Webgroup Media, LLC (henceforth “WGM”, “our”, “us”, and “we”) is a commercial open source company founded in April 2001. Our developers started the Cerb project in January 2002 and have improved and maintained the software ever since. In connection with our business, we operate the cerb.ai project website, as well as Cerb Cloud, a subscription-based “software as a service” offering, on the cerb.me, cerb.cloud, and cerb.email domains.
It is our policy to respect your privacy regarding any information we may collect while operating our websites and services. We do not sell any personally identifiable information or data stored in Cerb Cloud to third parties. We do not directly share your information with third parties without explicit permission except to comply with the law or to provide necessary infrastructure in connection with the services you request; however, there is some passive risk of exposure to third-party access inherent in web-based services that is outlined in detail below. We do our best to mitigate and minimize these risks on your behalf.
- Data Protection Addendum
- What Personal Data is Collected by WGM?
- Protection of Certain Personally Identifying Information
- Security and Safeguards
- Resolving Complaints
- Business Transfers
Data Protection Addendum
If you require a signed Data Protection Addendum (DPA) for GDPR compliance, you may download ours here. This document formalizes the contract between data exporter and data importer, as well as describing the rights of data subjects. Please review the terms and return a signed copy to email@example.com.
What Personal Data is Collected by WGM?
We develop and sell Cerb, a software application (as-a-service and on-premises) for sharing team inboxes, building collaborative workspaces, managing customer relationships, and automating business workflows.
We maintain profiles on our customers and their organizations based on past interactions (e.g. email address, gender, date of birth, IP addresses, public social media photos, organizational affiliation and job title, email support history, and order history).
With Cerb Cloud, we act as a data processor for companies around the world. Due to the customizable design of Cerb, our clients (as data controllers) may store any kind of personal data about their own clients (as data subjects). Depending on the nature of our clients’ organization, or the type of email they receive (e.g. newsletters, receipts, test results), this may include sensitive personal data – race/ethnicity, political opinions, religion, health, sexuality, etc.
Aside from what processing is necessary to provide the service (e.g. web server access logs, storage, aggregate usage info), we do not directly process personal information within our clients’ databases.
Like most website operators, we collect non-personally identifying information of the sort that web browsers and servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request. Our purpose in collecting non-personally identifying information is to better understand how visitors use our website. From time to time, we may release non-personally identifying information in the aggregate; e.g., by publishing a report on trends in the usage of our software or websites.
We also collect “potentially personally identifying” information like Internet Protocol (IP) addresses for website visitors and workers. We only disclose IP addresses under the same circumstances that we use and disclose personally identifying information as described below.
We do not display third-party advertising on our websites or in our applications.
Gathering of Personally Identifying Information
Certain visitors to our websites choose to interact in ways that require us to gather personally identifying information. The amount and type of information that we gather depends on the nature of the interaction. For example, we ask workers who sign up for Cerb Cloud to provide an email address. Those who choose to engage in financial transactions with us (e.g. by purchasing products and services) are asked to provide additional information, including as necessary the personal and financial information required to process those transactions. In each case, we collect such information only insofar as is necessary or appropriate to fulfill the purpose of the visitor’s interaction. We do not disclose personally identifying information other than as described below. Visitors can always refuse to supply personally identifying information, with the caveat that it may prevent them from purchasing licenses or engaging in certain services.
We display a list of clients and testimonials on our websites. We do not disclose the names of licensed organizations, or their representatives, without explicit permission, except in the event that a client freely discloses their identity through postings on public forums or social media networks.
We may collect statistics about the behavior of visitors to our websites or users of our Cerb Cloud service. For instance, we may gather metrics about individual Cerb instances like the number of workers, addresses, conversations, messages, and attachments; the composition of file attachments, such as distributions of sizes or file types; or the amount of activity over a given time period. This information is used to improve the usability and performance of products and services provided by us, as well as to curtail abuse.
We may display this aggregate, anonymous information publicly or provide it to others. However, we do not disclose personally identifying information other than as described below.
Protection of Certain Personally Identifying Information
We disclose personally identifying information only to those of our employees, contractors and affiliated organizations that (i) need to know that information in order to process it on our behalf or to provide products and services available through our websites, and (ii) have agreed not to disclose it to others. Some of those employees, contractors, and affiliated organizations may be located outside of your home country, and by using our websites and services you consent to the transfer of such information to them.
We will not rent or sell personally identifying information to anyone. Other than to our employees, contractors and affiliated organizations, as described above, we disclose personally identifying information only in response to a subpoena, court order, or other governmental request, or when we believe in good faith that disclosure is reasonably necessary to protect our property or rights, or those of third parties, or of the public at large.
If you are a registered user of Cerb and have supplied your email address, we may occasionally send you an email to tell you about new features or to solicit your feedback. We primarily use our social network profiles to communicate this type of information, and we expect to keep email broadcasts to a minimum. If you send us a request (e.g. via a support email or one of our feedback mechanisms), we reserve the right to anonymously republish it in order to help us clarify or respond to your request, or to help us support other users. We take all measures reasonably necessary to protect against the unauthorized access, use, alteration, or destruction of potentially personally identifying information.
Security and Safeguards
We take reasonable precautions to protect your data and personally identifying information.
We do not have physical access to any of our servers or online storage mediums. See the section about “Third-Party Data Centers” for the upstream security policies of Amazon Web Services and Linode. These servers are protected within state-of-the-art data centers.
We perform 24/7/365 monitoring of our network and service infrastructure. This includes server load, process information, account access, service utilization, network activity, and logs.
Web-based communication with our servers is protected through 256-bit encryption via Secure Sockets Layer (SSL) technology when URLs are prefixed with “https://”. This feature is required and automatically enforced for all Cerb Cloud subscriptions. It is the responsibility of clients and their representatives to ensure the use of SSL elsewhere.
We do not store credit card information on our servers. For one-time transactions we do not save credit card or bank account numbers anywhere, although we do store email-based receipts that include contact information, payment type, transaction IDs, and authorization codes.
For recurring transactions, payment information is stored with vendors who adhere to the Payment Card Industry Data Security Standard (PCI DSS). We contract with FreshBooks for sending invoices and collecting payments, and they protect and encrypt financial information in accordance with regulations.
We also process credit card transactions through our merchant account at Authorize.net.
Depending on a client’s preferred payment method, these transactions may alternatively take place through other vendors like PayPal, or wire transfers to Wells Fargo Bank. We do not have access to client credit card numbers or bank account information through any of these vendors.
Our technicians securely access our servers using Secure Shell (SSH) encryption. Logins are authenticated with RSA keys rather than simple passwords. Two-factor authentication is used with vendors and services that support it. We do not provide direct client access (e.g. SSH, Telnet, FTP) to machines housing Cerb Cloud data for multiple tenants. Instances with a need for direct access are hosted on isolated private servers.
We have disabled non-secure features in our PHP environment (e.g. process control, shell command execution, remote file includes) to protect against arbitrary code execution. To protect against cross-site scripting (XSS), we “escape” all user-provided data that is displayed in a web browser. Cerb also contains security mechanisms to combat cross-site request forgery (CSRF), and other common attack vectors.
Disclosure of Security Breaches
We will notify you as soon as possible if a security breach results in the potential disclosure of any personally identifiable information or data related to your account. At the conclusion of a security investigation, we will provide you with a report about the nature of any compromised data (e.g. email addresses, worker account passwords) and the actions taken to prevent future intrusions.
Third-Party Data Centers, Cloud Computing, and Virtualization
We remotely provision, administer, and maintain servers in various data centers throughout the world and do not maintain a physical presence in any of them. Cerb Cloud, and other related services like our project website, are provided from virtual servers in cloud computing and storage environments at Amazon Web Services, Linode, and GitHub. In virtual environments, many users from various organizations share a pool of resources like computational power and storage capacity, although provisioned resources are isolated from one another to a similar degree as leased machines in a data center.
Due to the remote nature of cloud computing, authorized technicians from our vendors and service providers may have temporary access to our servers in order to perform physical maintenance and upgrades, or to provide hands-on assistance with troubleshooting issues like RAID degradation and hardware failures.
In such events we defer to upstream privacy policies:
Cerb has two main components for storing customer data: (i) the database, and (ii) the /storage/ filesystem (which contains immutable objects like email attachments). Data is distributed among many servers in our Cerb Cloud network within Amazon Web Services.
If you communicate with us, or use Cerb Cloud services provided by us, your information will be routinely copied for the express purpose of maintaining backups for continuity and disaster recovery.
Disposal of Data and Backups
Upon cancellation, we remove all live client data from the Cerb Cloud network and send a final backup to Amazon S3. We will attempt to make arrangements for this backup to be transferred to the client before permanently destroying our final copy. Without an explicit request for their immediate removal, backups may be persisted for several years.
We will comply with any written, and duly authenticated, client requests for the immediate destruction of all account data and backups.
We are subject to the jurisdiction of the Federal Trade Commission.
If you have concerns about the way WGM is handling your personal data, please let us know immediately. You may email us directly at firstname.lastname@example.org with the subject line “Privacy Shield Concerns.” We will respond within 45 days at the latest.
Dispute Resolution Process
In the unlikely event that a dispute arises between you and WGM regarding our handling of your User Personal Information, we will do our best to resolve it. If we cannot, we have selected JAMS, an independent dispute resolution provider, to handle unresolved Privacy Shield complaints. If we are unable to resolve your concerns after a good faith effort to address them, you may contact JAMS and submit a Privacy Shield claim.
JAMS is a US-based private alternative dispute resolution provider, and we have contracted with JAMS to provide an independent recourse mechanism for any of our users for privacy concerns at no cost to you. You do not need to appear in court; you may conduct this dispute resolution process via telephone or video conference. If you are not based in the EU or EEA, but you would still like to use the JAMS arbitration process to resolve your dispute, please let us know and we will provide access to you.
Under certain limited circumstances, European Union individuals may invoke binding Privacy Shield arbitration as a last resort if all other forms of dispute resolution have been unsuccessful. To learn more about this method of resolution and its availability to you, please read more about Privacy Shield.
Business Transfers
If WGM or substantially all of its assets were acquired, or in the event that we go out of business or enter bankruptcy, user information would be one of the assets that is transferred or acquired by a third party. You acknowledge that such transfers may occur, and that any acquirer of WGM may continue to use your personal information as set forth in this policy.