DigiCert Public Privacy Notice

Public Privacy Notice in other languages

English | Français | Deutsch | Español | Italiano | Nederlands | Português | 日本語 | 한국인 | 简体中文 | 繁体中文

Effective Date

September 15, 2023
Privacy Notice Archive

INTRODUCTION

DigiCert, Inc. and its subsidiaries (“DigiCert”, “DigiCert Group,” “we” or “us”) are committed to protecting the privacy of its Website visitors (“you”) and Customers (“you” or “Customer”) and employees or agents of Customers (“you” or “Individuals”). As a result, DigiCert has promulgated this privacy notice to inform its Website visitors, Customers and Individuals about how DigiCert will collect, use, or otherwise process any personal data or usage information. This privacy notice applies to all sites owned and operated by DigiCert (collectively, “Websites,” individually referred to as a “Website,” meaning each and every Website owned and operated by DigiCert). Unless otherwise provided, this privacy notice also applies to DigiCert’s provision of website and other certificate services and all dealings with natural-person representatives of our Customers.

DigiCert is a company established in the United States with principal offices at 2801 North Thanksgiving Way, Suite 500, Lehi, Utah 84043 and for the purpose of the EU General Data Protection Regulation (“GDPR”) and any other applicable data privacy laws, we are the data controller of personal information obtained through our Website. Unless otherwise provided, we are also a data controller in relation to the Individuals’ personal information that we receive from Customers, either directly or through resellers. For QTSP services provided in the EU and Switzerland, the data controller is the relevant QuoVadis entity within the DigiCert Group providing the respective QTSP services. For all other services, the data controller is the contracting entity- DigiCert, Inc., DigiCert Ireland Ltd., DigiCert Japan G.K., or as may otherwise be provided in the Customer’s agreement for services.

If you have any concerns or questions regarding the personal data we process through our Website or through providing services to our Customers, you may contact DigiCert’s Data Privacy Officer at Privacy Request Form. If you are an EU or Switzerland resident, we have appointed a Data Protection Liaison for Europe at DigiCert Ireland Ltd. as our Europe Representative who you can contact (in addition to or instead of our Data Privacy Officer, located at our US headquarters) should you have any issues in connection with personal information processed through our Website. Contact details for the Data Privacy Officer and Europe Data Protection Liaison are provided below.

For data subjects in the People’s Republic of China, please see the China Privacy Addendum to this Notice.

INFORMATION THAT DIGICERT RECEIVES

Through our Website: DigiCert collects information such as the name, organization, and email address of Website visitors and Customers who voluntarily submit that information via our Website, email, instant chat, by creating an account or otherwise, in order to download software or to submit sales or technical support questions.

Through our OCSP Service: When an Online Certificate Status Protocol (“OCSP”) request is made against a HTTPS website or other TLS service that is secured by a DigiCert certificate, DigiCert collects that OCSP request and the client IP address and certificate serial number to operate the OCSP Service as described in our Certification Practices Statement. OCSP data is retained by DigiCert for up to 7 years and is used for troubleshooting and detection of malicious or fraudulent activity. OCSP data processed by our content delivery network is deleted after 10 days.

From Customers: Customers request DigiCert Certificates through their account in DigiCert’s Website (the “Account”) or through other contact with DigiCert or its resellers. When submitting a request, Customers typically provide to DigiCert the following information about Individuals: name, email address, telephone number, address, and government-issued identification (which may include additional information, depending on the identification used). Specific information about personal data required for particular DigiCert services and products may be found in DigiCert’s Certification Practices Statement.

Where Customers provide personal information of Individuals with DigiCert, Customers represent that they have collected and processed such information in accordance with data privacy laws, and that they have duly informed the Individuals that their personal information was provided to DigiCert. DigiCert will process such information following Customer instructions as well as according to the industry standards that govern the issuance of digital Certificates (“Industry Standards”). More information on the Industry Standards may be found through consulting DigiCert’s Certification Practices Statement.

From Candidates for Employment: Interested persons submit personal information relevant to a job inquiry or application for employment. Candidates for employment can find specific information about how we use personal information provided to us in this context in our Candidate Portal Privacy Notice.

From Third Parties: When performing its services, DigiCert uses third party sources to confirm or supplement the information that it obtains from a Customer, including information about Individuals. DigiCert uses such information from third-party sources exclusively for the purposes of its Validation Services, based on the legitimate interests of DigiCert and of the Customer to provide services and have a Certificate issued.

Where DigiCert makes external communications through social media platforms, we collect and analyze the activity related to our communications to measure customer satisfaction and brand reputation as well as understand the effectiveness of our external communication strategies.

Where DigiCert conducts marketing activities, we may also collect and use information from third parties such as lead generation and data quality providers, as well as from publicly available sources, where this is permitted by law.

Social Media Listening: We use certain third-party tools that integrate with social media platforms through application programming interfaces. These tools gather analytics information from social media posts regarding DigiCert made by Consumers and Individuals and others that help us improve our products and services. We do not use this information for marketing purposes or sales outreach, but we may link information gathered through social media listening with customer accounts.

USE OF INFORMATION

We will use your information to:

Provide products and services / live chat / sales & support: As it is in our legitimate interest to market, sell and provide our products and services, send order confirmations, respond to Customer service requests, provide chat services with sales questions and technical support needs, and fulfill your order, including using the information to verify the identity of the Customer or to contact the Customer in order to discuss support, renewal, and the purchase of products and services (“Support Services”). When you communicate with us, we will attempt to associate the method and substance of the communication with your account. When you Contact Us via telephone, we record the communication for quality assurance and training purposes. We may retain these recordings for up to 30 days, or as needed to address a specific Customer question or concern.

Marketing: We will use your information as it is in our legitimate interests to send out promotional emails (subject to seeking your consent where required by applicable law). These emails include beacons that communicate information about the email back to DigiCert. Such tracking allows DigiCert to gauge the effectiveness of its advertising and marketing campaigns. Recipients can opt-out of receiving promotional communications from DigiCert by following the unsubscribe instructions provided in each email or by using our Privacy Request Form. DigiCert may use third parties, under restricted processing agreements, to send promotional emails on our behalf. However, DigiCert does not permit any third party to use Customer information provided by DigiCert or obtained on DigiCert’s behalf for any other purpose.

NAI/DAA Consumer Opt-Out: You may visit the following webpages to opt-out of targeted advertising from a broad array of companies, including some who serve ads on behalf of DigiCert. For Network Advertising Initiative or “NAI” visit http://www.networkadvertising.org/managing/opt_out.asp and for Digital Advertising Alliance or “DAA” visit http://www.aboutads.info/choices/. Opting out through these sites does not mean you will stop see advertisements when using DigiCert websites or platforms, but it does mean that the company or companies from which you opt-out on these sites will no longer show ads that have been tailored to your interests.

Validation Services: DigiCert uses information provided by Customers to perform Validation Services, in accordance with Industry Standards. DigiCert uses this information as follows: (1) to perform our contracts with Customers that are natural persons; (2) based on the legitimate interest of DigiCert to provide services to Customers that are legal entities; and (3) based on the legitimate interest of Customers to have DigiCert issue Certificates.

Please refer to DigiCert’s Master Services Agreement and Certification Practices Statement for details on the terms, conditions, policies and standards regarding the request and issuance of Certificates.

Advisory e-mails: While a Customer account is active, DigiCert will send advisory e-mails to Customers to provide support and security updates in relation to our products and services, as this is necessary for the performance of our contracts with Customers. Advisory emails are used to respond to inquiries, provide support and validation services, provide upgrade information and security updates, inform customers about expiring Certificates, and inform the Customer about ordered products and services. Because advisory emails contain essential information related to the use and security of DigiCert’s products and services, Customers are not able to unsubscribe from advisory service emails while their Customer account is active. DigiCert may also use third-party service providers to assist in sending these communications, subject to the same restrictions as mentioned in the “Marketing” sub-heading, above.

Technical usage information: As it is in our legitimate interests to ensure the proper functioning of our Website by personalizing its use, monitoring usage activity and trends, and keeping the Website safe and secure, when you visit the Website, we collect the information sent to us by your computer, mobile phone, or other access device. This information includes: your IP address; device information including, but not limited to, identifier, name, and type of operating system; mobile network information; and standard web information, such as your browser type and the pages you access on our Website.

Customer analytics: It is in our legitimate interest to analyze information provided by our Customers to track sales, demographics, product usage and related analytics so that we can improve our product offerings and target marketing and sales resources. We create reports and data analyses that are reported internally and processed by third-party service providers, who are under a duty of strict confidentiality and who are not authorized to use information provided by us for any other purpose than to provide services as directed by us.

Cookies & Tracking Technologies

DigiCert uses cookies, web beacons and log files to automatically gather, analyze, and store technical information about Website visitors. See Cookie Settings for more information.

Sharing with Third Parties

We do not rent, sell, share, or otherwise disclose your personal data with third-party partners for their direct marketing purposes.

DigiCert will publicly disclose information embedded in an issued Certificate as necessary to provide the services contracted by Customer, in accordance with Industry Standards. See our Certification Practices Statement for information specific to the various services and products offered by DigiCert.

We will share your personal information with third parties, who are under strict contractual agreement to only perform the contracted services at our instruction, including these categories of recipients:

• IT service providers that provide us with SaaS services including customer relationship management and other database and application software;
• Marketing providers, advertisers and advertising networks that process the data to send you advertisements about our products and serve relevant advertisements across platforms to you and others;
• Analytics and search engine providers that assist us in the improvement and optimization of the Website;
• Chat-based support software services that allow users to input information, including an email address, to request support and clarify their problem; and
• Credit card and payment providers that help process payments for us (note that we do not store any provided credit card information).

DigiCert will share your information with law enforcement agencies, public authorities or other organizations if legally required to do so, including to meet national security or law enforcement requirements, or if we have a good faith belief that such use is reasonably necessary to:

• comply with a legal obligation, process or request;
• enforce our terms and conditions and other agreements, including investigation of any potential violation thereof;
• detect, prevent, or otherwise address security, fraud, or technical issues; or
• protect the rights, property or safety of us, our users, a third party or the public as required or permitted by law.

DigiCert will also disclose your information to third parties:

• in the event that we sell any business or assets, in which case we will disclose your data to the prospective buyer of such business or assets; or
• if we or substantially all of our assets are acquired by a third party, in which case information held by us about our users will be one of the transferred assets.

Blogs

Our Website offers publicly accessible blogs or community forums. Any information you provide in these areas can be read, collected, and used by others who access them.

To request removal or your personal information from our blog or community forums, please contact us through this Privacy Request Form. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why, as well as additional contact information when applicable.

Social Media Widgets

The Website includes social media features, such as a Facebook “Like” button and widgets, as well as share buttons or interactive mini-programs. These features collect the user’s IP address, the pages visited on the Website, and set cookies to enable the features to function properly. Social media features are either hosted by a third party or hosted directly on the Website. Interactions with these features are governed by the privacy notice of the corresponding social media company.

Security

The security of your personal information is of the utmost importance to DigiCert. DigiCert only transmits personal data, including sensitive data (such as credit cards), using transport layer security (TLS, formerly referred to as secure sockets layer or SSL). To learn more about TLS, follow this link: https://www.digicert.com/what-is-an-ssl-certificate.

Unfortunately, no method of transmission over the Internet or electronic storage is 100% secure. While DigiCert strives to use commercially acceptable standards to protect personal information, DigiCert cannot guarantee absolute security. If you have any questions about the security of your personal information, please contact us at privacy@digicert.com.

We take all necessary security and legal precautions to ensure the safety and integrity of the Individuals’ personal data that we receive from Customers, including, as appropriate, (i) the pseudonymization of personal data; (ii) ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) restoring the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (iv) regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. More information about DigiCert’s security practices can be found here. Summaries of our external audits can be found here.

Where We Store Your Data

The DigiCert Group has its parent company based in the United States and our Website is hosted in the United States. Therefore, if you are located outside the United States, the information that you submit to us through our Website will be transferred to the United States. Unless otherwise provided, DigiCert performs Support and Validation Services in its offices in Australia, Germany, Ireland, South Africa, United Kingdom, the United States, and provides hosting services for certain products in Australia, Japan, Netherlands, Switzerland, and the United States. Accordingly, depending on the products you are using, Customer data and your personal data may be accessible from and transferred to Australia, Germany, India, Ireland, Japan, Netherlands, South Africa, Switzerland, United Kingdom, and the United States.

Where you have a question, dispute or complaint regarding DigiCert’s collection, storage, or use of your personal information, you may ask a question or make a complaint to DigiCert by using this Privacy Request Form. If the dispute or complaint is not satisfactorily resolved or you do not receive a timely response, you may escalate the matter to a data privacy authority in your jurisdiction, if such an authority has been established where you live or the complaint arises. DigiCert commits to cooperate with the relevant data privacy authority and will comply with the advice given by this authority with regard to your information in the context of this Website or through DigiCert’s provision of services. You may also contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. Where required by law, such complaint is without prejudice to your right to launch a claim with the data privacy supervisory authority in the jurisdiction in which you live or work.

INDIVIDUAL RIGHTS OVER PERSONAL INFORMATION

Generally, a Customer or Individual can review, delete inaccuracies, and update personal information through their DigiCert account interface by accessing and editing their Account Profile through the DigiCert service platform they are using. Information and help in accessing and editing the Account Profile can be obtained by contacting DigiCert Support at support@digicert.com.

You will not be discriminated against for exercising your privacy rights. However, many of our services depend on the processing of personal data. Therefore, the exercise of your privacy rights may impact DigiCert’s ability to provide services to you or may be limited by our Certification Practices Statement.

In addition to any other lawful right not specifically enumerated below, Individuals have the following rights:

Access and portability: You have the right to know whether we process personal data about you, and if we do, to access data we hold about you and certain information about how we use it and to whom we disclose your personal data.

Correction, erasures, and restriction of processing: You have the right to require us to correct any personal data held about you that is inaccurate and have incomplete data completed or ask us to delete data (i) where you believe it is no longer necessary for us to hold the personal data; (ii) where we are processing your data on the basis of our legitimate interest and you object to such processing; or (iii) if you believe the personal data we hold about you is being unlawfully processed by us. You can ask us to restrict processing data we hold about you other than for storage purposes if you believe the personal data is not accurate (whilst we verify accuracy); where we want to erase the personal data as the processing we are doing is unlawful but you want us to continue to store; where we no longer need the personal data for the purposes of the processing but you require us to retain the data for the establishment, exercise or defense of legal claims or where you have objected to us processing personal data and we are considering your objection.

Customers and Individuals cannot edit a DigiCert Certificate directly. In order to update information in a Certificate, including personal information, Customers or Individuals must submit a change request through the Customer’s Account, and DigiCert will implement the edits or issue a new certificate where applicable. If you have questions about how to submit a change request to your Certificate, please contact DigiCert Support at support@digicert.com.

Objection: You have the right to object to our processing of data about you and we will consider your request. Please contact us through this Privacy Request Form with details of your objection, providing us with detail as to your reasoning so that we can assess whether we have a compelling or overriding interest in continuing to process such data or whether we need to process it in relation to legal claims.

Testimonials: With prior permission from the Customer, DigiCert displays personal testimonials of satisfied Customers on our Website in addition to other endorsements. Customers wishing to update or delete a testimonial should contact us through this Privacy Request Form.

Marketing: You have the right to ask us not to process your personal data for marketing purposes. You can exercise your right to prevent such processing at any time by contacting us through this Privacy Request Form.

Complaints: In the event that you wish to make a complaint about how we process your personal data, please contact us in the first instance through this Privacy Request Form and we will endeavor to deal with your request. Depending on the laws pertaining to your locale, this is without prejudice to your right to launch a claim with the data privacy authority in the jurisdiction in which you live or work where you think we have infringed data privacy laws.

You can exercise these rights through this Privacy Request Form or by mailing DigiCert at the address listed in this notice. Before we respond to your request, we will ask you to verify your identity. DigiCert does not sell personal data. DigiCert does not process sensitive data other than as required for the purpose of Remote Identity Verification. Please see our separate Privacy Notice on Remote Identity Verification here. DigiCert recognizes all rights granted under laws and shall honor any lawful request whether or not specifically enumerated in this section.

Designating an Authorized Agent: Depending on the state or country where you reside, you may have a right to designate an authorized agent to make requests on your behalf.  In the United States and potentially other states/countries, you may provide a power of attorney to designate your authorized agent. If you do not have a power of attorney, you may contact privacy@digicert.com to receive a form that you will need to fill out to designate your authorized agent. Please note that there may be additional steps required to verify your identity and to designate an authorized agent.

Right to Appeal: Unless there is an overriding interest or requirement, we honor all requests submitted by Individuals and Customers with respect to the privacy rights enumerated above.  However we may be unable to take action on a request if there is a legitimate business reason or other requirement that may override the request. If this is the case, we will inform you as to the reason why we were unable to fulfill your request.  Depending on the state or country where you reside, you may have a right to appeal if we are unable to take action on your request. You may file an appeal by emailing privacy@digicert.com with subject line “Appeal.”

HOW LONG WE STORE YOUR DATA

We will retain your information as follows:

Account data and data provided for Validation Services (including to send Advisory e-mails): As long as the account is active, while a Certificate remains unexpired, and in accordance with industry standards, which requires us to maintain the data for 7 years (depending on the type of Certificate with which the data is associated, see Certification Practices Statement) after account cancellation or Certificate expiration according to the Certificate requirements and as contractually agreed upon. In addition, after account cancellation, we will keep this for as long as necessary to defend against legal claims, resolve disputes or enforce Customer agreements.

Data provided and collected for marketing and web experience customization purposes: until you notify us that you no longer want us to use your information for marketing and/or web experience customization purposes, by unsubscribing from any marketing email you receive, changing your cookie preferences through consulting our Cookie Settings, or by contacting us through this Privacy Request Form.

After we no longer have a legitimate basis for retaining your personal data, we may store your information in an aggregated and anonymized format so that a specific Individual cannot be identified, and the personal data cannot be restored. Anonymized data may include the following categories of data:

• Transactional elements such as type, quantity, and cost of services provided
• Usage activity and interaction with features of the services
• Performance metrics of the services and support provided

EU-U.S. DATA PRIVACY FRAMEWORK, SWISS-U.S. DATA PRIVACY FRAMEWORK, UK EXTENSION

DigiCert complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.  DigiCert has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.  DigiCert has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the UK Extension to the EU-U.S. DPF, and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov.

DigiCert is responsible for the processing of personal data it receives, under each Data Privacy Framework, and subsequent transfers to a third party acting as an agent on its behalf. DigiCert complies with the Data Privacy Framework Principles for all onward transfers of personal data from the EU, UK, and Switzerland, including the onward transfer liability provisions.

With respect to personal data received or transferred pursuant to the Data Privacy Framework, DigiCert is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.  In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, DigiCert commits to resolve DPF Principles-related complaints about our collection and use of your personal information.  EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, should first contact DigiCert at privacy@digicert.com.   

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

Under certain conditions, more fully described under the Data Privacy Framework website at https://www.dataprivacyframework.gov/s/article/How-to-Submit-a-Complaint-Relating-to-a-Participating-Organization-s-Compliance-with-the-DPF-Principles-dpf, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

APPLICABILITY

Terms of use for software downloaded from DigiCert’s Websites may override the terms of this privacy notice, with respect to use of the software. We may also provide supplementary privacy notices which describe processing activities outside the scope of this privacy notice.

Our Website includes links to third party websites whose privacy practices may differ from those of DigiCert. If you submit personal information to any of those websites, your information is governed by their privacy policies. We encourage you to carefully read the privacy policies of those third-party websites before you submit any information to those websites.

Our Website and services are not directed towards, nor do we knowingly collect personal data from, children under the age of 18. If you are under 18, please do not use the Website or services or provide your personal data to us.

Unless prohibited by local laws, non-English translations of this privacy notice are provided for convenience only and in the event of any ambiguity or conflict between translations, the English version shall be deemed to prevail as the authoritative version.

CHANGES TO THIS PRIVACY NOTICE

If we make material changes to our information practices, we will update this privacy notice and notify interested parties (e.g., by posting a notice on our home page or by emailing affected Individuals). Visitors should check the Website regularly to be aware of changes. We encourage you to periodically review this page for the latest information on our privacy practices. Revisions to the privacy notice are effective 30 calendar days after being posted, or as required by applicable law.

CONTACT

Please contact the DigiCert Data Privacy Officer or DigiCert’s Europe Data Protection Liaison with any questions or concerns about this privacy notice or our data collection practices. Individuals in the United Kingdom may also contact our United Kingdom Representative.

DigiCert Data Privacy Officer

DigiCert, Inc.

Attention: Data Privacy Officer, Aaron Olsen

2801 North Thanksgiving Way, Suite 500

Lehi, Utah 84043, United States

Toll Free: 1-800-896-7973 (US & Canada)

Direct: 1-801-701-9600

Fax Toll Free: 1-866-842-0223 (US & Canada)

Fax Direct: 1-801-705-0481

privacy@digicert.com

Europe Data Protection Liaison

DigiCert Ireland Ltd.

Attention: Europe Data Protection Liaison, Richard Hall

Unit 21, Beckett Way

Park West Business Park

Dublin 12, Ireland

Phone: +353 1803 5400

Fax: +353 1861 7990

richard.hall@digicert.com

United Kingdom Representative

DigiCert UK Limited

Attention: United Kingdom Representative

c/o Worldwide Corporate Advisors Llp

150 Minories

London EC3N 1LS United Kingdom

For assistance with technical difficulties, including problems with accessing or using your Customer account, please email support@digicert.com.

As noted above, if you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request. Where required by law, this is without prejudice to your right to launch a claim with the data privacy authority in the jurisdiction in which you live or work.

DIGICERT LEGAL REPOSITORY

The DigiCert Legal Repository is available at: DigiCert Legal Repository