Privacy Policy

Effective Date: January 1, 2024 | Last Updated: January 1, 2024

1. SCOPE AND APPLICATION

This Privacy Policy applies to all information collected through:

• The Endpoint Solutions MDM/DLP platform and all associated services
• The Endpoint Agent software installed on managed devices
• Our website located at endpoint.solutions
• Any mobile applications we provide
• Email, text, and other electronic communications
• Interactions with our customer support and sales teams
• Third-party integrations authorized by your organization

This Privacy Policy does NOT apply to information collected by third parties, including any websites, services, or applications that may link to or be accessible from our services.

2. INFORMATION WE COLLECT

2.1 Device Information

When the Endpoint Agent is installed on a device, we automatically collect:

• Hardware Information: Device model, manufacturer, processor type, memory capacity, storage capacity, battery status, hardware UUID, serial numbers, IMEI/MEID
• Software Information: Operating system version, installed applications and their versions, running processes, system configurations, firewall status, encryption status
• Network Information: IP addresses (both local and public), MAC addresses, network adapter information, WiFi SSIDs, VPN configurations, proxy settings
• Security Information: Antivirus status, patch levels, security certificates, compliance status, jailbreak/root detection
• Location Information: GPS coordinates, WiFi triangulation data, IP-based location (when authorized by your organization)

2.2 User Activity Information

Depending on your organization's configuration, we may collect:

• Screen Captures: Periodic screenshots of device screens during designated work hours
• Application Usage: Active window titles, application focus time, idle time, productivity metrics
• File Activity: File access logs, modification timestamps, file transfers, USB device connections
• Web Activity: URLs visited, browser history (if configured), download logs
• Communication Metadata: Email domains contacted, messaging application usage (not content)
• Keystroke Dynamics: Typing patterns for anomaly detection (not actual keystrokes)

2.3 Data Loss Prevention (DLP) Information

Our DLP engine analyzes and collects:

• Content Classification: Detection of sensitive data patterns (SSN, credit cards, PII, PHI, proprietary information)
• Data Movement: File copying, sharing, uploading, emailing of classified content
• OCR Processing: Text extracted from images and documents for classification
• Clipboard Monitoring: Detection of sensitive data in clipboard operations
• Print Activity: Document printing logs and destinations

2.4 Organization Account Information

We collect information from authorized administrators including:

• Company name, address, industry, size
• Administrator names, email addresses, phone numbers, job titles
• Billing information, payment methods, transaction history
• Service configuration, policies, rules, and preferences
• Support tickets, communications, feedback

3. HOW WE USE INFORMATION

We use the collected information for the following purposes:

3.1 Service Provision

• Providing MDM, DLP, and EDR functionality as configured by your organization
• Enforcing security policies and compliance requirements
• Detecting and preventing data breaches and security incidents
• Generating compliance reports and audit logs
• Enabling remote device management capabilities

3.2 Security and Compliance

• Identifying and responding to security threats
• Investigating policy violations and anomalous behavior
• Meeting regulatory compliance requirements (GDPR, CCPA, HIPAA, etc.)
• Conducting security audits and assessments
• Preventing unauthorized access and data exfiltration

3.3 Service Improvement

• Analyzing usage patterns to improve our services
• Developing new features and capabilities
• Optimizing performance and reliability
• Training machine learning models for threat detection
• Conducting research and development

4. INFORMATION SHARING AND DISCLOSURE

We do not sell, rent, or trade your information. We may share information in the following circumstances:

4.1 With Your Organization

All information collected from devices enrolled in your organization's Endpoint Solutions deployment is owned by and accessible to your organization's authorized administrators.

4.2 Service Providers

We may share information with third-party service providers who assist us in:

• Cloud infrastructure and hosting (AWS, Azure, Google Cloud)
• Data storage and backup services
• Analytics and monitoring services
• Customer support platforms
• Payment processing

All service providers are contractually obligated to maintain confidentiality and security of the information.

4.3 Legal Requirements

We may disclose information if required to do so by law or in response to valid legal process, including:

• Court orders, subpoenas, or other legal demands
• Government or regulatory investigations
• National security or law enforcement requirements
• To protect our rights, property, or safety
• To investigate potential violations of our Terms of Service

4.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, or other sale of all or a portion of our assets, information may be transferred as part of that transaction.

5. DATA RETENTION

We retain information for different periods depending on the type:

• Active Device Data: Retained for the duration of the device enrollment plus 90 days
• Security Incident Data: Retained for 7 years for compliance and legal purposes
• Screenshot Data: Retained for 30-90 days based on organization configuration
• Audit Logs: Retained for 3 years or as required by applicable regulations
• Backup Data: Retained for 1 year after service termination

Your organization may request different retention periods subject to legal and contractual requirements.

6. DATA SECURITY

We implement comprehensive security measures including:

• Encryption: AES-256 encryption at rest, TLS 1.3 in transit
• Access Controls: Role-based access control, multi-factor authentication, privileged access management
• Infrastructure Security: SOC 2 Type II certified data centers, network segmentation, DDoS protection
• Monitoring: 24/7 security monitoring, intrusion detection, anomaly detection
• Compliance: ISO 27001, SOC 2 Type II, GDPR compliant infrastructure
• Incident Response: Dedicated security team, incident response procedures, breach notification protocols

7. INTERNATIONAL DATA TRANSFERS

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws different from your country.

We ensure appropriate safeguards are in place for international transfers including:

• Standard Contractual Clauses approved by the European Commission
• Privacy Shield certification (where applicable)
• Binding Corporate Rules for intra-group transfers
• Adequacy decisions by relevant data protection authorities

8. YOUR RIGHTS AND CHOICES

8.1 For Individuals in the European Economic Area (EEA)

Under GDPR, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your data (subject to legal obligations)
• Restriction: Request restriction of processing
• Portability: Receive your data in a structured format
• Object: Object to certain processing activities
• Withdraw Consent: Where processing is based on consent

8.2 For California Residents

Under CCPA, you have the right to:

• Know what personal information we collect, use, and share
• Request deletion of your personal information
• Opt-out of the sale of personal information (we do not sell personal information)
• Non-discrimination for exercising your rights

8.3 Exercising Your Rights

To exercise any of these rights, please contact your organization's administrator or email us at privacy@endpoint.solutions. We may need to verify your identity before processing your request.

9. CHILDREN'S PRIVACY

Our services are not directed to individuals under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete such information.

10. COOKIES AND TRACKING TECHNOLOGIES

We use various tracking technologies including:

• Essential Cookies: Required for service functionality
• Analytics Cookies: To understand usage patterns
• Performance Cookies: To improve service performance
• Security Cookies: To detect and prevent security threats

You can control cookies through your browser settings, though disabling cookies may impact service functionality.

11. THIRD-PARTY INTEGRATIONS

Our platform may integrate with third-party services including:

• SIEM platforms (Splunk, QRadar, Sentinel)
• Identity providers (Okta, Azure AD, Google Workspace)
• Ticketing systems (ServiceNow, Jira)
• Cloud storage providers (Box, Dropbox, OneDrive)

These integrations are subject to the third party's privacy policies. We are not responsible for the privacy practices of these third parties.

12. AUTOMATED DECISION-MAKING

We use automated systems for:

• Threat detection and risk scoring
• Anomaly detection in user behavior
• Data classification and DLP policy enforcement
• Compliance violation detection

Significant decisions affecting individuals are subject to human review upon request.

13. PRIVACY POLICY UPDATES

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Posting the new Privacy Policy on our website
• Updating the "Last Updated" date
• Sending email notification to organization administrators
• Providing in-app notifications where appropriate

Continued use of our services after changes constitutes acceptance of the updated Privacy Policy.

14. LEGAL BASIS FOR PROCESSING

We process personal information based on:

• Contract: To fulfill our contractual obligations to your organization
• Legitimate Interests: For security, fraud prevention, and service improvement
• Legal Obligation: To comply with applicable laws and regulations
• Consent: Where explicitly provided by you or your organization
• Vital Interests: To protect against imminent harm or security threats

15. DATA PROTECTION OFFICER

We have appointed a Data Protection Officer (DPO) who can be contacted at:

Data Protection Officer
Endpoint Solutions, Inc.
Email: dpo@endpoint.solutions
Phone: Available to enterprise customers via support portal
Address: 100 Enterprise Way, Suite 500
San Francisco, CA 94105

16. JURISDICTION-SPECIFIC PROVISIONS

16.1 European Union

EU residents may lodge complaints with their local supervisory authority. Our lead supervisory authority is the Irish Data Protection Commission.

16.2 United Kingdom

UK residents may lodge complaints with the Information Commissioner's Office (ICO).

16.3 Canada

Canadian residents have rights under PIPEDA and applicable provincial laws.

16.4 Australia

Australian residents have rights under the Privacy Act 1988 and Australian Privacy Principles.

17. CONTACT INFORMATION

For questions about this Privacy Policy or our privacy practices, contact us at: