Us”).
6. Data Security
We maintain tight controls over the personal data we collect. Our dedicated cyber security team has implemented appropriate physical, technical, and organizational measures to protect information about you against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access and against all other unlawful forms of processing:
Physical Measures. Our servers are located in certified data centers with appropriate physical control measures in place. We control access to our facilities with access cards. We also use security alarm systems and CCTV. We store devices with personal data information only in locked rooms or cabinets. Our printers are protected by access control measures. A clean desk policy is implemented.
Technical Measures. We use layered defense with firewalls, anti-malware protection, intrusion detection, and prevention systems. Our infrastructure is regularly updated, and regular vulnerability scans are in place to detect possible vulnerabilities. We have security event and incident management solutions to correlate and investigate signals in cyber network. Servers are hardened and automated configuration tools are used to manage them. All workplaces are managed from a centralized endpoint management tool. Data at rest and in transit are encrypted. Encryption protocols are used according to the newest security practices.
Organizational Measures. We adopted information security and data processing policies according to the best practices. We conduct external audits to prove our information and cyber security as well as data processing policies are up to the standards and best practices. We adopted a constant development culture of information and cyber security and data protection awareness among our employees (including organizing regular and ongoing training and other awareness activities). We analyze the threat landscape and attack surface and constantly update our security measures. Access to databases containing personal data is granted on a need-to-know and least-to-know principles.
We maintain tight controls to protect information about you against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing. However, no company can guarantee the absolute security of internet communications as no technology is completely bulletproof. By using the Services and Website, you expressly acknowledge that we cannot guarantee the 100% security of personal data provided to or received by us through the Services and that any information received from you through Websites or our Services is provided at your own responsibility. If you have any reason to believe that your interaction with us is no longer secure, please notify us at [email protected].
7. Data Retention
NordLayer will retain End Users’ data in accordance with the Customer’s instructions.
In cases when NordLayer acts as a data controller, it stores personal data only for as long as it is necessary for the original purpose of collection or legal requirements. We determine the appropriate retention period for personal data on the basis of the amount, nature, and sensitivity of the personal data being processed, the potential risk of harm from unauthorized use or disclosure of the personal data, if we can achieve the purposes of the processing through other means, and if the information is necessary for the execution of our legal rights, obligations and fulfilment of our other duties (for example, record and bookkeeping). When we no longer have a legal ground to keep your personal data, it will either be securely disposed of, or de-identified through appropriate anonymization means.
For more information about specific retention periods, please reach out to us at [email protected].
8. Country-Specific Provisions
For users in European Economic Area (“EEA”)
If you are a resident of EEA countries, you can exercise your rights as provided in the European Union's General Data Protection Regulation (“GDPR”) by contacting us at [email protected]. To comply with the GDPR, we have also implemented appropriate contracts for international transfers, on the basis of the standard contractual clauses approved by the European Commission and other international models as required by local law.
For users in California
If you are a California resident, you can exercise your rights as provided in the California Consumer Privacy Act (“CCPA”) by contacting us at [email protected]. As per definitions in the CCPA, please note that NordLayer does not sell, share, lease, or rent your personal information.
9. Minors’ Data
NordLayer does not knowingly collect or solicit personal data from anyone under the age of 18. If you are under 18, please do not attempt to send any personal data about yourself to us. If we acknowledge that we have collected and processed personal data from a minor under the age of 18, we will delete that data as quickly as possible.
10. Contact Us
If you have questions, requests, concerns, or complaints about how your data is being processed or personal data processing practices, please contact us via [email protected] or by writing to us at the following address:
Nord Security Inc., One Rockefeller Plaza, 11th Floor, New York, NY 10020, United States of America.
On matters related to the processing of personal data, you may also contact our representative VeraSafe in the European Economic Area using the following details:
via postal address at: VeraSafe United Kingdom Ltd., 37 Albert Embankment, London SE1 7TL, United Kingdom.
11. Other Terms
Limitation of Liability. To ensure the security of personal data, we apply various technical, physical, and organizational security measures; however, it is your responsibility to exercise caution and reasonableness when using the Services and Website. You will be personally liable if your use of the Services or Website violates any third-party privacy, any other rights or any applicable laws. Under no circumstances is NordLayer liable for the consequences of your unlawful, willful, and negligent activities, and any circumstances that may not have been reasonably controlled or foreseen (please read the Terms for more information).