Last Updated: May 25, 2018
WHO WE ARE
When you purchase a certificate, you are contracting with Sectigo Limited, a limited company formed under the laws of England and Wales with registered number 04058690 and registered offices at 26 Office Village, Exchange Quay, Trafford Road, 3rd Floor, Salford, Manchester, M5 3EQ, United Kingdom.
Attn: Data Protection Officer
Unit 7 & 9
Listerhills, Science Park, Campus Road,
Bradford, BD7 1HR
Sectigo values your privacy.
- What information we collect.
- How we collect your information.
- How we use your information.
- What information we share.
- What security measures we have in place to protect your information.
- What rights and choices you have in relation to your information.
This is important to us, so we hope you take the time to read and review it carefully.
- “Account” refers to a CCM account, an E-PKI account, an S3 account, or any other account at a Sectigo website for which you sign up and log in.
- “Baseline Requirements” refers the most recent version of the CA/B Forum’s Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates, accessible here: https://cabforum.org/baseline-requirements-documents/.
- “CA/B Forum” means the Certificate Authority and Browser Forum, a consensus-driven forum of certificate authorities (like us) and browsers that promulgates industry guidelines governing the issuance and management of X.509 v.3 digital certificates, and whose website is https://cabforum.org/.
- “Cookies Policy” refers to the most recent version of our Cookies Policy, accessible here: Sectigo.
- “CPS” refers the most recent version of our Certification Practices Statement, accessible here: Sectigo legal.
- “EV Code-Signing Guidelines” means the most recent version of the CA/B Forum’s Guidelines for The Issuance And Management of Extended Validation Code Signing Certificates, accessible here: https://cabforum.org/ev-code-signing-certificate-guidelines/.
- “EV Guidelines” refers to the most recent version of the CA/B Forum’s Guidelines for the Issuance and Management of Extended Validation Certificates, accessible here: https://cabforum.org/extended-validation/.
WHAT INFORMATION WE COLLECT
INFORMATION YOU GIVE TO US
Sectigo collects personal information in accordance with industry standards mandated by the CA/B Forum (such as the Baseline Requirements and EV Guidelines) when you purchase or use Sectigo products or services or otherwise interact with Sectigo. In most instances, you provide the information directly to Sectigo, such as when you create an Account, sign up for a newsletter, subscribe to Sectigo’s services, use a Sectigo website, download a Sectigo product, or request further information from Sectigo.
When You Purchase Services or Download a Product
When you purchase Sectigo services or download a product, you will provide certain personal information. This information may include personal contact information, such as name, company name, address, phone number, and email address; billing information, such as billing name and address, credit card number, and the number of employees within the organization; or other similar information that may be necessary for us to provide you with products and services. The information that you provide shall be used for such things as setting up or administering your Account, responding to your inquiries, providing you with product updates or improvements, and managing other daily business needs, such as, for example, payment processing, account and contract management, website administration, troubleshooting, security and fraud prevention, corporate governance, reporting and legal compliance and business continuity. If Sectigo would like to process that information for any other purposes, we will first provide you with sufficient information describing such additional use.
When You Order a Certificate
When you order a certificate, you will be required to provide certain information depending on the certificate type (e.g. DV, OV, EV, SMIME, etc.). The exact informational requirements are listed in the CPS for your review. Certain of the submitted details will be displayed within the certificate, and, as a result, will be publicly available.
You have choices about your information, but if you choose not to provide necessary information when purchasing a product or service, or ordering a certificate, (for example, information necessary to validate a certificate), then you may not be able to get that product, service, or certificate.
INFORMATION WE COLLECT FROM YOUR USE
To enable a better experience on our websites and provide you with better functionality and features in our products and services, we collect information about your interactions with Sectigo, like the products and services that you use and how you use them. We may use technologies like cookies, browser analysis tools, or server logs to receive error reports or usage data from software running on your device or our website and applications. We may also obtain data from third parties to enhance our files and better understand our customers.
For more information on cookies and how we use them, see our Cookies Policy.
Sectigo's websites use Google Analytics, which is a web analytics service provided by Google, Inc. ("Google"), to evaluate your use of the Sectigo website. Google Analytics place a third-party cookie on your computer that is then used to compile reports of visitor traffic and internet usage. Google Analytics does not have a database of individual profiles for each visitor and only collects aggregate data.
For information on how Google Analytics uses data please visit “How Google uses data when you use our partners sites or apps”, located at www.google.com/policies/privacy/partners/.
Sectigo uses log files comprising of non-personally identifiable information to analyze trends, administer the site, track movements throughout the site, calculate the number of document and file downloads, and gather broad demographic information for aggregate use.
This information may include your IP address or other proxy servers you use to connect to the Internet, device and application identification numbers, your browser type, your Internet service provider (or mobile carrier), the pages and files you viewed, your operating system and system settings, and the location and time zone associated with your usage. Based on certain Internet standards, we may also collect information about the website you were visiting before and the website you visit after you leave the Sectigo website.
INFORMATION WE COLLECT AND RECEIVE FROM THIRD PARTIES
Information We Collect and Receive from Our Resellers and Webhosts
Sectigo has hundreds of resellers and webhosts that offer you our products and services for purchase directly from them. Sectigo enters into agreements with its resellers and webhosts containing adequate privacy safeguards and protections. When you provide information directly to these resellers or webhosts, you are providing your information subject to the privacy policies and practices of those resellers. You should make sure to review and understand those policies and practices prior to sharing your information.
For more information on Sectigo’s resellers and webhosts, please contact us.
Information We Collect and Receive from Third-Party Sources
For Sectigo to properly validate some types of certificates (such as EV Certificates) in accordance with industry standards, it is necessary for Sectigo to supplement information that Sectigo receives from you or a reseller with information that it gathers from third-party sources.
As such, Sectigo may verify the information you provide us with information from independent third-party sources. The types of certificates, allowable third-party sources, and other relevant information are detailed with specificity in the CPS, the Baseline Requirements, the EV Guidelines, and the EV Code-Signing Guidelines. Information collected from these third-party sources will be used by Sectigo to validate the ordered Certificate. This is an integral aspect of the services provided by Sectigo and is required of Sectigo to validate a certificate.
Sectigo also collects and receives certificate information from publicly available certificate transparency (CT) logs. Generally, certificates and CT logs do not contain personal information. CT logs were created in the public’s interest to support public oversight and scrutiny of the SSL certificate system. The purpose of the CT log is to provide an open auditing and monitoring system to protect users and to prevent mistaken or malicious issuance of certificates.
CHILDREN’S ONLINE PRIVACY PROTECTION ACT STATEMENT
Sectigo websites, products and services are not directed to children under the age of 16 and Sectigo does not knowingly collect personal data from children under the age of 16. If Sectigo becomes aware that a child under the age of 16 has provided personal data, Sectigo will take steps to delete such information from Sectigo’s files as soon as possible.
HOW WE USE YOUR INFORMATION
Understanding how important your privacy is to you, we limit the use of your information and want you to be clear on how your information will be used. Below is an overview, identifying the information collected, the purpose for which it is collected, the initial legal basis for processing such information, and the period for which we will retain that information.
We are providing the below information about our retention periods to show you that your information is being processed with transparency. Our retention periods, however, are not fixed for all types of information and will vary for reasons such as whether the information is still necessary for the original purpose of the processing, to fulfill (or assert) our or your legal obligations (or rights), and/or to comply with applicable laws or industry requirements. As such, we reserve the right to revise such retention periods where we determine that the information is still, or is no longer, necessary for the purposes for which the information was processed.
|Information Collected||Purpose of Collection||Legal Basis||Necessary Retention Period|
|Information you give us to setup and administer your (or your organization’s) Account (see list in section “INFORMATION YOU GIVE TO US” above).||To provide you (or your organization) with the products and services requested and to properly administer your (or your organization’s) Account, including for renewals, billing, and contract management purposes.||Our collection and use will be based on the terms and conditions of your subscriber agreement with us.||Duration of the subscriber agreement governing the Account and a period thereafter as may be necessary to assert our legal rights.|
|Information that you provide us to issue a certificate (see list in section “INFORMATION YOU GIVE TO US” above).||To validate and issue the certificate you ordered, and to comply with industry standards and other requirements.||Our collection, use, and retention of such information is for the legitimate interests of Sectigo and third parties, including compliance with our legal obligations and industry standards (such as the CA/B Forum’s Baseline Requirements, EV Guidelines, and EV Code Signing Guidelines), network and informational security purposes, audit purposes, and fraud prevention purposes.||Duration of the subscriber agreement governing the certificate, and for seven (7) years after the expiration or revocation of all certificates thereunder.|
|Information that we collect about you from our resellers (see list in section “Information we Collect and Receive from Our Resellers and Webhosts” above).||If you ordered a certificate, to validate and issue the certificate, and to comply with industry standards and other requirements. If you order any other product or service, to provide you with the products and services that you requested and to properly administer your Account, including for renewals, billing, and contract management purposes.||Our collection, use, and retention of such information is for the legitimate interests of Sectigo and third parties, including compliance with our legal obligations and industry standards (such as the CA/B Forum’s Baseline Requirements, EV Guidelines, and EV Code Signing Guidelines), network and informational security purposes, audit purposes, and fraud prevention purposes.||Duration of the subscriber agreement governing the certificate, and for seven (7) years after the expiration or revocation of all certificates thereunder.|
|Information that we collect about you from our third-party sources (see list in section “Information We Collect and Receive from Third-Party Sources”, above).||To validate and issue the certificate you ordered, and to comply with industry standards and other requirements.||Our collection, use, and retention of such information is for the legitimate interests of Sectigo and third parties, including compliance with our legal obligations and industry standards (such as the CA/B Forum’s Baseline Requirements, EV Guidelines, and EV Code Signing Guidelines), network and informational security purposes, audit purposes, and fraud prevention purposes.||Duration of the subscriber agreement governing the certificate, and for seven (7) years after the expiration or revocation of all certificates thereunder.|
|Information contained in an issued Certificate, including information published in CT logs (generally this does not contain personal information).||To ensure (i) certificates are not used for fraud, phishing, or other malicious uses, (ii) the authenticity of issued certificates, and (iii) the integrity of issued certificates for network and informational security purposes.||There is no retention period and the information is available on the Internet indefinitely.|
|Information we collect from your use of Sectigo’s websites, products and services.||For security and fraud prevention, corporate governance, and for audit, legal and regulatory reporting purposes.||Sectigo has a legitimate interest in using this information to protect Sectigo’s systems, your information and the information of other Sectigo customers.||Exact durations are listed in the Cookies Policy.|
|Your name, email address and contact information that you provide to us when sending us an inquiry form or other communication.||Respond to you when you contact Sectigo about our products or services.||When you submit an inquire, our ability to respond to you will be based on your consent that we will obtain prior to sending you any communications.||Until you withdraw your consent.|
|Your name, email address and contact information that you provide to us in relation to events and other Sectigo news.||Plan, host and provide you with information about Sectigo surveys, events, or other public forums.||When we provide you with this information it will be based on your consent to receive this information, which we will obtain prior to sending you any communications.||Until you withdraw your consent.|
|Your name, email address and contact information that you provide to us in relation to marketing and promotional activities.||Provide marketing and promotional communications about offers, news or announcements relating to the Sectigo products and services.||When we provide you with this information it will be based on your consent to receive this information, which we will obtain prior to sending you any communications.||Until you withdraw your consent.|
SHARING OF INFORMATION COLLECTED
We do understand and value the sensitive nature of your information, and as such, the information provided to Sectigo will be protected by Sectigo and not sold or rented to any unrelated third parties without your consent.
There are instances, however, when Sectigo may disclose your information for such limited purposes as:
- To our resellers or webhosts when you place your order through that reseller or webhost.
- To our service providers or processors who are obligated under law and contract to protect your information and only use your information in accordance with our instructions.
- As may be necessary for audit, compliance, or corporate governance functions.
- When legally obligated to do so by law or in response to a subpoena or court order in the United Kingdom or other countries where we operate.
- If disclosure is necessary to effectuate the sale or transfer of business assets.
- If disclosure is required to protect the rights of Sectigo, Sectigo's customers, or the users of Sectigo's products or services.
We may also share aggregate demographic data that does not contain any personally identifiable information.
Forums, Bulletin Boards, Testimonials, Chat Rooms, and Surveys
Comodo CA may provide you with communication tools such as public forums, bulletin boards, testimonials, or chat rooms. Information that you post will be accessible to anyone with Internet access and may be collected, used, and read by third parties, including other users. You should always use caution when posting any of your information on a public forum as you have no privacy rights in public postings. Comodo CA is not responsible for any information submitted by you through these public services.
Occasionally, Comodo CA may also request information from you via surveys. Participation in these customer surveys is absolutely voluntary. If you do choose to participate, however, the survey information you provide will be used by Comodo CA to improve its website and the Comodo CA’s products and services.
THIRD-PARTIES AND EXTERNAL LINKS
If you access the products, services or websites of Comodo CA’s service providers, partners or other third-parties, you should review those respective privacy policies as well to understand what information is collected and how it is used by them.
Comodo CA develops, implements, and maintains a comprehensive security program designed to protect its networks and to safeguard the information it collects and stores. Comodo CA protects information both online and off-line. Below are some of the many measures that Comodo CA implements:
- Transmission of information, including any payment information, is encrypted and protected using TLS/SSL technology.
- Stored customer information is kept in a secure environment where access is restricted to employees who need the information to perform a specific job (for example, billing administration or the development team).
- Employees are required to use password-protected screen-savers and keep their computers up-to-date.
- Implementing detection and prevention controls to guard against viruses and malicious software.
- Security procedures are audited in accordance with the AICPA/CICA WebTrust for Certification Authorities Principles and Criteria, the results of which are available upon request.
You can find more information and details on how Comodo CA protects your information in the CPS.
INTERNATIONAL TRANSFER OF INFORMATION
If your data is transferred to a server outside of Europe, we will ensure that it is protected and transferred in a manner consistent with legal requirements and applicable laws. Information can be transferred outside Europe in a number of ways. Examples include: the country to which we send your information may be approved by the European Commission, the recipient may have signed a contract based on the “model contractual clauses” approved by the European Commission, obliging them to protect your information, or where the recipient is located in the US, it may be a certified member of the EU-US Privacy Shield framework. In other circumstances, the law may permit us to otherwise transfer your information outside Europe. In all cases, any transfer of your information will be compliant with applicable data protection law.
You can obtain more details of the protection given to your information when it is transferred outside Europe (including a sample of the model contractual clauses) by contacting us at the mailing address or email address below.
YOUR RIGHTS TO YOUR INFORMATION
The law affords you certain rights when it comes to your information and we want to make sure you understand those rights. You have the right to:
- Request access to your information
- Request corrections to your information
- Request that your information be erased
- Request that the processing of your information be restricted
- Object to the processing of your information
- Request return of your information
Although you have these rights, please understand that these rights are not absolute. There may be instances where we may not be able to comply with your request or objection based on our legitimate interests.
If your information or certificate specific information needs to be updated, you can request that certain changes be made by logging into your Account. For any other requests, you can also contact us via email at firstname.lastname@example.org.
YOUR CHOICES AND COMMUNICATION PREFERENCES
You always have rights to the collection, use, or disclosure of your information. Remember, however, in certain cases, if you do restrict or object to the use of your information, then certain products or services that require that information may not be provided to you.
You can also limit the communications that we send to you. Customers may occasionally receive information on products, services, and special deals from Comodo CA or may receive informational newsletters. Customers are given the opportunity to 'opt-in' to receiving these promotional communications at the time their information is collected. You may “opt-out” of receiving these promotional communications using the opt-out link provided in each promotional email or by emailing email@example.com.
Even if you opt-out of promotional communications, we will still need to contact you with important administrative and transactional information about your Account and your use of the Comodo CA products and services. For example, we may contact you about new release or feature updates or with important security information about the products or services.
PROCESSING AND CUSTOMER CONSENT
CERTIFICATE REVOCATION & EXPIRY
Access to all issued certificates is provided through Comodo CA’s public repository. Because of the nature of the services provided, there may be circumstances under which a certificate is revoked. Furthermore, certificates have a finite lifetime and will expire.
Despite the finite nature of certificates, Comodo CA still provides public access to both revoked and expired certificates for network and informational security purposes, audit purposes, and fraud prevention purposes. Such certificates are flagged as revoked or expired within the repository.
HAVE QUESTIONS OR WANT TO CONTACT US?
MANCHESTER, UK OFFICES
Comodo CA Limited
26 Office Village, Exchange Quay, Trafford Road
BRADFORD, UK OFFICES
Comodo CA Limited
Unit 7 & 9
Listerhills, Science Park, Campus Road,
Bradford, BD7 1HR
Comodo CA, Inc.
5 Becker Farm Road
Roseland, NJ 07068
Comodo CA (Canada) Ltd.
300 March Road
Kanata, ON K2K 2E2