Socure Privacy Policy

Hello there!

Socure is committed to protecting consumer privacy, which includes the security of personal information that we hold and use. This policy covers the collection and use of information obtained through this website, which is owned and administered by Socure Inc. (“Socure” or “we”), and the personal information we collect and process at the direction of Our Customers and through their use of our services. If you have questions or complaints regarding our privacy notice or practices, please contact us. 

How and why do we have personal information? 

Socure is a business that provides a digital service to many consumer-facing businesses and companies (let’s refer to them simply as “Our Customers”). Our Customers come to Socure to verify the identify of their online applicants and related services. They provide only the personal information that is necessary for our solution to work and then we check it out. We get personal information from other sources as well in order to compare Customer-provided data against it and to create our data models. We do this work quickly and accurately so our customers can prevent fraud and so consumers can get their desired financial services. As a company, we follow all the privacy laws and we have established a comprehensive privacy program, including a global compliance and privacy officer and a chief compliance officer, to help us respect and protect the personal information of individuals.

Summary of contents and links:

• Personal Information We Receive

• How We Use Received Personal Information

• Non-Personal Information We Collect

• Access to Information

• Data Security

• Children under the age of 13

• For European individuals -- GDPR and Privacy Shield Statement

 

Personal Information We Receive

We collect personal information on consumers and businesses in a variety of ways, such as when you:

• Correspond with us by phone or email
• Request support for Socure products
• Submit consumer or business details through our website
• Use our products and services
• Engage with another business that uses our products and services 

We also collect supplemental information from other sources, including our Vendors and publicly available sources of information.

We collect personal information in the following categories: authenticating, financial, demographic, social, and device/computing personal information. The information we collect may include, without limitation, a person’s or business’ name, usernames, passwords, email addresses, phone numbers, date of birth, national ID information (such as Social Security Number, driver license information, passport information, etc.), IP addresses, employer name, geographic location (latitude and longitude), images, and other information necessary to access accounts or profiles with third-parties, including, but not limited to, social media sites.

How We Use Received Personal Information

We use the personal information received from Our Customers only in connection with the provision of products and services to Our Customers. We comply with the Privacy Policies of Our Customers, as applicable. We also use the personal information we receive from Individuals for verification purposes through our ID+ Identity Verification Solution. Our use of received personal information may include sharing the personal information with Vendors working for us to provide products or services to Our Customers, but only as necessary for the provision of those products and services. The Vendors with which we share received personal information are required to keep this information confidential and generally may not use such information for any purpose other than to help us provide requested products and services to Our Customers.

Socure takes appropriate steps to ensure that Vendors protect such personal information. Additionally, your personal information may be disclosed as required by law and when we have reason to believe that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

Socure does not sell consumer personal information, meaning we do not pass on personal information to other businesses or third parties for monetary or other valuable consideration.

In cases of onward transfer to third-parties of data of EU and Swiss individuals received pursuant to the EU–U.S. Privacy Shield and Switzerland–U.S. Privacy Shield, Socure is potentially liable. See our Privacy Shield Statement below.

Non-Personal Information We Collect

We collect information about the use of our website, about the browser type and IP address used to visit our website, and about any website from which someone may have been linked to or referred to our website, or to a site which someone may be linked to or referred to from our website. This non-personal information is aggregated for reporting on usability, performance, and effectiveness. It is used to improve the customer experience and the usability and content of our website, and of the services and products we provide.

Access to Information and Consumer Rights

Whenever we collect your personal information, we take steps to help ensure that it is accurate, complete, and up-to-date. You may request access to such personal information about yourself that Socure holds by contacting us. Additionally, if your personal information changes, or if you believe the information Socure holds is inaccurate, you may request to correct, update, amend or delete/remove inaccurate information by contacting us; except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated.

To exercise your consumer rights under laws like the California Consumer Privacy Act (which gives Californians the right to request a description or deletion of, your personal information), please contact us at 866-932-9013 or ccpa@socure.com. 

Enforcement

Socure uses a self-assessment approach to assure compliance with this privacy policy and to periodically verify the policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible and in conformity with Privacy Shield Principles. In addition to self-assessment, Socure is also subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).

We encourage interested persons, including those in the EU, to use the contact information provided with questions or concerns about their personal data. We will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of Personal Information in accordance with the Principles.

If a complaint or dispute cannot be resolved through our internal process, we agree to dispute resolution using the U.S.-based JAMS (http://www.jamsadr.com).

Finally, as a last resort and in limited situations, EU and Swiss individuals may seek redress from the Privacy Shield Panel, a binding arbitration mechanism.

In compliance with the Privacy Shield Principles, Socure commits to resolve complaints about your privacy and our collection or use of your personal information. EU and Swiss individuals with a question or concern about the use of their Personal Data should contact Socure.

Socure has further committed to refer unresolved privacy complaints to JAMS, an independent and alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact JAMS (http://www.jamsadr.com) for more information and to file a complaint. The services of JAMS are provided at no cost to you.

Information Subject to Other Policies

Socure is committed to following Privacy Shield Principles for all Personal Information within the scope of the Privacy Shield Agreement. If Socure is involved in a merger, acquisition, or sale of all or a portion of its assets, you will be notified via email and/or a prominent notice on our websites of any change in ownership or proposed uses of your personal information, as well as any choices you may have regarding your personal information.

Data Security

Socure will take responsible steps to protect information and has implemented appropriate physical, electronic, and managerial procedures to safeguard, secure and protect information from loss, misuse, unauthorized access, disclosure, alteration, destruction, and malicious or unintentional action. However, the Company cannot completely guarantee the security of Information on or transmitted via the Internet.

Certifications

Protecting our customers’ information and their users’ privacy is extremely important to us. As a SaaS company entrusted with our customers’ personally identifiable information we have set high standards for security. To ensure this security, we regularly complete: 

• Annual SOC 2 Type 2 reports
• Certification for ISO 27001 (information security management system), ISO 27017 (for implementing security controls in a cloud environment), and ISO 27018 (for protecting personal data in the cloud).
• Certification for HITRUST CRM.

In accordance with GDPR requirements, Socure will continue to adhere to established controls to protect personally identifiable information. Specifically, Socure will continue to provide security incident notifications and will continue to meet its obligations and offer contractual assurances.

Links to Non-Socure Websites

Our website may provide links to third-party websites for your convenience and information. If you access those links, you will leave our website. We do not control those websites or their privacy policies or practices, which may differ from ours. We, therefore, encourage you to review the privacy policies of companies and websites before submitting any personal information to them.

Do Not Track

Socure does not track website visitors over time and across third party websites to provide targeted advertising and therefore does not respond to Do Not Track (DNT) signals. However, some third party sites do keep track of your browsing activities when they serve you content, which enables them to tailor what they present to you. DNT is a browser setting that can prevent such tracking. If you would like to learn more, you can check out https://allaboutdnt.com/. 

CHILDREN UNDER THE AGE OF 13

Socure’s ID+ service is not intended for access or use by, and we do not knowingly collect personal information from, children under 13 years of age. If you are under 13 years of age, do not access, use or provide any information on our website, including completing the online registration process for the service, or provide any information about yourself to us, including your name, address, telephone number, email address or any other personally identifiable information. If you believe we might have any information from or about a child under 13 years of age, please contact us at: support@socure.com

Specifically for European individuals, we provide information on our privacy practices in a format that matches up with European laws and requirements.

Socure’s GDPR (General Data Protection Regulation) Statement

As required under the GDPR:

1. Identity and Contact Details of the Controller:
1. Socure, Inc., 330 Seventh Avenue, Suite 2010, New York, NY 10001
2. GDPR Issues: GDPR Compliance Team (gdpr@socure.com )
2. Purpose of processing and legal basis for processing
1. Purpose: Socure’s ID+ service uses data points such as name, physical address, phone, email address, IP address, and other information to confirm that identity being offered belongs to the person entering it, and whether that identity poses any potential fraud risk. Socure services and reports use source data aggregated from public records, general web-based information, and other commercially available data sources.
   Source data is sometimes reported or entered inaccurately, processed poorly or incorrectly, and is generally not free from defect. While Socure products and services make best efforts to validate and cross-reference data, Socure is not the source of the data, nor is it a comprehensive compilation of the data.
2. Legal Basis for Processing: Socure receives specific contractual authorization from all Customers which it receives data from.
3. Categories of Personal Data
1. Socure processes identity verification metrics such as first name, surname, email address, physical address, phone number, IP address, and geolocation, among others. Additional identity verification services may involve the following sensitive data types: date of birth, national ID/social security number (SSN), driver license number and state. Further, images of personal document types, such as driver licenses, passports, and other sensitive forms of identifying documentation may be submitted for processing.
4. Details of Transfers to Third Country and Safeguards
1. Socure only processes Customer data in the United States. All processed data is encrypted both in transit and at rest.
5. Retention Period
1. Socure Customer Data will be destroyed according to the applicable Data Classification and in accordance with any applicable contracted internal data retention period.
6. Data Subject’s Rights
1. With effect from 25 May 2018: Socure will promptly notify Customers if Socure receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, Socure will assist Customers by appropriate technical and organizational measures as required under GDPR. Customer will incur any costs arising from Socure’s provision of such assistance.
7. Withdraw Consent or Opt-Out
1. All withdrawal of consent or opt-out requests must be submitted directly to the Customer by the Consumer. Socure may inadvertently receive withdraw of consent or opt-out requests from consumers but will forward such requests to the appropriate customers.
8. Complaints
1. All Customer complaints concerning these can be sent to gdpr@socure.com. Alternatively, Socure Customers can contact their assigned Customer Success Representative.
9. Source of Personal Data
1. Socure services and reports use source data aggregated from public records, general web-based information and other commercially available data sources. Source data is sometimes reported or entered inaccurately, processed poorly or incorrectly, and is generally not free from defect. While Socure products and services make best efforts to validate and cross-reference data, Socure is not the source of the data, nor is it a comprehensive compilation of the data. Therefore, before relying on any data, Customers should insure data is independently verified.
10.  Automated Decision Making
1. Socure provides an assessment of submitted information based on internal data sources and external data sources, then responds to Customers with that assessment along with relevant findings. Socure does not provide Customer decisioning.

In addition, Socure undertakes the following measures:

Vendor Information

Socure utilizes various vendors to provide its services to customers. As such, vendor agreements (via contract or other similar legal business document) control and define how vendor information is utilized and processed. Agreements include requirements for sufficient technological and business controls to meet acceptable security and privacy standards for the provided service(s).

Third-Party Violations and Breaches

Socure adheres to these controls to ensure that appropriate legal and technical controls are in place to buffer Socure from privacy violations on behalf of a customer, a data vendor, a service provider, or other person, organization or entity. In case of a third-party breach or privacy violation outside of Socure systems, Socure will follow internal policy and procedures for Security Incidents.

Data Destruction

Socure has established a comprehensive Data Retention policy and Data Destruction procedures which all Socure employees must adhere to in handling Customer or Consumer Information. All requests for data destruction from customers and consumers will be performed in accordance with all applicable policies, regulations, certifications, and contractual obligations.

Opt-In

All data sent to or received by from Socure is data acquired via opt-in acceptance. That is, all Socure customers must provide opt-in acceptance for consumers which Socure provides identity verification processing services to.

Services that would require the use of data without opt-in specifications or controls must be disclosed to customers concerning the data privacy and provenance to reasonable ability.

EU–U.S. Privacy Shield and Switzerland–U.S. Privacy Shield Privacy Statement

Socure complies with the EU–U.S. Privacy Shield Framework and the Switzerland–U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. Socure has certified that it adheres to the Privacy Shield Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement. To learn more about the Privacy Shield program, and to view Socure's certification, please visit http://www.privacyshield.gov.

A full list of Privacy Shield participants and their assigned dispute providers can be found on the Department of Commerce website at: https://www.privacyshield.gov/list

Socure's Privacy Shield Policy, detailing additional specifics from Privacy Shield Principles in conjunction with this privacy policy, can be found here: http://www.socure.com/privacyshield.html

Questions or complaints regarding Socure’s compliance with the Privacy Shield Principles should be first directed to Socure via one of the methods listed in the Contact Us section. Socure has further committed to refer unresolved Privacy Shield complaints to JAMS (http://www.jamsadr.com), an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit JAMS for more information or to file a complaint. The services of JAMS are provided at no cost to you. EU and Swiss citizens can also, after contacting both Socure and JAMS for dispute resolution resulting in no acknowledged outcome, enter into binding arbitration to resolve a specific, individual complaint.

Acceptance of Privacy Policy

By using our website, you are accepting and agreeing to all of the privacy policies and practices described in this Privacy Policy.

Changes to This Privacy Policy

This privacy policy may be amended from time to time consistent with the requirements for Privacy Shield. We will post any revised policy on this website.

Last revision:  December 2019

Contacting Us

If you have any comments or questions about this Privacy Policy, please send them to support@socure.com or call (866) 932-9013. We aim to respond to all queries within 30 days.

Click here for Socure's Opt-Out policy.