CDNetworks Enterprise Secure Access service is designed to create a secure, efficient, and easy-to-use remote access/office environment for enterprises. The Enterprise Secure Access service is operated by CDNetworks Inc. and its global affiliates (each separately, and collectively, “CDNetworks” or “us”). CDNetworks understands end users (hereinafter, “you”) play a high value on how your personal data been processed and is committed to safeguard the security and reliability of your personal data to the best of our ability.

Upon your company/organization (hereinafter, “organization”)’s successful subscription to the Enterprise Secure Access service, one or more designated persons of organization can be registered as system administrator with access to the backend of Enterprise Secure Access management system.

This Privacy Policy for Enterprise Secure Access Service (hereinafter, “Privacy Policy”) will help you to be aware of and understand the following:

• Your Enterprise Secure Access service account;
• What personal data do we collect;
• How we use your personal data;
• How do we entrust, share, and transfer your personal data;
• How do we protect your personal data;
• How do we store and retain your personal data;
• Your rights;
• Protection of children and minors;
• Change to this privacy policy;
• How to contact us.

Please make sure that you have fully read, understand, and consent with the content of this Policy before using Enterprise Secure Access service.

1. Your Enterprise Secure Access Service Account

CDNetworks’ provision of Enterprise Secure Access service to you (and your organization) and processing of your personal data in connection therewith is based on the subscription agreement between your organization and us. Your Enterprise Secure Access service account is provided by your organization to you.
Your organization can:

• control and manage your Enterprise Secure Access service and service account, including controlling privacy-related settings;
• access and process your data, including the contact information, the interaction data, and the contents in relation with your Enterprise Secure Access service account.

Besides this Policy, your use of the Enterprise Secure Access service may also be subject to the rules and policies of your organization. CDNetworks is not responsible for the rules, policies, or privacy/security practices of your organization. If you have any privacy inquiry (including, any requests to exercise your data subject rights) during your use of Enterprise Secure Access service, we recommend you to first direct that inquiry to the administrator of your organization.

The cancellation of your account at your organization (e.g. due to change of employment) will lead to the loss of access to your Enterprise Secure Access account.

2. What Personal Data Do We Collect

The personal data we collect depends on the choices of you and/or the administrator of your organization made on the product settings, as well as the context of your interactions with CDNetworks.

Categories of data collected and processed by CDNetworks may include the following:

Name and contact data. Your first and last name, phone number, e-mail address, username, company name, and other similar contact data.
When the administrator of your organization registers Enterprise Secure Access service account for you, your organization may provide us with your first and last name, phone number, e-mail address and username (such username may be your name or other identifying name stipulated by the management strategy of your organization, the same concept applies to the other parts of this Policy) for account registration, two-factor authentication when logging in, and processing of the verification code during password resetting.

CDNetworks believes that before your personal data be provided by your organization to us, your organization has already obtained your prior written consent on personal data sharing.

To put it specifically:
a)Username: a username is necessary to use Enterprise Secure Access service. However, the specific setting as the user name will only affect the administrator’s ability to identify the real identity of the account user. It will not affect your ability to use Enterprise Secure Access for its normal functions;
b)Phone number: if the administrator of your organization didn’t provide us with this information, the end user who enables SMS two-factor authentication will not be able to login to Enterprise Secure Access, reset his/her account password through mobile phone number, or modify and bind his/her mobile phone number. This will not affect the users who did not enable SMS two-factor authentication function;
c)E-mail address: if the administrator of your organization didn’t provide us with this information, you will not be able to reset your Enterprise Secure Access account password through e-mail, and you will not be able to receive notification e-mails sent by the server, including, but not limited to: account creation, account expiration, password reset, TOTP key reset, and mobile phone number modification. This will not affect other features of Enterprise Secure Access that you use.

• Credentials. Passwords and similar security information used for authentication and account security.
• Device data. The device you use to login to Enterprise Secure Access, the interactions of you and your device with Enterprise Secure Access, type of your device and identifiers, operating system of your device, location of your device, and other similar usage or device information.
• Log/traffic data. Data generated through your use of CDNetworks Enterprise Secure Access service. Log/traffic data may include: IP addresses, URLs of sites visited, geographic location, etc.
  Log/traffic data may be or may not be regarded as “personal data” depending on the variation of data protection laws among jurisdictions. Log/traffic data will not be processed by CDNetworks through identifiable means.

The aforementioned data may be collected directly from you during your use of Enterprise Secure Access, or indirectly from the administrator of your organization during account set up or recovery process, if any.

3. How We Use Personal Data

CDNetworks uses the data it collects to provide better service to you, which including, but not limited to:

• updating, troubleshooting, remote support;
• improving and developing product function.

Our processing of personal data for the above purposes includes both automatic and manual processing. CDNetworks’ use and process of your personal data are on the ground of your consent and/or as required to fulfill our contractual obligations and provide Enterprise Secure Access service to you. CDNetworks believes that before your personal data be provided by your organization to us, your organization has obtained your prior written consent on personal data processing.

Personal data processing activities on different occasions:

• When you install and run Enterprise Secure Access software on your device for the first time, we will request storage and location permissions, where the storage permission is necessary for software installation. You may choose on your own accord whether to authorize us with the location permission.

• In the process of logging in to Enterprise Secure Access, we will request for VPN permission to ensure the normal function of the product. It collects your mobile phone number, device name, device model, operating system, Enterprise Secure Access software version number, location information of the device (such as login IP address, GPS location, etc., accurate to one kilometer), unique device identifier (this refers to the string information used by the device manufacturer to identify a specific device, such as Mac address), operation log, etc., in which the mobile phone number is used for two-factor authentication when logging in. If the administrator of your organization does not enable SMS two-factor authentication for you, then we will not collect your mobile phone number information.

• In the process of resetting your password, we will collect your mobile phone number or e-mail address information for sending the two-factor authentication verification code. If you refuse to provide this information, you may ask the administrator of your organization to reset the account password through his/her console. This does not affect other features of Enterprise Secure Access that you use.

• In the process of resetting your TOTP key, we will collect your mobile phone number or e-mail address information for sending the two-factor authentication verification code. If you refuse to provide this information, you may ask the administrator of your organization to reset the account TOTP key through his/her console. This does not affect other features of Enterprise Secure Access that you use.

• When using Enterprise Secure Access service, if your organization has access behavior audit requirements, then we will collect access log information, including access time, quintet, domain name details and other information.

• When using the change mobile phone number function, we will collect your mobile phone number information for sending the two-factor authentication verification code.

• When you use the issue report/user feedback function and need to upload images, we will request permissions to access photo albums and your device camera, and your uploaded descriptions, user logs and images will be stored on our server. Storage of this information is necessary for us performing this function.

• When you encounter usage issues that require our assistance in troubleshooting, we will collect and proceed with your operation log information, including but not limited to username, permission resources, operation behavior, domain name access record, DNS resolution result, software failure information, IP routing information, the method, type and status of access to the network, network quality data, etc., which are the basic information that we must collect for troubleshooting. For instance, we will use permission resources and domain name access records to determine the occurrence of any unauthorized access; we will use DNS resolution results to determine abnormal DNS resolution incidents.

• When the administrator of your organization resets your password through the console and chooses to notify you through your mobile phone number or e-mail address, we will collect the information of your mobile phone number or e-mail address.

When you use the above functions, our App will request for a total of 5 system permissions: storage, location, photo album, camera and VPN. The aforementioned permissions are not enabled by default. You can choose whether to grant these system permissions to our App.

4. How Do We Entrust, Share, and Transfer Your Personal Data

4.1 Entrustment
No delegated processing will be involved in any functions and/or modules of Enterprise Secure Access.

4.2 Information Sharing
We share your personal data with your consent or for provision of Enterprise Secure Access service to you:

• as your Enterprise Secure Access service account is provided by your organization, we will share certain data with your organization to enable your organization managing the product.
• CDNetworks is a transnational enterprise with global presences, on some occasions to provide Enterprise Secure Access service to you, CDNetworks may need to collaborate with its affiliate and share personal data among CDNetworks affiliates. CDNetworks affiliates will commit to the same degree of care on the protection of your personal data.
• CDNetworks will only share your information with third parties with your consent or upon your instruction.
• CDNetworks may, for compliance with laws and regulations applicable, for responding to regulatory authorities, or for fulfillment of judicial orders, retain, transfer, or share your personal data on an as-needed basis.

Please note that if you use Enterprise Secure Access service to link or connect to products of third parties, those third-party products may adopt their own privacy policies. Your submission and provision of your personal data to such third-party products will be governed by the privacy policies of such third-party product.

4.3 Transfer
We will not transfer your personal data to any third-party company, organization or individual outside our organization, except in the following cases:

• transfer with your explicit consent;
• due to the event of merger, acquisition or bankruptcy liquidation. On such occasion we will require the succeeding company or organization to continue to be bound by this Privacy Policy.

5. How Do We Protect Personal Data

5.1 CDNetworks has adopted administrative, technical, and organizational measures to protect your personal data from unauthorized access, use, alternation, disclosure, or leakage. We will take all reasonable and feasible measures to protect your personal data. For instance:

• For information storage and display, we will use encryption technologies (hash algorithm, NCA algorithm, etc.), console desensitization display and other means to protect your personal data;
• For data transmission, we leverage encryption technologies such as RSA and AES to prevent sensitive data from being disclosed;
• For device level software security capabilities, we have adopted technical measures such as preventing decompile, preventing two-factor packaging, preventing tampering, etc., to ensure that sensitive data is not disclosed; prohibit the use of our services on devices in simulators and debugging, root, jailbreaking, etc., to prevent the disclosure of personal data;
• d) For access control, to prevent account theft, unique device identifiers, login IP addresses, operation logs, access logs, location information and other data may be analyzed to facilitate the adoption of security measures or security reminders.

5.2 We will take all reasonable and feasible measures to ensure that personal data will be collected to the minimal necessary extent. We will only retain your personal data for the period necessary to fulfill our contractual obligations as described in this Policy, unless otherwise required by law.

5.3 We are all aware that the Internet is not a 100% secure environment. CDNetworks will endeavor to the best of our ability to safeguard the security of your personal data.

5.4 In the event of any personal data security incident, we will follow the requirements of laws and regulations, inform you of the incident and its possible impact at the earliest, and keep you updated about the measures we have taken or will take, and suggest actions that you can take to prevent and reduce the impact at your side. We will promptly inform you about the incident-related information in one or a combination of ways such as e-mail, telephone, etc., and when it is not feasible to get contact with you directly, we will issue an announcement in a reasonable and effective manner.

At the meantime, we will also report the handling of personal data security incident to the corresponding regulatory authority in accordance with the requirements applicable.

6. How Do We Store and Retain Personal Data

Personal data collected by CDNetworks will be stored in an encrypted manner in your region or other regions where CDNetworks or its affiliates operates.

CDNetworks will retain personal data as necessary to provide services to you and/or your organization, or for the fulfillment of our statutory/judicial obligations. Our retention period may vary depending on the type of personal data and difference of mandatory requirements in data protection laws among jurisdictions applicable.

To put it specifically:

• Username, mobile phone number and e-mail address: we will retain a record of these information during your use of Enterprise Secure Access. When your organization stops subscribing Enterprise Secure Access services, or when your organization notify us to cancel your account, we will delete the corresponding information.
• log/traffic data: log/traffic data will be retained for up to 180 days in most instances. If the data retention laws in certain jurisdictions requires a longer retention period, we will follow such statutory requirements.

7. Your Rights

You may exercise the following rights with regards to your personal data:

You have the right to access, correct, delete your personal data, or withdraw the authorization of your consent, unless otherwise stipulated by relevant laws and regulations. If you wish to exercise the above rights, you may do the following: 1) log in to our App and click “Settings”; 2) Click “Account Management” to access, correct or delete your personal data.

However, subject to the agreement between CDNetworks and your organization, if the administrator of your organization sets certain restrictions on end user accounts, you may not be able to modify, delete your personal data or withdraw the consent at your side, in such circumstance please contact your organization to learn more about how to access and control your personal data.

Please note that only when your organization confirms that you are no longer been granted access to Enterprise Secure Access, may you cancel your Enterprise Secure Access account and CDNetworks will stop providing services to you and delete (or anonymously process) your personal data under the relevant accounts within a reasonable period of time.

8. Protection of Children and Minors

CDNetworks Enterprise Secure Access service is provided to organizations and their employees who have full civil capacity. The Enterprise Secure Access is not designed or intended to be used by children or minors. You as end user should not lend or allow any third party to use your Enterprise Secure Access account, including children or minors in your family. CDNetworks assumes that there is no personal data of children or minors been collected or processed under Enterprise Secure Access.
Definition to “children” and “minor” are subject to the laws applicable.

9. Change to This Privacy Policy

We may update this Privacy Policy from time to time in response to:

• Changes/updates in data protection laws that may affect our products/services;
• Feedbacks/improvement suggestions from our customers, end users, regulators, and/or other stakeholders;
• Changes in product functions.

If any change be introduced to this Privacy Policy and may materially affect the manner we collect and process your personal data or the way you use Enterprise Secure Access service, we will notify you through the contact method you chose. If CDNetworks is not able to get in touch with you directly, we will notify you by posting a notice on our website. All changes to this Privacy Policy will be posted on our website with change history available. CDNetworks recommends you to periodically check the latest version of this Privacy Policy to be aware of any changes.

10. How to Contact Us

If you have any question, concern or suggestion in relation with this Privacy Policy, please reach us via e-mail to: abuse@cdnetworks.com with title: [privacy_Enterprise Secure Access].