Webgroup Media, LLC (henceforth “WGM”, “our”, “us”, and “we”) is a commercial open source software company founded in April 2001. We develop, license, and provide support for Cerb – a web-based platform for teamwork and workflow automation.
It is our policy to respect your privacy regarding any information we may collect while operating our websites and services. We do not sell any personally identifiable information or data stored in Cerb Cloud to third parties. We do not directly share your information with third parties without explicit permission except to comply with the law or to provide necessary infrastructure in connection with the services you request; however, there is some passive risk of exposure to third-party access inherent in web-based services that is outlined in detail below. We do our best to mitigate and minimize these risks on your behalf.
- Privacy Shield
- What Personal Data We Collect
- Your Personal Data Rights
- Why and To Whom We Disclose Personal Data
- Your Privacy Choices
- Security and Safeguards
- Business Transfers
Webgroup Media, LLC (WGM) complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States.
We are subject to the investigatory and enforcement powers of the United States Federal Trade Commission (FTC).
Resolving Privacy Complaints
In compliance with the Privacy Shield Principles, WGM commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact us at: firstname.lastname@example.org
WGM has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit https://www.jamsadr.com/eu-us-privacy-shield for more information or to file a complaint. The services of JAMS are provided at no cost to you.
Under certain limited circumstances, European Union individuals may invoke binding Privacy Shield arbitration as a last resort if all other forms of dispute resolution have been unsuccessful. To learn more about this method of resolution and its availability to you, please read more about Privacy Shield.
Liability For Onward Transfers
Where WGM has transferred personal information of EU or Swiss residents to third parties, WGM shall be liable if those third parties do not process personal information in compliance with the Privacy Shield Principles. This shall not be the case where WGM establishes that it is not responsible for the damage caused by the third party.
Data Protection Addendum
If you require a signed Data Protection Addendum (DPA) for GDPR compliance, you may download ours here. This document formalizes the contract between data exporter and data importer, as well as describing the rights of data subjects. Please review the terms and return a signed copy to email@example.com.
What Personal Data We Collect
In connection with our business, we operate the cerb.ai project website, as well as Cerb Cloud, a subscription-based “software as a service” offering, on the
We develop and sell Cerb, a software application (as-a-service and on-premises) for sharing team inboxes, building collaborative workspaces, managing customer relationships, and automating business workflows.
We maintain profiles on our customers and their organizations based on past interactions (e.g. email address, gender, date of birth, IP addresses, public social media photos, organizational affiliation and job title, email support history, and order history).
With Cerb Cloud, we act as a data processor for companies around the world. Due to the customizable design of Cerb, our clients (as data controllers) may store any kind of personal data about their own clients (as data subjects). Depending on the nature of our clients’ organization, or the type of email they receive (e.g. newsletters, receipts, test results), this may include sensitive personal data – race/ethnicity, political opinions, religion, health, sexuality, etc.
Aside from what processing is necessary to provide the service (e.g. web server access logs, storage, aggregate usage info), we do not directly process personal information within our clients’ databases.
A cookie is a string of information that a website stores on a visitor’s computer, and that the visitor’s browser provides to the website each time the visitor returns.
Web-based software applications like Cerb require cookies to be enabled, although their use is limited to identifying distinct user sessions.
Non-personally identifying information
Like most website operators, we collect non-personally identifying information of the sort that web browsers and servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request.
Our purpose in collecting non-personally identifying information is to better understand how visitors use our websites and web-based applications.
Potentially personally identifying information
We also collect “potentially personally identifying” information like Internet Protocol (IP) addresses for website visitors. We only disclose IP addresses under the same circumstances that we use and disclose personally identifying information as described below.
Personally identifying information
Certain visitors to our websites choose to interact in ways that require us to gather personally identifying information. The amount and type of information that we gather depends on the nature of the interaction.
For example, we ask users who sign up for Cerb Cloud to provide an email address. Those who choose to engage in financial transactions with us (e.g. by purchasing products and services) are asked to provide additional information, including as necessary the personal and financial information required to process those transactions.
In each case, we collect such information only insofar as is necessary or appropriate to fulfill the purpose of the visitor’s interaction.
We do not disclose personally identifying information other than as described below.
Visitors can always refuse to supply personally identifying information, with the caveat that it may prevent them from purchasing licenses or engaging in certain services.
We do not display third-party advertising on our websites or in our applications. We do not willfully disclose any personal information to advertisers.
We display a list of clients and testimonials on our websites. We do not disclose the names of licensed organizations, or their representatives, without explicit permission, except in the event that a client freely discloses their identity through postings on public forums or social media networks.
We collect statistics about the behavior of visitors to our websites and users of our Cerb Cloud service.
For instance, we gather metrics about individual Cerb instances such as the number of active workers, addresses, conversations, messages, and attachments; the composition of file attachments, such as distributions of sizes or file types; or the amount of activity over a given time period.
This information is used to improve the usability and performance of products and services provided by us, as well as to curtail abuse.
We may display this aggregate, anonymous information publicly or provide it to others. However, we do not disclose personally identifying information other than as described below.
Your Personal Data Rights
We are committed to your personal data rights.
Right to be Informed
You have the right to be informed regarding the collection of personal data from you or about you, and the relevant business purposes for such collection.
Right of Access
You have the right to a copy of any personal information we have collected from you or about you, if such data exists.
This information will be transmitted electronically no later than one month from the date we receive your request.
Right to be Forgotten
You have the right to the erasure of any personal data we have collected from you or about you.
California Privacy Rights
California residents have the right to opt out of disclosing information to third parties for the purpose of allowing such third parties to directly market their products and services. We do not engage in this type of disclosure.
Why and To Whom We Disclose Personal Data
We disclose personally identifying information only to those of our employees, contractors and affiliated organizations that:
- Need to know that information in order to process it on our behalf or to provide products and services available through our websites.
- Have agreed not to disclose it to others.
Some of those employees, contractors, and affiliated organizations may be located outside of your home country; and by using our websites and services you consent to the transfer of such information to them.
We have not, and will not, rent or sell personally identifying information to anyone.
Other than to our employees, contractors and affiliated organizations, as described in this section, we disclose personally identifying information only in response to a subpoena, court order, or other governmental request, or when we believe in good faith that disclosure is reasonably necessary to protect our property or rights, or those of third parties, or of the public at large.
Amazon Web Services (AWS)
We remotely provision, administer, and maintain servers in various data centers throughout the world.
Our website, and web-based applications like Cerb Cloud, are provided through cloud computing services provided by Amazon Web Services.
In cloud environments, many users from various organizations share a pool of resources like computational power and storage capacity, although provisioned resources are isolated from one another to a similar degree as dedicated servers in a datacenter.
Due to the remote nature of cloud computing, authorized technicians from our vendors and service providers may have temporary access to our servers in order to perform physical maintenance and upgrades, or to provide hands-on assistance with troubleshooting issues like hardware failures.
Banking through FreshBooks, WePay, Authorize.net, Wells Fargo, and PayPal
We do not store credit card information on our servers.
For one-time transactions we do not save credit card or bank account numbers anywhere, although we do store email-based receipts that include contact information, redacted account information, payment type, transaction IDs, and authorization codes.
For recurring transactions, payment information is stored with vendors who adhere to the Payment Card Industry Data Security Standard (PCI DSS). We contract with FreshBooks for sending invoices and collecting payments, and they protect and encrypt financial information in accordance with regulations.
Most of our payments are collected by WePay in association with FreshBooks.
We also occasionally process credit card transactions directly through our merchant account at Authorize.net.
Depending on a client’s preferred payment method, these transactions may alternatively take place through other vendors like PayPal, or wire transfers to Wells Fargo Bank.
We do not have direct access to client credit card numbers or bank account information through any of these vendors.
Google (G Suite)
We contract with Google for hosting and archiving our corporate email accounts.
They have access to data from email messages (e.g. sender, subject, body, and attachments).
They do not have access to any client data outside of email communication.
We use Disqus to enable comment functionality on the blog and documentation of our project website.
They have access to information typically made available by web browsers: IP addresses, visited pages, browser, and platform.
They do not have access to any client data.
Your Privacy Choices
We provide the following privacy choices for your data:
- You may choose to not provide us with certain information. To subscribe to Cerb Cloud, or to purchase a self-hosted Cerb license, we only require a verified email address and a seat count. We do not require you to disclose your name, organization, location, phone number, revenue, employee count, or other personal details.
- You may choose to host our software on your own servers and network without transmitting any data to us. We optionally provide Cerb Cloud as a fully-managed service where you retain control over the data you choose to send to us.
- You may choose to arrange payment through an intermediary like PayPal to protect your financial information.
- You may opt-out of receiving commercial emails from us.
- You may receive a full backup of your content from Cerb Cloud at any time.
- You may delete records and other data within Cerb.
- You may close your Cerb Cloud account and request that your data and backups be permanently deleted.
Security and Safeguards
We take reasonable precautions to protect your data and personally identifying information.
We do not have physical access to any of our servers or online storage mediums. These servers are protected within state-of-the-art data centers.
We perform 24/7/365 monitoring of our network and service infrastructure. This includes server load, process information, account access, service utilization, network activity, and logs.
Web-based communication with our servers is protected through 256-bit encryption via Secure Sockets Layer (SSL) technology when URLs are prefixed with “https://”. This feature is required and automatically enforced for all Cerb Cloud subscriptions. It is the responsibility of clients and their representatives to ensure the use of SSL elsewhere.
Our technicians securely access our servers using Secure Shell (SSH) encryption. Logins are authenticated with RSA keys rather than simple passwords. Two-factor authentication is used with vendors and services that support it. We do not provide direct client access (e.g. SSH, Telnet, FTP) to machines housing Cerb Cloud data for multiple tenants. Instances with a need for direct access are hosted on isolated private servers.
We have disabled non-secure features in our PHP environment (e.g. process control, shell command execution, remote file includes) to protect against arbitrary code execution. To protect against cross-site scripting (XSS), we “escape” all user-provided data that is displayed in a web browser. Cerb also contains security mechanisms to combat cross-site request forgery (CSRF), and other common attack vectors.
Disclosure of Security Breaches
We will notify you as soon as possible if a security breach results in the potential disclosure of any personally identifiable information or data related to your account. At the conclusion of a security investigation, we will provide you with a report about the nature of any compromised data (e.g. email addresses, worker account passwords) and the actions taken to prevent future intrusions.
Cerb has two main components for storing customer data: (i) the database, and (ii) the /storage/ filesystem (which contains immutable objects like email attachments). Data is distributed among many servers in our Cerb Cloud network within Amazon Web Services.
If you communicate with us, or use Cerb Cloud services provided by us, your information will be routinely copied for the express purpose of maintaining backups for continuity and disaster recovery.
Disposal of Data and Backups
Upon cancellation, we remove all live client data from the Cerb Cloud network and send a final backup to Amazon S3. We will attempt to make arrangements for this backup to be transferred to the client before permanently destroying our final copy. Without an explicit request for their immediate removal, backups may be persisted for several years.
We will comply with any written, and duly authenticated, client requests for the immediate destruction of all account data and backups.
If WGM or substantially all of its assets were acquired, or in the event that we go out of business or enter bankruptcy, user information would be one of the assets that is transferred or acquired by a third party. You acknowledge that such transfers may occur, and that any acquirer of WGM may continue to use your personal information as set forth in this policy.
03-January-2019: Published the Privacy Shield sections.
20-December-2018: Updated Privacy Shield sections for review and compliance (“Your Privacy Choices” and “Liability For Onward Transfer”).
05-October-2018: Added sections for Privacy Shield review and compliance.