RSA is committed to protecting the privacy and security of all personal data we collect when you access, use, or interact with us via our websites, marketing communications and personal data we process in order to provide services to our customers. We receive limited personal data from our customers.
We collect “personal data,” which means information relating to an individual who can be identified, directly or indirectly, by reference to an identifier, such as a name, identification number, location data, or an online identifier.
The types of information we collect about you depends on your use of our products, services and the ways that you interact with us, and includes information we obtain from third parties. This may include information about:
We do not intentionally collect special categories of personal data which includes sensitive information such as:
You are not required to provide, nor should you disclose this information as we do not intend to process sensitive information. However, if you do disclose, you acknowledge that you consent to our collecting and processing of these special categories of data.
The types of personal data we collect about you depends upon your use of our products and services and the ways that you interact with us.
We ask for and collect personal data from you in the following instances:
If you believe your personal data has improperly been provided to us, or if you want to exercise your rights relating to your personal data, please contact us at firstname.lastname@example.org.
We may collect your personal data from other sources such as publicly available information and third-party sources that we purchase personal data from. The third-party sources may change over time and may include:
The personal data may include identifiers, professional or employment related information, education information, commercial information, visual information, internet activity information, social media profiles, and inferences about preferences and behaviors. We may combine information from other sources with the personal data provided by you.
This data helps us keep our records updated, identify new customers, and create tailored advertising for products and services that may be of interest to you.
We use information gathering tools such as cookies, web beacons, pixels, and similar technology to automatically collect information that might contain your personal data when you use our websites and services or interact with emails we send you.
Most websites automatically collect data about you when you visit the site. This information may include:
We use this information to analyze overall trends, help us improve our websites, offer a personalized experience for website users, and secure and maintain our websites.
We also automatically collect information as part of your use of our products and services. This information may include:
We use this information to maintain the security of our websites and our products and services, provide necessary functionality, improve the performance of services, assess and improve customer and user experience, validate that you are an authorized user, review compliance with usage terms, identify future opportunities for service development, assess capacity needs and requirements, and identify customer opportunities.
Device and usage data is primarily used to identify the unique uses of our websites instead of identifying specific individuals unless identity is required for security purposes or to provide services to the individual.
Our websites, online services, interactive applications, email messages, and advertisements may use tracking technologies such as web beacons, pixels, tags, and cookies to help us tailor your experience, better understand your preferences, tell us which parts of our websites you have visited, and facilitate and measure the effectiveness of our interest-based advertisements and web services, and gather information about the use of our websites and the interactions with our emails.
Web beacons and pixels are used on our websites and in our emails to help deliver cookies, gather usage and performance data, and operate and improve our websites and marketing emails.
Cookies are alphanumeric identifiers that are stored on your device’s local storage through your web browser for recordkeeping purposes. Some cookies allow us to make it easier for you to navigate our websites and services, improve and customize your browsing experience, and infer your browsing preferences, while others are used to enable a faster log-in process or allow us to track your online activities over time and across our webpages.
We use both session-based and persistent cookies.
There are three categories of cookies: required and functional, analytics and customization, and advertising:
Besides using our Privacy Settings, you can opt out from the collection of non-essential device and usage data on your web browser. Depending on your personal preferences, you can edit your browser options by using the “Help” function in your browser toolbar. You can prevent your computer from accepting new cookies, have the browser notify you when you receive a new cookie, or disable all cookies. However, it is important to note that if you block or delete cookies that we use on our websites, you will still be able to browse certain areas of the websites, but some features may not function properly.
We may use Flash Local Storage Objects (Flash LSOs) to store your website preferences and to personalize your visit. Flash LSOs are different than browser cookies because of the amount and type of data stored. Typically, you cannot control, delete, or disable acceptance of all Flash LSOs through your web browser.
For more information about Flash LSOs and to learn how to manage your settings for Flash LSOs, go to the Adobe Flash Player Help Page.
Invisible Images are tiny graphics with a unique identifier, similar in function to cookies. In contrast to cookies, which are stored on your device’s local storage, these images are embedded invisibly on web and application pages.
We may use invisible images, which are also known as web beacons, web bugs, or pixel tags in connection with our websites and service offerings to, among other things, track the activities of website visitors and application users, help us manage content, and compile statistics about website usage.
We, and our third-party service providers, also use invisible images in HTML emails to our customers to help us track email response rates, identify when our emails are viewed, and to track whether our emails are forwarded.
We, and our third-party service providers, may use information about your visit to our websites, such as pages you visit, items you view, and your responses to our advertisements and emails. This information allows us to make the advertisements you see more relevant to you. To update your preferences, you may click “unsubscribe” in any email marketing communication that is sent to you.
It may take up to ten (10) business days for your email preferences to take effect.
You may also visit the opt out pages to opt out of many third-party advertising networks through various trade association websites such as:
However, using these opt out pages does not mean that you will no longer receive advertising through our websites or services, or on other third-party websites.
From time to time, we may give unaffiliated network advertisers information, including your personal data. These network advertisers provide advertisements on our websites, applications, and on other parties’ websites and media, such as social networking platforms.
When we work with third party advertising networks, we require them to restrict their data processing to only what is necessary to provide us with the advertising services we request.
Website users located in the United States may learn more about opting out and opt out of many third-party advertising networks through various trade association websites such as:
However, it does not mean that you will no longer receive advertising through our websites, services, or on other third-party websites.
We, and our third-party service providers, including Google, may use the information that we collect about you, whether directly from our website, from our mobile applications, through your device, or from a third party, to help us and our third-party service providers identify other devices that you use, such as a mobile phone, tablet, or other computer.
We, and our third-party service providers may also utilize the cross-device use information we learn about you to serve targeted advertising on your devices and to send you emails.
To opt out of cross device use, you may opt out of third-party advertising (see Section 3.7). However, if you opt out of these advertising cookies, your opt out will be specific to the web browser, application, or device from which you accessed the opt out. If you use multiple devices or web browsers, you will need to opt out of each device and each browser on each device that you use.
Some internet browsers offer a “Do Not Track” option that allows you to tell websites that you do not want your online activities tracked. There is currently no industry common standard, therefore, we do recognize these Do Not Track signals on our websites. We take privacy and your preferences seriously and will continue to monitor Do Not Track developments and the adoption of a standard.
However, you may disable certain tracking by clicking on “Privacy Settings” at the bottom of our website located at: RSA.com by disabling cookies on your browser (see Section 3.3), or by opting out of advertising (see Sections 3.6 and 3.7).
We are responsible for the content we publish using social media platforms, but we are not responsible for managing the social media platforms or the data they collect and process. Our websites have social media sharing plugins. These widgets may allow you to post information about your activities on our websites on outside platforms and social networks. You may also be able to like or share information we have posted on our websites or our branded social media pages. If the social media pages are hosted by the individual platforms and you click through to the site from our websites, the platform may receive information showing that you visited our websites. If you are logged into the social media site at the time you click through, the social media site may be able to link your visit to our websites with your social media profile.
If you use features of our services on your mobile device, we may collect telephony log information, including phone numbers, time and date of the calls, duration of the call, SMS routing information. We may collect device event information, such as system activity, hardware settings, and browser language. We may also collect location information through GPS, IP address, WiFi access points and cell towers, and other sensors that provide us with information on nearby devices.
We collect and process your personal data for the following purposes:
Where required by law, we will obtain your prior consent to use and process your personal data, or we will rely on another authorized legal basis, such as performing a contract or having a legitimate interest.
We may share your personal data with our business partners, which include:
We may collect, transfer, and store your personal data in the United States. We may also collect, transfer, and store your personal data in other countries. This includes countries outside the European Economic Area (EEA) and countries with laws that have not been determined to provide an adequate level of protection under the laws of the European Union (EU) or other jurisdictions.
This means that your personal data may be processed outside your jurisdiction in countries that are not subject to an adequacy decision of the European Commission on the basis of Article 45 of Regulation (EU) 2016/679 (GDPR) or regulatory authority. However, we will ensure that your personal data is subject to an adequate level of protection and security by entering into appropriate agreements, including the UK standard contractual clauses and the EU standard contractual clauses, or an alternative mechanism for the transfer of your personal data.
Our websites, products, and services are not for children. We do not knowingly collect and process personal data of children under the age of sixteen (16). If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us at email@example.com and we will take the necessary steps to delete their personal data from our systems.
We will retain your information no longer than is necessary for RSA’s purposes. We will retain your personal data for different periods of time depending on the category of personal data it is collected for. Some personal data may be deleted automatically, and some will be retained longer consistent with the original purpose for collecting it, for as long as required to fulfill our obligations, or as required by law.
When the retention period expires, we will delete your personal data. If there is any data that cannot be completely deleted for technical reasons, we will implement appropriate measures to prevent any further processing of such data.
You may have certain rights relating to your personal data, subject to data protection laws. These rights may include:
We do not currently use automated decision making on our websites or in our services.
To exercise your rights, please contact us at firstname.lastname@example.org.
Your personal data may be processed by us when we respond to these rights. We attempt to respond to all legitimate requests within thirty (30) days, unless otherwise required by law, and will contact you if we need additional information in order to honor your request or verify your identity. At times, it will take longer than thirty (30) days, considering the number and the complexity of the requests we receive. We will contact you if we need additional time to fulfill your request.
Some authorized users may update their settings and profiles by logging into their accounts.
Please be aware that your request does not guarantee complete access or comprehensive removal as the law may not permit or require removal in certain circumstances.
If your data has been submitted to us by or on behalf of a customer and you wish to exercise any rights you have over your personal data under the applicable data protection laws, please inquire directly with our customer.
We may only access your personal data based upon our customer’s instructions. If you wish to make your request to exercise your rights with us, please provide us the name of the customer who submitted your data to us. We will refer the request to that customer and provide any support they need to respond to your request within a reasonable time.
You have choices about how we reach you with marketing offers and about other uses of your information. To update your preferences, you can:
Please be aware that it may take up to 10 business days for your email preferences to take effect.
Opting out of marketing communications will not opt you out of receiving important business communications related to your current relationship with us, such as information about your products or services, event registrations, service announcements, or security information.
We take appropriate organizational, technical, and physical measures to help safeguard against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure of, or access to, the personal data we collect and process. The way we do this includes:
We follow generally accepted standards to protect your personal data. However, no method of collection, storage, or transmission is 100% secure. You are solely responsible for protecting your password, limiting access to your devices, and signing out of websites after your sessions.
We encourage you to keep any passwords you use confidential and to be careful to avoid “phishing” scams where someone may send you an email that appears to be from RSA asking for your personal information. RSA will not request your ID or password through email.
The California Consumer Privacy Act (CCPA) requires businesses to disclose whether they sell personal data, which the CCPA calls “personal information.” For the purposes of this Section 12, “personal data” includes all “personal information” as defined by the CCPA.
As a business covered by the CCPA, we do not sell personal data for monetary consideration. We may share personal data with others or allow them to collect personal data from our websites or services if they are affiliates, third parties authorized by us, or business partners who have agreed to our contractual requirements regarding retention, use, and disclosure of personal data, or if you use our products or services to interact with third parties or direct us to disclose your personal data to third parties.
The CCPA requires us to detail the categories of personal data that we disclose for certain business purposes. In the preceding twelve (12) months, we may have collected the following categories of personal data listed:
In the preceding twelve (12) months, we may have collected and processed your personal data for various business purposes, including:
In the preceding twelve (12) months, we may have shared your personal data with our affiliates, vendors, and suppliers that provide services on our behalf, and other third parties such as business partners, advertising networks, internet service providers, data analytics providers, operating systems and platforms, providers of identity verification services, regulatory bodies, and government authorities.
California’s laws grant state residents certain rights under certain circumstances in relation to their personal data:
The information may be delivered by mail or electronically. If it is provided electronically, it will be portable and in a readily usable format so you can transmit the information to another entity or person.
As part of processing your request, we will require you to provide certain personal data about you to verify your identity in accordance with CCPA requirements. This information may include your first and last name, email address, physical address, telephone number, account number, and the nature of your relationship with us.
You may also designate an authorized agent to make a request on your behalf. To comply with such a request, we will require the personal data referenced above for identification verification purposes as well as the first and last name, email address, and telephone number of your authorized agent.
Once we verify your request, we will make every attempt to respond within forty-five (45) days. If we require more time, we will inform you of the reason and the extension period in writing. If we cannot comply with your request, we will respond in writing with the reasons why.
Any disclosure will only cover the twelve (12)-month period preceding the receipt of the request.
We do not charge a fee to process or respond to your request unless there are excessive, repetitive, or manifestly unfounded requests. If we determine that your request warrants a fee, we will tell you why, in writing, along with a cost estimate before completing your request.
You may only make a personal data access request up to two (2) times in any twelve (12) month period.
If you are a California resident under the age of eighteen (18) and have registered for an account with us, you may request that we remove content or information that you have posted to our websites. This request does not ensure that we will completely remove the content or information as some of your content may have been reposted by another user.
If we make a material update, we may provide you with notice prior to the update taking effect by posting a notice on our websites or contacting you directly. We will seek your consent to these changes where required by applicable law if feasible.
In order to help reduce the risk of COVID-19 infections and keep our communities safe, all RSA employees, contingent workers, and visitors must complete a daily health survey and pass a thermal body temperature screening in order to gain access to RSA premises. The thermal vision camera measures your body temperature on an anonymous basis and RSA does not retain your body temperature. If your body temperature is equal to or above 100 degrees Fahrenheit, you will be denied entry and/or asked to leave RSA premises.
The health survey screening tool, available via an app or web portal, collects your name, email address, and certain health data you voluntarily provide. This information will be retained on your device and not shared with RSA unless you self-report that you are COVID-19 positive. In that case, the tool will notify the appropriate RSA team, and your email address will be retained for up to 30 days (subject to local laws) so RSA may contact you as it takes appropriate action to protect the health and safety of individuals at RSA physical locations. Your COVID-19 positive status will be shared with the RSA team and applicable public health authorities (as required by law). Your status will also be shared on an anonymous basis with potentially infected individuals for contact tracing purposes.
If any User believes that its copyrighted work has been copied and is accessible on the RSA websites in a way that constitutes copyright infringement, please send a notice to:
RSA Security LLC
Attn: RSA Legal
176 Middlesex Turnpike
Bedford, MA 01730
Notices must include each of the following:
RSA and its affiliates Acceptable Use Policy (“AUP”) is intended to foster responsible use of RSA’s infrastructure, networks, cloud-based offerings, systems, services, websites, facilities and products (collectively, the “RSA Infrastructure and Services”) by our customers and other users. Users consent to be bound by the terms of this AUP. RSA reserves the right to modify this AUP in its discretion at any time. Modifications will be effective when posted and users are expected to check this page from time to time to take notice of any changes we make, as they are legally binding on each User. Users’ use of the RSA websites after we make modifications constitutes acceptance of our modifications.
If RSA determines that any User has violated any portion of this AUP, RSA may terminate the User’s use of the website. RSA will suspend service for violation of the AUP on the most limited basis as RSA determines is reasonably practical under the circumstances to address the underlying violation. RSA will attempt to notify User prior to suspending service for violation of the AUP (which may be via email or any other notification). However, RSA may suspend service without notice if RSA becomes aware of a violation of this AUP or any applicable law or regulation that exposes RSA to criminal or civil liability, or that exposes RSA or any third party property to harm. Harm may include, but is not limited to, risk of having one or more IP addresses placed on blacklists. RSA may take any further action as RSA deems appropriate under the circumstances to eliminate or preclude repeat violations. RSA is not liable for any type of damages that Users or third parties may suffer resulting in whole or in part from RSA’s exercise of its rights under this AUP. This exclusion of liability does not include RSA’s liability for death or personal injury caused by its negligence, or any other liability that RSA cannot exclude or limit by law.
To learn more about the information we may process during the use of our SecurID Mobile App, click here.
To learn more about the information we may process during the use of text message-based one-time passcode (OTP) authentication, click here.
This website may contain links or frames of other websites, which may or may not be affiliated with RSA. These links and frames are available with the sole purpose of providing further benefits to users. The inclusion of these links and frames does not mean that RSA has knowledge of, agrees or is responsible for them or their content. Therefore, RSA cannot be held liable for any loss or damage suffered as a result of using such links or frames.
RSA Security LLC
Attention: Law Department – Privacy
176 Middlesex Turnpike
Bedford, MA 01730 USA
Please be aware that your request may have limitations, according to applicable law.
Effective Date: July 27, 2022.
Previous Privacy Policies:
©2022 RSA Security LLC or its affiliates. All rights reserved. RSA Conference logo, RSA and other trademarks are trademarks of RSA Security LLC or its affiliates. Other trademarks may be trademarks of their respective owners.