Privacy Program and Certified Practices
Privacy Program: Janrain has implemented a privacy program as a framework to help us maintain compliance with the laws applicable to our business and to meet our privacy-related contractual commitments. The program also is aimed at building and retaining the trust of our customers, website users, employees, and partners based on respect for their privacy concerns and our protection of information with reasonable security safeguards.
Contractual Protections: Our contracts include confidentiality provisions that prohibit us from disclosing customer confidential information, including customer data, except under certain circumstances, such as when required by law. We also agree to restrict our access to customer data to the extent necessary to provide our services and in connection with a customer support issue or where required by law. We require all of our employees and contractors to sign confidentiality agreements to protect customer information, including hosted personal data.
Privacy Statement: Our privacy statement describes our practices regarding the personal information we collect on and through our websites which link to the privacy statement. Our privacy statement also describes – under the heading “Customer Data” – our role and practices in connection with personal information we may host on behalf of our customers.
Privacy Shield: Janrain participates in the EU-US Privacy Shield Framework regarding the collection, use, and retention of personal data from European Union member countries. We have certified with the Department of Commerce that we adhere to the Privacy Shield Principles. TRUSTe has certified our privacy practices against the Privacy Shield Principles and the TRUSTe privacy certification program standards.
Janrain’s General Counsel and VP of Privacy is responsible for Janrain’s privacy program, including compliance with applicable privacy and data-protection laws. Janrain has a cross-functional team, including company officers, with responsibility for security matters and a standing Information Security Management Committee which oversees its ISO 27001:2013-based security program. Additionally, all Janrain personnel are required to follow Janrain’s confidentiality, privacy, and information security policies.
Training and Awareness
Janrain provides training about confidentiality, privacy, and information security for all new employees as part of its new hire onboarding training. We communicate with all personnel about privacy and information security awareness through regular newsletters. We also address privacy topics of interest to our customers in company blog posts and special customer communications.
Individuals may submit personal data to our customers through the use of the website registration and login services we provide to our customers. This personal data is submitted with notice to, and the consent of, the individual user via identity providers’ permission screens, or voluntarily provided by the user at registration. In addition, email opt-out/opt-in options are configurable as part of our user registration flows.
FICAM: Janrain leverages identity providers (IDPs) who support the Provider Authentication Policy Extension (PAPE) to offer turnkey authentication that is compliant with the Federal Identity, Credential, and Access Management (FICAM) framework of the Federal Chief Information Officers Council.
- Supported IDPs: Google, PayPal, and VeriSign.
- When FICAM support is requested by a website at user login, all API calls to IDPs request that FICAM policies be applied to the authentication and to the returned user data.
- User data can be filtered to remove personally identifiable information stored in the user’s social or commerce identity before completing the authentication transaction.
HIPAA: Authentication with IDPs that support PAPE and FICAM also acts as an enabling technology for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), because personally identifiable information (PII) is filtered out as described above. OAuth 2.0 data access scoping further protects PII by restricting unauthorized persons' access to particular data fields. Data is encrypted in transit, and customers may order encryption of data at rest.
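As an added illustration of the two mechanisms described above, scope-based restriction of which profile fields a client may read and filtering PII out of the data an IDP returns before the authentication completes, the following example applies both to a returned identity profile. It is example code written for this page, not Janrain's implementation or API; the scope names, the scope-to-field mapping, the set of fields treated as PII, and the sample profile are all assumed and constructed here.

```python
"""Scope-based field release and PII filtering for an IDP-returned profile.

Example code for this page (not Janrain's code). The scope names, field
names and sample profile below are constructed assumptions.
"""
from __future__ import annotations

from typing import Any, Iterable

# Assumed mapping from OAuth 2.0 scope to the profile fields it unlocks.
# Any field not reachable through a granted scope is denied by default.
SCOPE_FIELDS: dict[str, frozenset[str]] = {
    "openid": frozenset({"sub"}),
    "profile": frozenset({"displayName", "preferredUsername"}),
    "email": frozenset({"email"}),
    "address": frozenset({"address"}),
    "phone": frozenset({"phoneNumber"}),
}

# Fields treated as personally identifiable for a minimal release. The
# pseudonymous identifier "sub" is kept so the account can still be linked.
PII_FIELDS: frozenset[str] = frozenset(
    {"displayName", "preferredUsername", "email", "address", "phoneNumber"}
)

# Constructed sample of what an IDP might return. "ssn_last4" stands in for
# an unexpected field that no scope covers and must therefore never pass.
SAMPLE_PROFILE: dict[str, Any] = {
    "sub": "idp-user-8f3a",
    "displayName": "Ada Example",
    "preferredUsername": "ada",
    "email": "ada@example.invalid",
    "phoneNumber": "+1-555-0100",
    "address": {"locality": "Portland", "country": "US"},
    "ssn_last4": "1234",
}


def allowed_fields(granted_scopes: Iterable[str]) -> frozenset[str]:
    """Union of the fields unlocked by the granted scopes.

    Unknown or misspelled scopes unlock nothing, so a typo in a scope
    request fails closed rather than open.
    """
    allowed: set[str] = set()
    for scope in granted_scopes:
        allowed |= SCOPE_FIELDS.get(scope, frozenset())
    return frozenset(allowed)


def filter_profile(
    profile: dict[str, Any],
    granted_scopes: Iterable[str],
    strip_pii: bool = False,
) -> tuple[dict[str, Any], list[str]]:
    """Return (released_fields, dropped_field_names).

    Only fields covered by a granted scope are released. With strip_pii=True
    (the minimal-release case), fields in PII_FIELDS are removed as well,
    even if a scope would otherwise unlock them. The dropped names are
    returned so the caller can write them to an audit log without ever
    logging the dropped values themselves.
    """
    keep = allowed_fields(granted_scopes)
    if strip_pii:
        keep = keep - PII_FIELDS
    released = {k: v for k, v in profile.items() if k in keep}
    dropped = sorted(k for k in profile if k not in keep)
    return released, dropped


if __name__ == "__main__":
    # A client granted only "openid" and "email" sees exactly those fields.
    released, dropped = filter_profile(SAMPLE_PROFILE, ["openid", "email"])
    print("released:", released)
    print("dropped (names only):", dropped)

    # A minimal release keeps only the pseudonymous identifier, regardless
    # of how broad the granted scopes are.
    released, dropped = filter_profile(
        SAMPLE_PROFILE, SCOPE_FIELDS.keys(), strip_pii=True
    )
    print("minimal release:", released)
```

Two design points carry over to any real implementation: the filter is an allow-list keyed on granted scopes, so an unexpected field returned by the IDP (here `ssn_last4`) is dropped even though nobody thought to block it; and the audit record lists the names of dropped fields but never their values, so the log itself does not become a second copy of the PII.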
COPPA: To facilitate COPPA compliance by a customer, Janrain offers a specialized version of its registration solution for child registration, which includes a workflow that eliminates the collection of personally identifiable information for users under 13 years of age.