- Click to select...
Personal Data Protection Policy
As a business and an employer, it is necessary for Entrust to collect, store, and process personally identifiable information (PII) about our employees, contingent workers, customers, suppliers and other third parties with whom we engage to provide products or services on our behalf.
To learn more about how we comply with applicable laws governing data protection, you can review our Global Personal Data Protection Policy. This policy is available for download in Chinese, English, French, German, Japanese, Portuguese, and Spanish. If you have any question about Entrust’s Personal Data Protection Policy, please contact [email protected].
Web Privacy Statement
Entrust values and respects your privacy. We believe you should understand how data you share with us is used and protected when you visit our websites. For details, please review our Web Privacy Statement.
The Web Privacy Statement is available for download in Chinese, English, French, German, and Spanish. If you have any questions about Entrust’s Web Privacy Statement, please contact [email protected].
Data Protection Officer (DPO)
If you have questions about Entrust’s Privacy Information Management System, please contact:
Attention: Jenny Carmichael, VP of Compliance
1187 Park Place
Shakopee, MN 55379
Data Processing Addenda (DPAs)
At Entrust, we make it simple for our customers, vendors, and partners to sign and submit our Data Processing Agreement (DPA). Our DPA helps us to meet ongoing requirements under the GDPR and other applicable data privacy legislation.
The Customer DPA is for engagements where Entrust will be acting as a processor for a Customer that will be purchasing, accessing, and/or licensing Entrust products, services and/or platforms.
The Partner DPA is for engagements where Entrust will be acting as a processor and controller for a third party entering into partnership with Entrust for product supply, evaluation, and training.
The Vendor DPA is for engagements where Entrust will be acting as the controller for a third party supplier from whom Entrust will purchase, have access to, and/or license vendor products, services and/or platforms.
Entrust’s DPAs are pre-signed. You may enter into a DPA with Entrust by following these instructions:
- Download the DPA you wish to enter into;
- Complete and sign the information block with your entity’s full legal name, the signer’s position, the entity’s address, and signatory information; and
- Submit the completed and signed DPA to Entrust via email to [email protected]
If you have any questions about the DPA, please see our FAQs.
In light of the Schrems II ruling of the Court of Justice for the European Union and the recommendations from the European Data Protection Board, Entrust has drafted the following documents to help our customers conduct data transfer impact assessments in connection with their use of Entrust products.
The white paper describes the legal regimes applicable to Entrust in the United States, the safeguards Entrust puts in place regarding transfers of customer personal data from the European Economic Area (EEA), and Entrust’s ability to comply with its obligations as a data importer under the Standard Contractual Clauses (SCCs). Entrust’s Response to Government Requests for Customer Data informs Entrust customers of the steps Entrust will follow in the event we receive such a request.
Data Subject Request (DSR) Form
To submit a Data Subject Request, please use our online form or use one of the other methods described below.
Depending upon the applicable data protection law in your country of residency, and in some cases, your state or province of residence, you may have the right to ask us for information about our processing activities with respect to your personal data, including for information relating to personal data about you that we control and process; to correct, delete, or restrict any active processing of your personal data; and to obtain a copy of your personal data.
Additionally, you may have the right to object to the processing of your personal data in some circumstances. Your right to object to processing of your personal data may be limited in certain circumstances.
We may need to request additional information from you to verify your identity or understand the scope of your request, although you will not be required to create an account with us to submit a request or have it fulfilled. Likewise, if you engage an agent to make the request on your behalf, we may need additional information to verify your agent’s identity and authority to make such a request on your behalf.
If we have collected and processed your personal data on the basis of your consent, then you can withdraw your consent at any time by contacting [email protected].
If you would like to submit a Data Subject Request, please use the link to the DSR form below. If you would like to make your request via telephone, or if special accommodations are required, please leave a message at 1-888-563-9240 and our privacy team will promptly be in touch. If you would like to make your request via email, please send your email to [email protected] with the subject line “Data Subject Request” and clearly state the request(s) you’d like to make.
To opt out of receiving marketing communications from Entrust, please click here.
For more information about our procedure for responding to your request to access your personal data, please view Entrust’s Data Subject Request Procedure.
California Privacy Rights
California residents have certain rights with respect to personal information collected by businesses. If you are a California resident, you may exercise the following rights regarding your personal information, subject to certain exceptions and limitations:
- The right to know the categories and specific pieces of personal information we collect, use, disclose, and sell about you; the categories of sources from which we collected personal information about you; our purposes for collecting or selling personal information about you; the categories of personal information about you that we have either sold or disclosed for a business purpose; and the categories of third parties with which we have shared personal information.
- The right to request that we delete the personal information we have collected from you.
- The right to opt out of our sale(s) of your personal information.
- The right not to receive discriminatory treatment for the exercise of the privacy rights conferred by the CCPA.
If you would like to submit a Data Subject Request, please use the link to the DSR form below. If you would like to make a data deletion or access request via telephone, or if special accommodations are required, please leave a message at 1-888-563-9240 and our privacy team will promptly be in touch.
Note that we may need to request additional information from you to verify your identity or understand the scope of your request, although you will not be required to create an account with us to submit a request or have it fulfilled. We will require you to provide, at a minimum full name and email address.
You may designate an authorized agent to make a CCPA request on your behalf by completing this form. We may still require you to provide, at a minimum, full name and email address.
At Entrust, we make it simple for our IDaaS customers to sign and submit our Business Associate Agreement (BAA). Our BAA helps us to meet ongoing requirements under the Health Insurance Portability and Accountability Act (HIPAA).
Entrust’s BAA is pre-signed. You may enter into a BAA with Entrust by following these instructions:
- Download the BAA;
- Complete and sign the form fields; and
- Submit the completed and signed BAA to Entrust via email to [email protected].
If you have any questions about the BAA, please see our FAQs.
Data Privacy FAQs
Please find below answers to commonly asked questions about Entrust’s data privacy program. Additional information can be found under the Data Privacy tab in the Legal & Compliance section of www.entrust.com.
Privacy Laws and Regulations
With global operations and customers located around the world, Entrust continually evaluates its program against current and emerging data privacy regulations. While we monitor all applicable global data privacy laws, Entrust’s program is built around compliance with the EU General Data Protection Regulation (GDPR) to ensure we comply with the most stringent set of data privacy requirements regardless of where we are processing personal data. To comply with the GDPR and other applicable data privacy regulations, Entrust does the following:
- Oversees global company policies and notices around data protection;
- Completes impact assessments for higher risk personal data processing;
- Utilizes appropriate data transfer mechanisms for cross-border transfers of personal data;
- Regularly trains colleagues on data privacy requirements;
- Periodically conducts internal audits of data protection policies and procedures;
- Investigates, remediates and provides appropriate notice to data subjects and/or regulators in the event of a security incident;
- Holds sub-processors to the same data management, security, and privacy practices and standards to which Entrust holds itself;
- Responds to data subject requests and assists customers in responding to these requests as needed;
- Ensures our products and services include adequate and appropriate technical safeguards and security controls;
- Incorporates data privacy considerations at the outset of product design and enhancement.
You can find more detail in our Global Personal Data Protection Policy.
Are Entrust products compliant with HIPAA?
To date, Entrust has only formally evaluated IDaaS against HIPAA requirements. This product may be used to process protected health information (PHI) (e.g., for use authenticating patients in patient portals). To enter into a BAA with Entrust for this particular use case, visit the Data Privacy page and select the “HIPAA-Covered Services” tab.
Cross-Border Transfers of Personal Data
How does Entrust handle personal data transfers outside the European Economic Area (EEA)?
Under the GDPR, Entrust may transfer personal data to countries outside the EEA where there is an adequate level of protection in that country or where Entrust has put appropriate measures in place to ensure data protection. Companies within the Entrust group (i.e., all corporate entities and subsidiaries) must enter into Entrust’s Intra-Group Data Transfer Agreement in order to ensure appropriate safeguards for the transfer of personal data outside the EEA, but within the Entrust group. Third party vendors who process personal data for or on behalf of Entrust (regardless of whether Entrust is acting as a data controller or data processor) must enter into a Data Processing Addendum (DPA) with Entrust to ensure appropriate safeguards for the transfer of personal data outside the EEA. The DPA contains language to ensure the third party has appropriate technical and organizational measures in place to comply with the GDPR and to ensure the protection of data subject rights and includes the most current version of the European Commission’s standard contractual clauses (SCCs).
To access Entrust’s standard DPA templates, visit the Data Privacy page and select the “Data Processing Agreements (DPAs)” tab.
How has Entrust responded to the Schrems II ruling?
On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield framework, but upheld the validity of the SCCs as a cross-border transfer mechanism for personal data leaving the EEA. While the SCCs remain valid, organizations that currently rely on them must consider whether, with regard to the nature of the personal data, the purpose and context of the processing, and the country of destination, there is an “adequate level of protection” for the personal data as required by European Union (EU) law. Where that is not the case, organizations should consider what additional safeguards may be implemented to ensure there is an “adequate level of protection.
Entrust has never relied on the EU-US Privacy Shield framework and has always relied on the SCCs to transfer personal data outside of the EEA. Our standard DPA templates include the most recent version of the SCCs which went into effect on June 27, 2021. Entrust is currently working on a resource for customers to assist them in performing a Transfer Risk Assessment (TRA) for personal data transfers to locations outside of the EEA and without an adequacy determination, a requirement under Schrems II and the new SCCs.
How does Entrust respond to law enforcement requests for customer personal data?
To date, Entrust has never received a request from law enforcement for customer personal data. While Entrust will comply with mandatory, legal requests for information, we are also committed to complying with data privacy laws. As such, we will take appropriate measures to ensure that affected customers are notified as soon as possible, and we will disclose the minimum amount necessary to satisfy the requirements of the order. For customers with specific information about the potential reach of U.S. law enforcement under FISA, E.O. 12.333 or the ECPA to their personal data processed by Entrust, please contact [email protected].
Personal Data Processing
Is Entrust a data processor or a data controller?
Entrust acts as both a data processor and a data controller with respect to customer personal data. When customers use Entrust services and products that process customer personal data, Entrust acts as a data processor. When Entrust processes customer personal data and determines the purpose and means of processing with respect to that data (e.g., customer account information, customer service and support ticketing information) Entrust acts as a data controller.
How do I know if Entrust processes my personal data?
To review specifics related to navigation across our websites, please visit our Web Privacy Statement.
To review specifics related to our products and services, please visit our Product Privacy Notices.
Does Entrust use any sub-processors to process my personal data?
You can find an accurate and detailed list of Entrust’s sub-processors broken down by product here.
How do I execute a DPA with Entrust?
Entrust makes it simple for our customers, vendors, and partners to sign and submit our DPA by making available pre-signed DPAs through a self-service platform accessible by customers and vendors. We strongly recommend proceeding with our standard DPAs as they have been carefully crafted and reviewed by internal and external privacy counsel and are designed specifically to address Entrust’s business. The deviations that we will be able to make to our standard DPAs are extremely limited; however, we hope that you will find our DPAs thoughtful, thorough, and fair.
The Customer DPA is for engagements where Entrust will be acting as the data processor for a Customer purchasing, accessing, and/or licensing Entrust products or services.
The Vendor DPA is for engagements where Entrust will be acting as the data controller and purchasing, accessing and/or licensing products or services from a third party who will act as a data processor.
How does Entrust secure my personal data?
When processing personal data, Entrust takes adequate measures to ensure personal data remains secure and protected against unauthorized or unlawful processing, accidental loss, destruction or damage. Entrust does this by maintaining an ISO 27001-certified security program.
ISO 27001 is one of the most widely recognized and internationally accepted information security standards. It identifies requirements for a comprehensive Information Security Management System (ISMS), and defines how organizations should manage and handle information in a secure manner, including appropriate security controls.
Our entire organization is certified to ISO 27001:2015. In order to achieve the certification, Entrust's compliance program was validated by an independent audit firm after demonstrating an ongoing and systematic approach to managing and protecting company and customer data. This certification guarantees that Entrust meets an exacting framework of policies and procedures that includes legal, physical and technical controls involved in the organization’s risk management system.
To learn more about our ISO 27001 certification, please click here.
Additionally, where Entrust engages third parties to process personal data on its behalf, such parties do so based on written instructions, are under a duty of confidentiality and are obligated to implement appropriate technical and organizational measures to protect personal data on par with the ISO 27001 requirements.
How does Entrust ensure its employees have proper privacy education and training?
Entrust provides colleagues with data privacy training at the time of onboarding and annually thereafter through online Code of Ethics and Information Security Awareness trainings. More targeted training and communication on data privacy topics is delivered as needed throughout the year. Entrust also maintains a robust data privacy page with resources and information available to all colleagues.
How would Entrust respond to a data breach or security incident?
Entrust makes every effort to ensure personal data remains protected; however, in the unlikely event of a security breach or security incident involving personal data, Entrust has a detailed security incident response plan that will be activated to ensure swift action is taken, including appropriate remediation and notification to affected data subjects and regulators as required by law.
How does Entrust handle data subject requests?
Entrust respects the rights of individual data subjects to request access to and/or correction and deletion of their personal data processed by Entrust. To submit a data subject request, we ask that you complete our DSR form to ensure we have all of the information required to appropriately investigate and respond to your request. Alternatively, you may call 1-888-563-9240 to submit your request.
Note that we may need to request additional information from you to verify your identity or understand the scope of your request, although you will not be required to create an account with us to submit a request or have it fulfilled. We will require you to provide, at a minimum, full name and email address.
If you live in California, you may designate an authorized agent to make a request on your behalf by completing this form. We may still require you to provide, at a minimum, full name and email address.
For more information, please review Entrust’s DSR Procedure.
Contacts and Resources
Does Entrust have a Data Protection Officer (DPO)?
If you have questions about Entrust’s privacy program, please contact:
Attention: Jenny Carmichael, Compliance Director
1187 Park Place
Shakopee, MN 55379
How can I stay up to date on Entrust’s privacy program?
The best place to find accurate and current information about our program is to visit the Data Privacy section of www.entrust.com. To share thoughts or feedback related to our program, please email [email protected]. Additional important links:
With global operations and customers located around the world, Entrust continually evaluates its program against current and emerging data privacy regulations. Taking our commitment to protecting personal data one step further, Entrust is ISO 27701 certified.
ISO 27701 is the first global privacy standard that focuses on the protection of personally identifiable information (PII). ISO 27701 extends the requirements of ISO 27001 to include data privacy, and provides a framework for implementing, maintaining, and continuously improving a Privacy Information Management System (PIMS). While there is not a specific EU GDPR certification, ISO 27701 clauses directly map to GDPR articles and also take into account other national and regional data protection laws.
In order to achieve the certification, Entrust's compliance was validated by an independent audit firm after demonstrating an ongoing and systematic approach to managing and protecting company and customer data. Entrust will continue to be audited annually to ensure ongoing compliance.
Please find our ISO 27701 certificate below.