Brivo Services Privacy Statement
At Brivo©, privacy and security are core elements of our service. This Brivo Services Privacy Statement (the “Privacy Statement”) describes Brivo’s privacy practices in relation to the data Brivo receives through the use of hardware, services and applications provided by Brivo (collectively, the “Brivo System”). Brivo Systems LLC and its subsidiaries are collectively referred to in this Privacy Statement as “Brivo”.
This Privacy Statement applies to the following:
- Personal information that a Customer’s Administrator, or Brivo Reseller, inputs or uploads, or that is otherwise captured by the Brivo System;
- Activity and event data that is automatically collected by Customers using the Brivo System; and,
- Personal information acquired by or captured about Customers, their users, and visitors, in order to establish or maintain their business relationship with Brivo.
Collectively this is considered “Customer Data”.
Capitalized terms used, but not defined in the Statement, shall have the meanings given in Section 1 (Definitions) of the Brivo Applications Terms of use.
Roles of Customers, Resellers and Brivo in Protection of Customer Data
Brivo provides the Brivo System to Customers via its Reseller channel. Resellers selected by the Customer handle the initial setup and configuration of the Customer’s Brivo account. Customers can choose what data to share with the Reseller and/or Brivo during the set-up process. After the initial set-up, the Customer’s access to the Brivo System is limited to its authorized Administrators.
Customers are responsible for verifying that all individuals who are designated as Administrators are authorized by the Customer for the levels of access granted. In general, Brivo recommends that the Customer designate an employee of the Customer to be the Primary Administrator. If the Customer chooses to permit an individual who is not an employee of the Customer (such as, for example, an employee of a Reseller) to have any administrative rights or other access or privileges to the Customer’s account or Customer Data, the Customer is responsible for monitoring the third party’s access to and use of the account and Customer Data. Brivo is not responsible for any unauthorized use or misuse of the Customer’s account access, account privileges or Customer Data by anyone using access provided by the Customer.
Certain Brivo employees also will have access to Customer Data, solely in connection with the provision of the Brivo System and to respond to specific Customer and Brivo Reseller requests for technical support. Brivo will access Customer Data only for the purposes of providing the Brivo System, preventing or addressing service or technical problems, in accordance with the provisions of any separate written agreement between Brivo and Customer (such as, for example, the Brivo terms of use applicable to the Brivo System (the “Terms of Use”)), or as may be required by law.
COLLECTION AND USE OF CUSTOMER DATA
Brivo collects and processes all Customer Data strictly on behalf of Customers in accordance with Brivo’s contractual agreements with them and/or as defined in the Terms of Use and/or as required or permitted by law.
Customers are responsible for ensuring that Customer Data is collected and processed in accordance with all applicable laws. Since Customer Data is managed by the Customer, the Customer is responsible for providing appropriate notice and choice regarding Brivo’s processing of Customer Data on behalf of the Customer. If an individual has any questions or concerns related to Brivo’s handling of Customer Data pertaining to them, he or she may contact us at privacy@brivo.com and we will work with the applicable Customer to address the concern.
Brivo may also collect personal information from Customer employees, contractors, or agents in order to properly manage Brivo’s business relationship with Customer. Customers will receive login credentials to manage their Brivo System accounts, including such personal information.
Types of Customer Data Collected Related to the Brivo System
Brivo collects the following types of Customer Data:
- Information provided by Customers: The Brivo System provides the capability for Customers to store basic personal information such as an individual’s name, credential number, email address and photograph. This information is used to correlate events to the correct individual, as well as to enable notifications and mobile application functionality. The Customer is solely responsible for determining if storage of this data is appropriate and permitted in the context of applicable laws and regulations.
- Information generated from security events: The Brivo System is used by the Customer to collect activity and event data. For example, the Customer can use the Brivo System to record that an access credential was used at a particular door at a certain time. Through correlation with the information a Customer provides, Brivo may be able to tie an access event to a particular individual’s credential.
- Log Information: The Brivo System records the actions of Administrators, as well as the status and the settings of various devices that have been configured to operate with the Brivo System. Log information may be used by the Customer to review the activity of Administrators.
- Mobile Applications: Brivo provides mobile applications which can optionally be used with the Brivo System. The Brivo Mobile App provides administrative access to the Brivo System. Brivo Mobile Pass is a form of digital credential used, for example, to authorize physical access to a building. Brivo uses Wi-Fi and Bluetooth to identify when the device is within proximity to applicable available Brivo readers to open the proper lock or door. In order to use the services of the Brivo Mobile App, various features such as location services, Wi-Fi and Bluetooth communication must be activated on the mobile device.
Customer Data may be used by Brivo to:
- Enable event notifications and Brivo Mobile Pass functionality.
- Contact the Customer to inform them of product and service enhancements that Brivo thinks may be of interest to them.
- Provide important service notices regarding the Brivo System and related devices. (While Customers use Brivo System services, it will not be possible to opt out of communications regarding Brivo System service notices.)
- Ask the Customer to participate in surveys that help Brivo better understand the Customer’s needs in order to improve Brivo products and services.
Brivo also shares data with relevant third-party service providers when explicitly authorized by Administrators in the relevant Brivo System account; for example, to enable integrations via Brivo’s Application Programming Interface (API).
Compliance with General Data Protection Directive (GDPR)
Application of the GDPR for Brivo:
In the context of the GDPR, individual residents in the European Economic Area with data stored in the Brivo System or using Brivo applications are considered “Data Subjects.” Customers (and in some cases Brivo Resellers or Brivo API Partners) are considered “Data Controllers.” Brivo is generally a “Data Processor” but can also be a sub-Processor with respect to Customer Data. Brivo is a Data Controller with respect to User Private Data, as defined in the Terms of Use – Brivo Subscription Services. Brivo’s obligations with respect to User Privacy Data are as set forth in the End User License Agreement – Brivo Mobile Apps.
In Brivo’s role as a Data Processor, Brivo is the responsible custodian of the Data Subject’s data, performing this role on behalf of the Data Controller. The Data Controller is completely responsible for determining what data is captured, stored, and processed within the Brivo System. Brivo does not share, sell, rent or trade personally identifiable information with third parties unless directed by a Data Controller.
Within Brivo’s service model, most Data Subjects will have limited direct interaction with the Brivo System applications that capture and store their data. This interaction by Data Subjects will primarily be via the Brivo Mobile Pass application. Most Data Subjects will be employees, visitors, or contractors of the Data Controller. Data is captured based on their relationship with the Data Controller. The Data Controller is responsible for gaining necessary consent from the Data Subject regarding the data to be stored. In cases where a Data Subject requests Customer Data to be deleted from the Brivo System, Brivo will refer such request to the Data Controller for adjudication.
The GDPR includes provisions that grant Data Subjects portability rights in their personal data. Brivo will coordinate with Data Controllers and, as applicable, Data Subjects when requested to delete or port data. Brivo provides portability and is continually working to enhance its data export capabilities.
GDPR Right of Individual Access and Limited Use
Those residing within the European Economic Area may request to access, correct or limit the use of their personal information within the Brivo System by submitting a request to Brivo at privacy@brivo.com or by contacting us as set forth below.
Information Security
Brivo maintains a comprehensive, written information security program that contains industry-standard administrative, technical, and physical safeguards designed to prevent unauthorized access to Customer Data.
Brivo has the distinction of being one of the first building security platforms to be SOC 2 audited and being the first physical security software-as-a-service (SaaS) company to utilize the SSAE 16/18 framework to provide security review. Brivo undertakes an independent third-party annual SOC 2 audit that reviews certain of its internal controls and processes. Brivo also is certified under ISO27001. Brivo recognizes that the GDPR will help it move towards the highest standards of operations in protecting Customer data.
Law Enforcement Requests
Brivo may be required to disclose an individual’s personal information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.
Data Location & Transfer of Information
Brivo stores all Customer Data in the continental United States or Europe depending on the instance you use. To facilitate Customers’ global operations, Brivo transfers some information to the United States and provides access to that information to Customers around the world.
Accountability for Onward Transfer of Personal Data
Except as otherwise provided herein, Brivo may share personal information with third parties in connection with the operation of our business and consistent with the purpose for which the personal information was collected.
Data Retention
Brivo retains Customer Data according to the time frames set forth in the Terms of Use – Brivo Subscription Services.
Data Incidents
If Brivo becomes aware of any improper access, unauthorized use, or disclosure of Customer Data (a “Data Breach”), Brivo will analyze the facts of the Data Breach in the context of applicable laws, regulations, policies, and contractual obligations to determine the appropriate notification process. Brivo will conduct notifications in a timely manner after becoming aware of a Data Breach and take reasonable steps to minimize harm and mitigate further risks to Customer Data.
For data transfers to the U.S. from the European Union, the UK (and Gibraltar) or Switzerland, Brivo adheres to the Data Privacy Framework Principles. Our Data Privacy Framework Statement is available at: https://www.brivo.com/data-privacy-framework/.
Contacting Us
If you have questions regarding this Privacy Statement or if you need to request access to, or the update, change or removal of, personal information that we control, you can do so by contacting:
Brivo Systems LLC
7700 Old Georgetown Road, Suite 300
Bethesda, MD 20814 USA
privacy@brivo.com
+1 301-664-5277
CALIFORNIA PRIVACY RIGHTS (FOR CALIFORNIA RESIDENTS ONLY)
California law may provide California residents with additional rights regarding our use of their personal information. To learn more about the privacy rights of California residents, visit our CCPA Privacy Notice page.
CERTAIN RIGHTS FOR RESIDENTS OF COLORADO, CONNECTICUT, UTAH, and VIRGINIA
Residents of Colorado, Connecticut, Utah, and Virginia may have additional rights under applicable state law. Please contact Brivo as described above with any questions you may have.
Changes to this Privacy Statement
Brivo reserves the right to change this Privacy Statement from time to time but will alert you that changes have been made by indicating on this Privacy Statement the date it was last updated. If Brivo makes a material update, Brivo may provide you with notice prior to the update taking effect, such as by posting a conspicuous notice on Brivo’s website or in the Brivo System or by contacting you using the email address you provided. We encourage you to periodically review this Privacy Policy to stay informed about Brivo’s collection, processing and sharing of Customer Data.