Cloud Services
Cloud Identity Service Policies
CONTENTS
1 INTRODUCTION
2 ONBOARDING JOURNEY
3 ROLES
3.1 CUSTOMER ROLES
3.2 EmpowerID SERVICE PROVIDER ROLES
4 PRE-REQUISITES AND REQUIREMENTS
5 EmpowerID CLOUD SERVICES
5.1 INCLUDED SERVICES
5.2 ADD-ON AND ADDITIONAL COST SERVICES
5.3 EXCLUDED SERVICES
5.4 SERVICE REGIONS
6 SERVICE AVAILABILITY
6.1 OVERALL SERVICE AVAILABILITY
6.2 TOTAL AVAILABLE MINUTES PER MONTH
6.3 DOWNTIME MINUTES
6.4 SCHEDULED MAINTENANCE
6.4.1 SCHEDULED MAINTENANCE NOTIFICATION
6.5 UNSCHEDULED MAINTENANCE
6.5.1 UNSCHEDULED EXTENDED MAINTENANCE NOTIFICATION
6.5.2 STAGGERING EMPOWERID SOFTWARE MAJOR UPDATES AND NEW VERSIONS
6.6 SERVICE LEVEL REMEDY POLICY
6.7 SERVICE LEVEL EXCLUSIONS
6.8 NETWORK BANDWIDTH AND LATENCY
7 TECHNICAL SUPPORT
8 HIGH-LEVEL ARCHITECTURE
9 DATA INTEGRATION
9.1 STANDARD DATA INTEGRATION OPTIONS
9.2 DATA INTEGRATION SECURITY
10 SECURITY
10.1 ACCESS CONTROL
10.1.1 SYSTEM HARDENING
10.1.2 SYSTEM AND APPLICATION ACCESS CONTROL, USER AND PASSWORD MANAGEMENT
10.2 INFRASTRUCTURE SECURITY
10.3 AUTHENTICATION
10.4 AUTHORIZATION
10.4.1 SYSTEM ACCESS AND APPLICATION AUTHORIZATION
10.4.2 INTEGRATION-SPECIFIC AUTHORIZATION
10.5 NETWORK TRAFFIC SECURITY
10.5.1 DATA TRANSPORT ENCRYPTION
10.5.2 NETWORK AND FIREWALLS
10.5.3 ISOLATION AND SEGREGATION
10.6 DATA SECURITY
10.6.1 TRANSIENT DATA
10.6.2 BACKUP DATA
10.6.3 CUSTOMER DATA OWNERSHIP
10.7 MOBILE DEVICE SECURITY
10.8 SECURITY INCIDENT RESPONSE
10.8.1 COMPUTER SECURITY INCIDENT MANAGEMENT TEAM (CSIMT)
10.8.2 INCIDENT RESPONSE PLAN
10.9 SECURITY CERTIFICATES AND DETAILS
10.9.1 ISO 27001:2013
11 INCIDENT RESPONSE
11.1 DEFINITIONS
11.1.1 INCIDENT
11.1.2 DISASTER
11.1.3 RECOVERY POINT OBJECTIVE (RPO)
11.1.4 RECOVERY TIME OBJECTIVE (RTO)
11.2 HIGH AVAILABILITY AND REDUNDANT INFRASTRUCTURE
11.2.1 NETWORK
11.2.2 APPLICATION SERVERS
11.2.3 DATABASE SERVERS
11.3 DISASTER RECOVERY AND DATA RESTORATION STRATEGY
11.3.2 SERVICE LEVEL – FAILOVER AND DISASTER RECOVERY
11.3.3 DATA BACKUP AND RESTORE STRATEGY
11.3.4 SERVICE LEVEL – DATA BACKUP
11.4 MEASUREMENT AND MONITORING
12 ACCEPTABLE USE POLICY
13 CLIENT DEVELOPMENTS, CUSTOMIZATION AND IDENTITY WAREHOUSE DATABASE COPY ACCESS
13.1 CLIENT CAN DEVELOP AND CUSTOMIZE SHAPES, WORKFLOWS AND CONNECTORS
13.2 CLIENT MAY ACCESS A READ ONLY COPY OF THE IDENTITY WAREHOUSE DATABASE
14 SUSPENSION AND TERMINATION POLICY
14.1 TERMINATION OF SERVICE
14.1.1 TERMINATION OF TRIAL ENVIRONMENTS
14.2 SUSPENSION OF SERVICE
14.3 CUSTOMER DATA OWNERSHIP RIGHTS
1 INTRODUCTION
EmpowerID Cloud Identity Service is a cloud-based, Software-as-a-Service (SaaS) offering that provides EmpowerID software and supporting components as a service (the “SaaS Service”). It allows EmpowerID clients who prefer a “cloud first” strategy to utilize a cloud-based service in which the software and associated maintenance operations are licensed as a comprehensive service managed by EmpowerID. With EmpowerID Cloud Identity Service, EmpowerID provides and maintains the platform and the EmpowerID IAM application, enabling customers to use EmpowerID’s broad IAM functionality for both their on-premise and cloud-based systems without the overhead of deploying, hosting and maintaining EmpowerID environments. The client does not manage or control the underlying infrastructure (such as network, servers, operating systems, storage or EmpowerID software components), the standard EmpowerID application development cycle, or the deployed EmpowerID software modules and their standard functionality. The client can also elect to connect to custom systems and run custom workflows, for an additional cost to create and support them.
This document describes these Services as well as policies applicable to the Services. The Service is provided under the terms of the EmpowerID Cloud Identity Service Subscription Agreement (the “Subscription Agreement”), the applicable Order (as defined in the Subscription Agreement) and the policies described within this document. These policies are subject to change at EmpowerID's discretion. The Service as ordered by the customer will be governed by the policies in effect at the time the Service was ordered for the period acquired. These policies are reviewed annually and may be revised to incorporate issue resolutions and process improvements.
As used in this document, the terms “Customer,” “Client”, “Subscriber,” "you" and "your" refer to the individual or entity that has ordered the Service from EmpowerID, as applicable.
2 ONBOARDING JOURNEY
This section describes the typical onboarding journey for new customers of the EmpowerID Cloud Identity Service.
1 Customer Onboarding Session
The customer and Customer Success Management team complete an onboarding call that details:
- The specifics of the Service.
- The roles on the customer and EmpowerID side that will be involved in coordinating and configuring EmpowerID Cloud Identity Service for the customer’s on-premise directories and line-of-business systems. These can also be discussed and coordinated with the Remote Mentoring offering.
- Details of the Technical Support system – specifics on how to file a ticket, check on ticket status and how to work with the Support team.
- Details on communication of Service updates from the Service Operations team.
- Details on preferred region deployment of the Service. Available regions are listed in the Service Regions section below.
- General use of the Service.
2 Core Infrastructure Provisioning
Service Operations and Datacenter Operations will provision standardized core Service infrastructure in established datacenter locations, at a location agreed with the customer to satisfy the data location and latency requirements of the customer’s production EmpowerID Cloud Identity environment. See the production and non-production environment details in the Included Services section below.
Core service infrastructure setup will include:
- The required hardware and Docker Container infrastructure to operate the service
- Network infrastructure setup and configuration such as firewalls and load balancing
- EmpowerID Cloud Identity database installation and configuration
- EmpowerID Cloud Identity software installation as per best practices
- Installation of quality-of-service monitoring software
- Testing the EmpowerID Production environment by performing base configuration testing
- Disaster Recovery infrastructure setup and configuration
- Service end points and URLs finalization
- Service monitoring setup
3 Service is made available
The EmpowerID Cloud Identity Service environment(s) are made available for use by the customer’s EmpowerID Administrators and Developers.
3 ROLES
There are various roles involved in a Service subscription; use the table below to understand the role definitions.
3.1 CUSTOMER ROLES
| Role | Description |
|---|---|
| Customer End Users | All of the customer’s users managed by or permitted to log in to the EmpowerID environment. |
| Customer EmpowerID Administrators | Customer resources who maintain the applications and application-specific components on the EmpowerID production and non-production environments. |
| Customer EmpowerID Helpdesk | Customer resources who provide first-level application support for the applications deployed on the EmpowerID production and non-production environments. |
| Customer EmpowerID Developers | Optional customer resources who are responsible for building workflows or connectors that run on or utilize EmpowerID Cloud Identity Service environments. These include no-code developers who may build applications with tools like the EmpowerID Form, Lookup, and Page Designers, as well as coding developers who build connectors and workflows that extend EmpowerID Cloud Identity Service or interact with it through the available APIs. |
| Customer Application and Directory Administrators | Customer resources who maintain the customer’s existing applications and directories and can create and manage service identities for use by EmpowerID. |
| Customer Network Administrators | Customer resources who maintain the customer’s network and network infrastructure. |
3.2 EmpowerID SERVICE PROVIDER ROLES
| Role | Description |
|---|---|
| EmpowerID Service Operations Manager | The EmpowerID Service Operations Manager directs the Service Operations staff and reports to the Vice President of Engineering. |
| Service Operations | Service resources who maintain the EmpowerID environment and associated infrastructure and provide support for operational issues. |
| Customer Success Manager | Service resource who acts as the customer’s main liaison and contact person. |
| Service Onboarding | Service resources who assist during the customer onboarding phase. |
| Technical Support | EmpowerID Cloud Identity technical support services. |
| EmpowerID Professional Services | EmpowerID consulting services. |
| Datacenter Operations | Resources provided by the datacenter provider to maintain aspects such as hardware and network infrastructure on the Service infrastructure. |
| Computer Security Incident Management Team (CSIMT) | Team of Service resources that respond to security threats and breaches. |
4 PRE-REQUISITES AND REQUIREMENTS
The following prerequisites and requirements must be satisfied to subscribe to the Service.
- Customers will be required to deploy the “EmpowerID Cloud Gateway” app onto at least one on-premise Windows computer to act as a bridge between the EmpowerID Cloud Identity Service and managed on-premise directories and applications.
- Proxy Accounts for on-premise systems and directories with the appropriate access as specified in the EmpowerID documentation.
5 EmpowerID CLOUD SERVICES
An EmpowerID Cloud Identity Service subscription includes several services that, when combined, constitute the Service Offering. The following sections describe the standard included services, excluded services and services that are available separately.
5.1 INCLUDED SERVICES
| Category | Description | Roles involved |
|---|---|---|
| On-boarding Services | EmpowerID provides onboarding services to enroll in the Service, available from the on-boarding call with the Customer Success Manager until the Service is made available to the organization. | EmpowerID: Customer Success Manager • Service Onboarding • Service Operations; Customer: Customer Application and Directory Administrators • Customer EmpowerID Administrators |
| Service setup and installation | Core infrastructure provisioning such as application servers, database servers, networking hardware, virtualization, operating systems and applications needed to support the EmpowerID Cloud Identity installation. | EmpowerID: Service Onboarding • Service Operations |
| Production EmpowerID Cloud Identity Service environment | A production environment is made available to all EmpowerID Cloud Identity Service customers. Customers will access EmpowerID Cloud Identity Service design, workspace and management tooling via a web-based URL. Customers may request a specific tenant name for their environment during the onboarding process. | EmpowerID: Customer Success Manager • Service Onboarding • Service Operations; Customer: Customer EmpowerID Administrators |
| Non-production EmpowerID Cloud Identity Service environment | Customers that require additional non-production environments will work with their Customer Success Manager to coordinate provisioning and accessing such additional non-production environments. | EmpowerID: Customer Success Manager • Service Onboarding • Service Operations; Customer: Customer EmpowerID Administrators |
| Service planned maintenance | Scheduled core infrastructure maintenance such as hardware upgrades, operating system and application version upgrades. | EmpowerID: Service Operations • Datacenter Operations |
| Service unplanned maintenance | Unplanned core infrastructure maintenance such as replacement of failed hardware or installation of critical operating system and application patches. | EmpowerID: Service Operations • Datacenter Operations |
| EmpowerID Cloud Identity Service configuration | Configure the EmpowerID Cloud Identity Service and supporting technologies. | EmpowerID: Service Operations |
| Operations Monitoring | Quality-of-service monitoring of infrastructure and EmpowerID to ensure the Service is performing to specification. These metrics are collected and made available to the Service Operations team to adjust the Service as necessary. | EmpowerID: Service Operations |
| EmpowerID Cloud Identity Service Health Dashboard | Customers have access to a Service status monitoring webpage. The details of this page will be provided during the customer onboarding process. | Customer: EmpowerID Administrators |
| Standard Backup | Configure and perform automatic backups of the infrastructure and Service-specific databases. | EmpowerID: Service Operations |
| High Availability | If necessary, address failures using the appropriate failover mechanism. | EmpowerID: Service Operations • Datacenter Operations |
| Recovery | When necessary, restore underlying Service data infrastructure either via a customer request or as the result of an overall disruption in Service. | EmpowerID: Technical Support • Service Operations; Customer: EmpowerID Administrators |
| Disaster Recovery (DR) and Failover testing | Verification that backup is configured correctly and operational by running fail-over and DR tests. | EmpowerID: Service Operations • Datacenter Operations |
| Infrastructure and Service environment troubleshooting | Troubleshooting issues in the core infrastructure and Service environment. Customer application troubleshooting is not included in these services. | EmpowerID: Technical Support • Service Operations; Customer: EmpowerID Administrators |
| Promotion of Workflow Studio Artifacts | Ability for the customer to promote Service application elements (Forms, Workflows, Connectors, Class Libraries) between environments using EmpowerID Package and Deployment tools. | Customer: EmpowerID Administrators • EmpowerID Developers |
| Service security administration | Administer users and permissions for Forms, Workflows and EmpowerID protected resources (directories and applications). | Customer: EmpowerID Administrators • EmpowerID Developers |
| Service system administration | Service administration tasks as necessary to address system instability or reliability issues. | EmpowerID: Service Operations |
| Service usage | Administer and report on licensed usage. | EmpowerID: Service Operations; Customer: EmpowerID Administrators |
| Reporting | Reporting on Service quality. | EmpowerID: Service Operations • Customer Success Manager |
| Requests and tickets | Online system to log requests and support issues. | EmpowerID: Technical Support; Customer: EmpowerID Administrators |
| Technical Support | EmpowerID provides access to EmpowerID support centers and core engineering teams as needed. | EmpowerID: Technical Support |
| EmpowerID API Access | All standard supported EmpowerID Cloud Identity Service web-based APIs are included in the Service. Customers can reference these APIs when building custom applications to connect to the Service. | Customer: EmpowerID Developers |
| Security monitoring and response | Management and containment of security-related incidents or breaches as described in the Security Incident Response section below. | EmpowerID: CSIMT |
| EmpowerID licensing costs | The Service subscription will include specified EmpowerID licenses. Additional charges may apply for additional EmpowerID components and/or services. Customers may acquire additional EmpowerID licenses as user counts or usage increase. | EmpowerID: Service Operations • Customer Success Manager; Customer: EmpowerID Administrators |
5.2 ADD-ON AND ADDITIONAL COST SERVICES
Services which may incur additional cost include (but are not limited to) the following:
| Service | Notes |
|---|---|
| Troubleshooting | Where EmpowerID’s troubleshooting exercises repeatedly (more than 3 times) determine that the root cause is related to “how-to” or non-EmpowerID issues, issues related to custom development not performed by EmpowerID professional services, or customer-related operational issues, further EmpowerID assistance may be available through EmpowerID professional services. |
| Customer-initiated data recovery | Customer-initiated requests to restore point-in-time data from a database backup may be made via a Technical Support Ticket request. The capability to recover data is based upon the Recovery Point Objective policy associated with the customer’s Service. |
| Investigation of impact of data restoration | EmpowerID Cloud Identity Service typically acts as middleware and interacts with various systems based on workflow tasks, connector jobs, escalations or other mechanisms. Restoration and re-activation of restored workflows might cause unexpected issues, such as duplicated transactions in other systems or re-escalations. As these issues may be solution specific, EmpowerID professional services can be engaged to investigate the impact of restoring an EmpowerID Cloud Identity database to a specific point in time. |
| Configuration of additional integration points and custom connectors | EmpowerID professional services can assist in the configuration of additional integration points, custom connectors and functionality that is not part of the onboarding process for standard workflows and standard connectors. |
| Creation of additional custom workflows | EmpowerID professional services can assist in the creation of custom workflows that are not part of the standard onboarding process. |
| Additional production and non-production environments | Additional instances of production and non-production Service environments are available separately. |
| Configuration of additional network infrastructure | Customers that wish to connect Service environments to on-premises systems via the Cloud Gateway are responsible for obtaining all related network infrastructure and configuration. The Service Operations team will assist in the “last mile” connection to the Service. Customers will be responsible for the external network infrastructure costs. |
5.3 EXCLUDED SERVICES
Actions which are not provided as part of the Service may include (but are not limited to) the following:
| Service | Notes |
|---|---|
| Managed Directories and Applications configuration and setup | Service Onboarding will provide requirements, instructions and policies for setting up managed directories and applications in preparation for Service onboarding. Such changes need to be made by the customer and are not provided as part of the Service. |
| Workflow and Connector testing | EmpowerID tests standard workflows and standard connectors against new and updated versions of the EmpowerID Cloud Identity Service. Testing of the customer’s new or existing custom workflows or new and existing custom connectors against new versions of EmpowerID software is not included in the Service. EmpowerID software upgrades could have both expected and unintended effects on custom applications and custom connectors. While EmpowerID continues to invest significantly in testing and QA to minimize the impact of upgrades to the Service, ultimately it remains the customer’s responsibility to test custom applications and custom connectors against new versions of the Service. See the Change Management section for more information. |
5.4 SERVICE REGIONS
The EmpowerID Cloud Identity Service runs in Microsoft Azure. Currently Azure has over 60 announced regions, more than any other cloud provider, and you have a choice of datacenters and regions that are right for you and your customers subject to the availability of Azure Kubernetes Service (AKS) in that datacenter and region. EmpowerID will work with clients during the design of the integration plan to develop a solution that meets the client’s operational and data residency needs.
You can learn more about the Azure Global Network here:
https://azure.microsoft.com/en-us/global-infrastructure/global-network/#overview
NOTE: Customers are responsible for validating that they can legally operate in the third-party datacenter regions described above. Customers should also be aware that in some situations both Datacenter Operations and Technical Support may be hosted in a country other than where the datacenter is located. Not all datacenters and regions can host all services required by the EmpowerID Cloud Identity Service.
6 SERVICE AVAILABILITY
The Service is designed to be available to the customer 24 hours a day, 7 days a week, 365 days a year, except during system maintenance windows, unplanned downtime and as otherwise detailed below.
6.1 OVERALL SERVICE AVAILABILITY
The Service is available when the customer can access the Service production environment.
NOTE: The EmpowerID Cloud Identity Service offers customers a 99.9% Overall Service Availability within a billing month.
Overall Service Availability is measured as a “Monthly Uptime Percentage” and is calculated via the following formula:
6.2 TOTAL AVAILABLE MINUTES PER MONTH
Total available minutes per month is the total minutes in the applicable billing month less Scheduled Maintenance.
6.3 DOWNTIME MINUTES
Downtime minutes is defined as the total minutes in a billing month in which the Service is unavailable, excluding (i) Scheduled Maintenance or (ii) unavailability of the Service due to issues described in the Service Level Exclusions below.
6.4 SCHEDULED MAINTENANCE
Scheduled maintenance events are planned, periodic major updates and major upgrades made by Service Operations to the Service environment. Service Operations will communicate any planned downtime to customers as per this Service Level Policy.
6.4.1 SCHEDULED MAINTENANCE NOTIFICATION
| Notification Type | Target Notification Window | Notes |
|---|---|---|
| Notification of Standard Scheduled Maintenance, including minor Service updates and patch rollups not related to Service major updates and version upgrades | 3 days | Service Operations will provide three days’ notice of Standard Scheduled Maintenance. Notifications will be posted via the Service Status page. Standard Scheduled Maintenance changes include those applied during scheduled or unscheduled maintenance and will be communicated as per the defined Service Level. Standard Scheduled Maintenance is not expected to affect Service availability or the expected stability of standard and custom workflows and standard and custom connectors. In all cases, EmpowerID will retain a history of changes applied for auditing purposes. |
| Notification of Major Scheduled Maintenance for major Service updates or Service version upgrades | 30 days | Customers will be notified in advance of planned Service version upgrades to allow for testing custom developments against the new update or new version in a pre-production environment. Notifications will be sent to the primary customer contact for the Service. For more information on EmpowerID releases, please refer to the EmpowerID Product Release Strategy. |
6.5 UNSCHEDULED MAINTENANCE
Unscheduled maintenance events are unplanned, ad-hoc updates, fixes or changes made by Service Operations. Most of these maintenance tasks are performed without any impact on Service availability, but some maintenance tasks may require updates that make the Service unavailable for a short period to address time-critical issues, and may result in unplanned downtime. Additionally, any outages of the underlying third-party datacenter which may affect the quality of the Service generally or a customer’s Service environment specifically may result in unplanned downtime.
| Notification Type | Target Notification Window | Notes |
|---|---|---|
| Continuous Maintenance consisting of patches and fixes, emergency patches and fixes, and datacenter resource remediation | None | For changes that will not affect Service availability or the expected stability of standard and custom workflows and standard and custom connectors, or where an emergency patch or fix must be applied to mitigate downtime or service instability, Service Operations will apply such changes without notice. In all cases, EmpowerID will retain a history of changes applied for auditing purposes. In case of emergency maintenance or downtime, Service staff will make reasonable efforts to communicate the downtime to affected customers. |
6.5.1 UNSCHEDULED EXTENDED MAINTENANCE NOTIFICATION
| Notification Type | Target Notification Window | Notes |
|---|---|---|
| Notification of unscheduled maintenance | As fast as practical | For broader Service outages that require unscheduled maintenance, the Service Status page will be updated. Customers should subscribe to updates via the Service Status page. For isolated incidents within customer-specific tenants, EmpowerID Service staff will make all reasonable efforts to communicate the downtime directly to affected customers. |
6.5.2 STAGGERING EMPOWERID SOFTWARE MAJOR UPDATES AND NEW VERSIONS
Customers have the ability to request a delay in scheduled service-initiated changes of a production environment to allow for additional testing or problem remediation in associated non-production environments prior to the update of their corresponding production environment by coordinating with their Customer Success Manager. A production environment service-initiated change can be delayed by a maximum of thirty business days.
For customers that have both a production and development environment, both environments must be updated to the same version within a given Service update period.
NOTE: It is important to note that the migration of new customizations and developments (whether client-created or EmpowerID-created solutions) between non-production and production environments will not be possible during the period in which the non-production and production environment versions are not in sync.
A production EmpowerID Cloud Identity Service environment can only be delayed further in cases where an issue is discovered during regression testing of a customer non-production environment that would introduce the same issue within production.
NOTE: There are certain circumstances in which delaying the upgrade of an environment cannot be scheduled, specifically when multiple client environments share a managed directory or application. A change to either of the EmpowerID apps associated with these types of tenants will render other connected tenants potentially problematic; all tenants that share resources such as these should be upgraded at the same time.
6.6 SERVICE LEVEL REMEDY POLICY
When Overall Service Availability of 99.9% is not met in a given subscription month, EmpowerID, after confirming the nature and accuracy of the availability issue(s), will credit the customer’s account by the percentage of the monthly portion of the annual Subscription fee amount (“Service Credit”) equal to the percentage of the monthly downtime (downtime minutes divided by total available minutes in a given month), subject to the terms provided below.
To receive a Service Credit, the incident must have been recorded by EmpowerID’s system downtime monitoring logs which are available to the customer, or the customer must have opened a Technical Support Ticket for the availability issue, and the customer must notify the Customer Success Manager associated with the customer’s Service within thirty (30) days of the end of the month in which the Overall Service Availability was not met to provide the following:
- The Technical Support Ticket number
- A detailed description of when the Service was not available including duration of the downtime
- How the customer was affected
- Description of the steps the customer initially took to attempt to resolve the issue
EmpowerID reserves the right to withhold a Service Credit if it cannot verify the downtime or if the customer cannot provide evidence that they were adversely affected as a result of the downtime.
A customer must be in compliance with the Agreement in order to be eligible for a Service Credit. Customers in breach of the Subscription Agreement, including payment obligations, are not entitled to a Service Credit.
6.7 SERVICE LEVEL EXCLUSIONS
Unless specified otherwise, the Overall Service Availability applies only to a customer’s Service production environment. Service Credits for Overall Service Availability of non-Production environments are not offered.
Overall Service Availability does not include the following:
- A failure, degradation of performance or malfunction resulting from scripts, data, applications, infrastructure, software, penetration testing and/or performance testing directed, provided or performed by customer.
- A failure, degradation of performance or malfunction resulting from changes to connected systems or directories, whether cloud or premise-based, that is the result of a change, deprecation or removal of a feature by an application or directory vendor other than EmpowerID. If a failure, degradation of performance or malfunction results from a change or changes to connected systems or directories, EmpowerID will respond to the problem based on the Priority level assigned to the event; however, if no commercially reasonable solution is available as a workaround or permanent resolution, such event will be considered a force majeure event, and EmpowerID will only correct the problem if and once the responsible vendor introduces a subsequent fix or modification that allows a commercially reasonable solution to be developed by EmpowerID to correct the problem.
- Planned outages, scheduled maintenance, or outages initiated by Service Operations at the request or direction of customer for maintenance, activation of configurations, backups or other purposes that require the Service to be temporarily taken offline.
- Interruption or shutdown of the Service due to circumstances reasonably believed by Service Operations to be a significant threat to the normal operation of the Service, the operating infrastructure, the facility from which the Service is provided, and/or access to, or the integrity of, customer data (e.g., a hacker or malware attack).
- Outages due to unsupported system administration, commands or changes performed by customer users or representatives.
- Outages due to denial of service attacks, natural disasters, changes resulting from government, political, or other regulatory actions or court orders, strikes or labor disputes, acts of civil disobedience, acts of war, acts against parties (including carriers and other EmpowerID vendors), and other force majeure events.
- Inability to access the Service or outages caused by the customer’s conduct, including negligence or breach of the customer’s material obligations under the Service, or by other circumstances outside of Service Operations’ or EmpowerID control.
- Lack of availability or untimely response time of the customer to respond to incidents that require customer participation for source identification and/or resolution.
- Outages caused by failures or fluctuations in electrical, connectivity, network or telecommunications equipment or lines due to customer conduct or circumstances outside of Service Operations’ control.
6.8 NETWORK BANDWIDTH AND LATENCY
The Service is not responsible for a customer’s network connections or for conditions or problems arising from, or related to, a customer’s network connections (e.g., bandwidth issues, excessive latency, network outages), or caused by the Internet. This includes any connectivity between the Service environment and any resources managed by the customer. Service Operations monitors network performance within the Service environment and will address any networking issues within the Service environment that may impact availability or latency.
7 TECHNICAL SUPPORT
Standard Technical Support is provided as part of the Service. Additional premium support is available for separate fees. The Technical Support Policy for the Service is available for review on request.
8 HIGH-LEVEL ARCHITECTURE
Figure 1 below illustrates the default high-level architecture for the production environment of an EmpowerID Cloud Identity Service subscription.
Figure 1 - EmpowerID Cloud Identity Service Architecture
9 DATA INTEGRATION
The Service natively provides the ability for customers to connect to data systems external to the Service as a means to integrate critical line-of-business systems into the workflows and automated Identity Management processes offered by EmpowerID Cloud Identity Service. These connections, called Connectors, can be configured as standalone read, standalone write, or bi-directional read-write connections, and allow a customer to interact with data in the systems of record without manually importing data into and out of the Service. The data integrated via Connectors is cached within the Service for Identity Analytics analysis as well as access reporting and policy enforcement. The EmpowerID Cloud Identity Service Connectors periodically inventory connected directory and application data stores to ensure that customer data is always the most current version available.
9.1 STANDARD DATA INTEGRATION OPTIONS
Refer to Product Compatibility, Integration and Support for more details: https://dotnetworkflow.jira.com/wiki/spaces/EAG/pages/454233824/Integrations
NOTE: Additional external data sources can be configured to connect to the EmpowerID Cloud Identity Service. Such connections may require additional configuration assistance, which can be provided by EmpowerID professional services.
9.2 DATA INTEGRATION SECURITY
Each external system that can be integrated with the Service allows for definition of a Security Provider during configuration of the Connector. For all systems, the following Security Providers are available:
- Static
- Service Account
- OAuth
Customers should evaluate the authentication needs of the external systems being connected prior to configuring data integration.
NOTE: Neither Service Operations nor Technical Support will provide assistance in configuring integration into specific external line-of-business systems. Documentation will be provided around specific integration-type capabilities via the EmpowerID Learning platform. If a customer has specific requests not addressed by EmpowerID Learning information, additional requests can be coordinated with EmpowerID professional services to provide specific one-on-one assistance.
10 SECURITY
Security of customer data and applications is of utmost importance to EmpowerID. Service subscriptions leverage the security features provided by the underlying infrastructure and system architecture. In addition, the Service constantly looks to improve security by applying new security features as they become available.
The Service has in place various procedural, administrative, technical, and physical safeguards to help protect subscriber accounts, EmpowerID environments and data from loss, theft, misuse, abuse and unauthorized access, disclosure, alteration, and destruction.
10.1 ACCESS CONTROL
10.1.1 SYSTEM HARDENING
As part of the onboarding process and ongoing maintenance, the Service employs standardized system hardening practices such as restricting access, removing or disabling unnecessary software and services, removing unnecessary user accounts, setting up network security, patch management, and logging.
10.1.2 SYSTEM AND APPLICATION ACCESS CONTROL, USER AND PASSWORD MANAGEMENT
Access to underlying Service environments by Service Operations is restricted to authorized personnel only. Service Operations’ access to Service infrastructure is limited to remote connectivity only, secured with accounts controlled by Service Operations. The Service employs strong password policies, including restricted access to authorized usernames and passwords. Service Operations staff are able to access and manage the EmpowerID infrastructure with role-specific permissions, limited to the requirements of managing the Service.
In the event Technical Support needs access to a Service environment for troubleshooting, read-only database access may be granted to Technical Support for the explicit purpose of attempting to resolve an issue. Such access may include the ability to enable or disable logging and extract those logs for further review.
All access requests by either Service Operations or Technical Support will be logged for auditing purposes.
Customer resources will not be allowed to access the Service infrastructure. Administrative access to the Service by the customer will use the standard administration interfaces provided by EmpowerID within the Service, and only when authorization is in place.
As the Service can integrate with third-party cloud applications and data (such as Salesforce, Azure SQL, private and public web services, etc.), integrating with these services may require additional, ad-hoc security and communication configuration based on the technology being integrated and the specific use case of the integration.
The customer is responsible for all end user and application administration within the Service environment. EmpowerID does not own, control or manage the customer’s end user accounts or applications in the Service environment. Customers may configure the environment and applications on the Service environment using EmpowerID’s built-in security features, authorization protocols and administration tools. Customers are responsible for managing and reviewing access for their own employee accounts.
For details on specific authorization for Service environments, please refer to the Authorization section of these policies.
10.2 INFRASTRUCTURE SECURITY
All physical Service infrastructure is hosted on reliable and scalable global datacenter infrastructure with very strict physical access security policies. In addition to infrastructure-specific security policies, the Service subscription adheres to additional industry-recognized security and certification policies such as ISO 27001:2013 and other standards. More details on security certifications of the EmpowerID Cloud Identity Service are available in the Security Certificates and Details section.
Neither EmpowerID nor any customer resources will have physical access to the machines or infrastructure in any Service environment. Only employees of Microsoft’s Azure Datacenter Operations have physical access to underlying machines or infrastructure within the Service environment.
10.3 AUTHENTICATION
A Service environment will leverage the customer’s allowed and configured Identity Sources for authentication to ensure that only valid, authenticated users have access to the EmpowerID environment. If a customer has enabled Multi-Factor Authentication within their EmpowerID subscription, it is also included in the authentication pipeline for all users within the Service.
The Service does permit Anonymous Access for specific workflows and user interfaces if desired. This access is configured and enabled as per the standard Anonymous Access configuration supported by EmpowerID workflows.
NOTE: In certain cases, non-typical credentials could be used to integrate with systems, such as when Basic, Static or OAuth Authentication Modes are used by Connectors to integrate with external systems. Such integration is the responsibility of the customer and not provided as a feature of the overall Service.
10.4 AUTHORIZATION
Authorization policies are applied to ensure that appropriate rights and permissions are in place to restrict access to Service resources and allow only the access that is required to achieve specific tasks. It is possible that certain application requirements may require additional permissions, or that ad-hoc authorization may be required to address issues in the environment. EmpowerID will not make any authorization changes without prior notification, and subject to documented agreement by the customer.
The tables below describe the base-level authorizations that are applied in Service.
10.4.1 SYSTEM ACCESS AND APPLICATION AUTHORIZATION
Virtual access to machines and access to supporting applications will be restricted to the minimum permissions that allow the infrastructure and applications to operate. The table below describes some of the machine and software authorizations that apply in a Service implementation.
| Securable Component | Permissions | Roles | Notes |
| --- | --- | --- | --- |
| Service underlying infrastructure and components | Access through Service administration interfaces | Service Operations; Technical Support | Service Operations staff will have remote access to the Service environment and be able to perform administrative operations on the infrastructure. Technical Support may be allowed read-only database access to the customer environment for the express purpose of attempting to resolve a customer issue. Technical Support may enable/disable logging and export logs for review. All access requests by Service Operations or Technical Support are logged for auditing purposes. Customer users will not be allowed to access the Service infrastructure. |
| Customer Remote Cloud Gateway, Directories, and Applications | Administrative access | Service Operations | Service Operations staff will not have access to customer servers or machines in the customer environment. |
| EmpowerID database | Database administration and ownership | Service Operations; Technical Support; EmpowerID Service Account | Service Operations will have administrative access to the EmpowerID databases. Technical Support will have read-only access to the EmpowerID databases. The EmpowerID Service Account also has the ability to interact with the EmpowerID database. |
10.4.2 INTEGRATION-SPECIFIC AUTHORIZATION
Integration with applications outside of the Service environment (such as interacting with cloud-based data providers or on-premises data sources) will be application-specific and subject to the particular requirements of the application. For example, some integrations may leverage an OAuth token flow; the target system can then apply authorization based on the credential used by EmpowerID for integration. In all cases, the specific authentication mode and authorization applied will be established based on the application requirements and the infrastructure support. As such, it is not possible to provide integration-specific authorization information in advance, because the authorization necessary will depend on the integration.
10.5 NETWORK TRAFFIC SECURITY
Customers will connect to the Service via the following different primary mechanisms:
- Directly to Service tooling via a web browser
- By utilizing third-party reporting tools
- By utilizing the EmpowerID Workflow Studio Windows application
- Via customer-managed, custom applications
- Via a device-specific EmpowerID Mobile application
In each of these scenarios, traffic between the Service and the customer will travel over secure and encrypted TLS/SSL channels.
Figure 2 – Network Security of connections to EmpowerID Cloud Identity Service
10.5.1 DATA TRANSPORT ENCRYPTION
As data is either retrieved or generated from within the Service, it is secured during transport to the client. Internal network traffic within the Service environment is secured using network subnets utilizing Access Control Lists (ACLs) to restrict network communication to resources within the Service environment only. All communication is made over secure and encrypted channels.
For customers that are connecting to systems external to the Service via Connectors, secured communication channels should be utilized whenever possible.
10.5.2 NETWORK AND FIREWALLS
All data communication within the Service environment (for example, communication between the EmpowerID application servers and the EmpowerID database) occurs within the underlying protected network and does not touch the public Internet until data is returned to the calling client via secured TLS/SSL channels.
10.5.3 ISOLATION AND SEGREGATION
Each Service subscription, along with the resources within that subscription (including the EmpowerID environments, servers, data storage and network communication), is logically separated per customer.
10.6 DATA SECURITY
Data stored within the Service is kept separate in individual customer environments and is isolated from neighboring environments.
The data stored in the Service itself is protected from unauthorized access with underlying data infrastructure security applied to logins and roles, based on the standard minimum-permission model applied by the Service.
10.6.1 TRANSIENT DATA
The Service architecture is designed to securely retrieve or update data in real time from external systems. When communicating directly with an external system, SSL configuration is recommended for every connection between the Service and an external system; however, this is ultimately at the discretion of the customer when establishing connections. See Network Traffic Security section for additional details.
NOTE: Customers should be aware that the database roles required for maintaining an EmpowerID database mean that Service Operations may have access to the data stored in the EmpowerID Connector data stores. Service Operations is restricted from altering, deleting or extracting that data from the Service. Any interaction that Service Operations has with customer data stored within the Service is initiated only after a customer logs a Technical Support ticket to address a particular issue, or during ongoing development projects and upgrades, and never without direct customer request and notification.
10.6.2 BACKUP DATA
Customer application data, system configuration data and underlying Service database and database backups are securely stored as part of the Service High Availability capabilities.
10.6.3 CUSTOMER DATA OWNERSHIP
EmpowerID does not claim ownership of customer data in the EmpowerID database. To obtain such stored data from the Service, a customer must initiate a request via the Technical Support ticket system indicating they would like to obtain such data. Technical Support will work with Service Operations to provide an extract of the data in a timely manner. More details are available in the Customer Data Ownership Rights section.
10.7 MOBILE DEVICE SECURITY
Communication between devices operating the EmpowerID Mobile App and the Service environment occurs via HTTPS-secured connections to the public-facing EmpowerID web-service endpoints and websites.
Data for the EmpowerID Mobile App is stored in a device-specific local database on the device and locally encrypted. Additionally, user credentials are encrypted using device-specific encryption capabilities.
10.8 SECURITY INCIDENT RESPONSE
While reasonable precautions are taken to secure Service environments from security threats and breaches, in any connected environment there is always a risk of security incidents that might originate from external or internal threats. The Service has in place certain teams, policies and procedures to deal with security incidents.
Security incidents that are not automatically detected by Service Operations can be reported through the normal support channels or, in case of emergency, by contacting security@EmpowerID.com.
10.8.1 COMPUTER SECURITY INCIDENT MANAGEMENT TEAM (CSIMT)
EmpowerID has established a Computer Security Incident Management Team (CSIMT) to resolve Service security incidents. The table below describes the roles and responsibilities of the CSIMT:
| Role | Responsibility |
| --- | --- |
| Technical Support Engineer | The Technical Support Engineer is the first line of support when reporting any security incidents and will initiate CSIMT responses. |
| Service Operations Manager | The Operations Manager will begin to isolate the incident and preserve any forensic evidence and will determine the scope of the incident in conjunction with Service Security Analysts. |
| Service Security Analyst | Security Analysts will assist the Chief Engineer to better understand the nature and root cause of the incident. |
| Service Engineering Director | The Engineering Director owns the CSIMT process and works with all other team members to ensure the proper steps are followed and the incident is addressed and documented with appropriate action towards resolution. |
| Security Officer | The Security Officer will coordinate with executive leadership for risk and damage analysis and consolidate all communications to inform subscribers and media of any incidents. |
| General Counsel (GC) | This role is primarily responsible for overseeing legal and liability matters, including liaising with local, state and federal authorities. |
10.8.2 INCIDENT RESPONSE PLAN
In the unlikely event of a security-related incident or breach, EmpowerID has a system to report, contain, analyze, communicate and resolve security related incidents. This incident response plan outlines the roles and procedures in place for responding to security incidents involving the Service, infrastructure and systems. The plan does not cover security breaches within a customer’s internal environment or other third-party environments connected or integrated into the Service.
- Monitoring
  - Service Operations actively monitors automated metrics for system-level events and will investigate and report incidents accordingly.
  - Service penetration tests are performed periodically and identified issues are addressed.
  - Customers are encouraged to monitor for any unusual activity or behavior and report any suspicious or malicious events immediately by contacting Technical Support.
- Incident Reporting and Escalation
  - All security-related incidents must be reported to Technical Support Engineers, who will log the incident and begin the primary investigation.
  - If the primary investigation warrants escalation, the Technical Support Engineer will escalate to the Service Operations Manager, Service Chief Engineer and Service Engineering Director.
  - Following investigation, if the incident is a valid security incident, the Security Officer is notified and assists in the incident response.
- Containment
  - The Technical Support Engineer and Service Operations Manager will initiate an immediate lock-down procedure to contain the incident and preserve any forensic evidence.
  - The Service Engineering Director will oversee the containment process and notify the Security Officer of the incident.
  - The Security Officer will notify subscribers of any planned downtime due to lockdown and containment procedures.
  - If additional help is required, outside forensic assistance may be utilized to assist in the investigation.
- Analysis
  - The Service Engineering Director will coordinate with all involved parties to analyze the extent of the incident.
  - The Security Officer will coordinate with executive leadership to analyze the financial and material impact of the incident.
  - The Engineering Director and the Security Officer will work together to determine the scope of the incident and how Service business continuity may be affected.
- Communication
  - The Security Officer will work with the General Counsel to involve outside authorities if required.
  - The Security Officer will coordinate timely communication with customers regarding the incident and expected business continuity disruption.
- Resolution
  - The Engineering Director will determine next steps to resolution and whether any Service change requests are needed.
10.9 SECURITY CERTIFICATES AND DETAILS
EmpowerID understands how critical it is for customer applications and data to be secure no matter where they run. We utilize a rigorous program of third-party audits to ensure cloud security and compliance across a number of industry standards.
10.9.1 ISO 27001:2013
ISO 27001:2013 is a widely accepted set of international standards relating to the secure management of information, particularly in a cloud-based environment. The Service has been designed to meet all ISO 27001:2013 standards for cloud security and information management.
11 INCIDENT RESPONSE
The following section details disaster recovery capabilities of the EmpowerID Service.
11.1 DEFINITIONS
11.1.1 INCIDENT
An incident refers to any single event or any set of events that result in downtime.
11.1.2 DISASTER
For the purposes of this policy, a disaster is defined as an unplanned event or condition that causes a complete loss of access to the customer’s production Service instance.
11.1.3 RECOVERY POINT OBJECTIVE (RPO)
RPO is commonly defined as the amount of time between a data backup and when the disruptive event occurred.
11.1.4 RECOVERY TIME OBJECTIVE (RTO)
RTO is the maximum loss of availability following a disruptive event measured by the maximum amount of time before the application fully recovers.
Figure 3 - Visual representation of RPO and RTO
11.2 HIGH AVAILABILITY AND REDUNDANT INFRASTRUCTURE
Production environments feature high availability architectures to ensure that failure of a single node will not affect production availability. These same capabilities are optionally available for non-production environments for separate fees.
11.2.1 NETWORK
Network infrastructure is duplicated where possible (e.g., duplicate NICs) as per the third-party datacenter provider’s policies, or otherwise virtualized for rapid replacement.
11.2.2 APPLICATION SERVERS
Application servers are load-balanced and redundant, so that a failure of all but one application server will not result in system downtime.
11.2.3 DATABASE SERVERS
Database storage is continuously backed up and can be restored to a point in time.
11.3 DISASTER RECOVERY AND DATA RESTORATION STRATEGY
The Service maintains an internal business continuity plan (BCP) and disaster recovery (DR) policies in support of certifications such as ISO 27001:2013.
A Service subscription includes disaster recovery (DR) for the production environment which is intended to provide Service restoration in the event of a major disaster, as declared by the Service.
Data restoration is available in the event of a DR event or upon customer request.
NOTE: The disaster recovery datacenter may not be geographically close to a customer site and may exhibit different latency from the Service.
11.3.2 SERVICE LEVEL – FAILOVER AND DISASTER RECOVERY
| Item | Target Response Objective | Notes |
| --- | --- | --- |
| Recovery Time Objective (RTO) | Within 12 hours after DR event | This refers to the time necessary to restore the Service from backup infrastructure following a disruption event. |
11.3.3 DATA BACKUP AND RESTORE STRATEGY
Data pertaining to the customer’s configuration of the Service resides solely in the EmpowerID database and is natively backed up.
Should a database restore be required (either due to a DR event or following customer-initiated request for restoration), the restore operation can be initiated by submitting a Technical Support request. Details about the impact of a database restore within a customer’s tenant can be discussed with the Customer Success Manager and/or Technical Support Engineer as needed.
11.3.4 SERVICE LEVEL – DATA BACKUP
| Item | Target Response Objective | Notes |
| --- | --- | --- |
| Recovery Point Objective (RPO) | 1 hour or less | The EmpowerID database, which contains EmpowerID configuration data as well as any data stored by the customer in EmpowerID Connectors, can be restored to any restore point within 14 days. Restoration of data is also subject to the Database RTO Service Level detailed above. |
| Data backup retention period | 14 days of backup data | Retention of the last 14 days of the underlying EmpowerID database backups. EmpowerID database restores can revert to any restore point within 14 days. Restoration of data is subject to the Database RTO and RPO Service Levels. |
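As an added illustration (not part of the EmpowerID policy document), the following Python applies the RPO and RTO definitions from section 11.1 and the targets in the two Service Level tables (RPO of 1 hour or less, RTO within 12 hours, restore points within the 14-day retention window) to a constructed incident timeline. The backup schedule, timestamps and function names are assumptions made for the example.

```python
"""Worked check of the recovery objectives stated in these policies.

Added example, not EmpowerID code. It applies the document's definitions:
  RPO = time between the last backup and the disruptive event (data-loss window)
  RTO = time from the disruptive event until the application fully recovers
and compares them with the stated targets. The hourly backup schedule and the
incident timestamps below are constructed for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Targets taken from the Service Level tables in sections 11.3.2 and 11.3.4.
RPO_TARGET = timedelta(hours=1)
RTO_TARGET = timedelta(hours=12)
RETENTION = timedelta(days=14)


@dataclass
class RecoveryAssessment:
    achieved_rpo: timedelta  # event time minus last usable backup
    achieved_rto: timedelta  # full recovery minus event time
    rpo_met: bool
    rto_met: bool


def hourly_backups(start: datetime, hours: int) -> list[datetime]:
    """Constructed backup schedule: one backup every hour from `start`."""
    return [start + timedelta(hours=i) for i in range(hours)]


def last_backup_before(event: datetime, backups: list[datetime]) -> Optional[datetime]:
    """Most recent backup taken at or before `event`, or None if there is none."""
    candidates = [b for b in backups if b <= event]
    return max(candidates) if candidates else None


def assess_recovery(event: datetime, recovered: datetime,
                    backups: list[datetime]) -> RecoveryAssessment:
    """Measure the achieved RPO and RTO for one incident against the targets."""
    if recovered < event:
        raise ValueError("recovery cannot precede the disruptive event")
    last = last_backup_before(event, backups)
    if last is None:
        # Edge case: nothing to restore from; the RPO is undefined, not zero.
        raise ValueError("no backup exists before the event; data cannot be restored")
    rpo = event - last
    rto = recovered - event
    return RecoveryAssessment(rpo, rto, rpo <= RPO_TARGET, rto <= RTO_TARGET)


def restore_point_available(requested: datetime, now: datetime,
                            backups: list[datetime]) -> bool:
    """A customer-requested restore point is serviceable only if it is not in
    the future, lies inside the 14-day retention window, and a retained backup
    exists at or before it."""
    if requested > now or now - requested > RETENTION:
        return False
    return last_backup_before(requested, backups) is not None


if __name__ == "__main__":
    # Constructed timeline: hourly backups for 15 days, incident on day 10.
    backups = hourly_backups(datetime(2024, 3, 1), 15 * 24)
    incident = datetime(2024, 3, 10, 9, 35)
    result = assess_recovery(incident, datetime(2024, 3, 10, 18, 0), backups)
    print(f"achieved RPO {result.achieved_rpo} (target <= {RPO_TARGET}): met={result.rpo_met}")
    print(f"achieved RTO {result.achieved_rto} (target <= {RTO_TARGET}): met={result.rto_met}")
    now = datetime(2024, 3, 16)
    print("restore to 2024-03-05 12:00 available:",
          restore_point_available(datetime(2024, 3, 5, 12), now, backups))
    print("restore to 2024-03-01 12:00 available:",
          restore_point_available(datetime(2024, 3, 1, 12), now, backups))
```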
11.4 MEASUREMENT AND MONITORING
The Service includes automatic measurement and monitoring of the underlying infrastructure and network communication for the Service environment. Any monitoring outside of the Service infrastructure (such as network connectivity to the customer site, or availability of customer systems that integrate with the Service) is not included in the Service. Measurement and monitoring of application-specific performance metrics is not included.
Service Operations monitors system availability constantly and will communicate any availability issues as soon as possible. System status, availability, performance and security notifications and issues will be posted via a Service status webpage.
In addition to the general status updates posted to the Service status site, Service Operations internally monitors various environmental performance, usage and stability metrics. While these metrics are not shared with customers, they do provide monitoring and fault identification capabilities to Service Operations and are a key tool utilized to make sure that a customer’s environment is stable, available and performing to standards.
12 ACCEPTABLE USE POLICY
Use of the Service is conditioned on this Acceptable Use policy. A customer shall not:
- Allow anyone other than authorized users to use the Service
- Sell, resell, license, sublicense, rent, lease or share the Service, or use the Service as an application service or outsourcing offering
- Use the Service to store or send any infringing, libelous or otherwise tortious or unlawful data or material, or any data or material in violation of third-party privacy rights, or to send junk mail or spam
- Use the Service to store or send any computer viruses, time bombs, worms, Trojan horse code, and/or other malicious or harmful code, macros, scripts, files, programs or agents
- Attempt to gain unauthorized access to the Service or applicable infrastructure
- Interfere with or disrupt the delivery of the Service or any data or other material utilized or stored by the Service
- Cause or permit the reverse engineering, de-compilation or disassembly of the Service or any portion thereof, except and only to the extent that such activity is expressly permitted by applicable law
- Disclose results of any Service benchmark tests without EmpowerID’s prior written consent
- Use the Service for purposes of competitive analysis or development of a competitive offering
13 CLIENT DEVELOPMENTS, CUSTOMIZATION AND IDENTITY WAREHOUSE DATABASE COPY ACCESS
13.1 CLIENT CAN DEVELOP AND CUSTOMIZE SHAPES, WORKFLOWS AND CONNECTORS
Client can use Workflow Studio to develop and customize workflows, connectors and other components (collectively “the client custom developments”). To help maintain the robust performance and high reliability of the EmpowerID Cloud Identity Service, client developments will be managed and maintained in EmpowerID’s Azure DevOps.
Using Continuous Integration and Continuous Delivery (CI/CD) pipelines, the client will commit its developments into an EmpowerID Git Repository. An automated process in the client’s DEV environment, triggered via a client-operated workflow, takes the committed changes in the EmpowerID repository and merges them into the running environment, allowing for quick, automated, client-controlled deployments into their DEV environment.
Once the client is satisfied the developments are ready to be promoted to the TEST or PROD environment, they will submit a change request to the EmpowerID infrastructure team to have the approved developments promoted to the specified instance. EmpowerID will then deploy the developments during a change window as specified by the client in the change request. A minimum lead time to execute the change request will be required based on the client’s SLA.
The client is responsible for testing all client custom developments both prior to deployment to the running environment and when major updates and major upgrades take place. Downtime that results from a client custom development defect will not count as service downtime for the purpose of calculating service downtime credits. If system instability or downtime is experienced following the introduction of specific client developments, EmpowerID may elect to roll back to the container version prior to the introduction of those client developments to mitigate problems with the service.
13.2 CLIENT MAY ACCESS A READ ONLY COPY OF THE IDENTITY WAREHOUSE DATABASE
Direct access to the EmpowerID Cloud Identity Service’s Identity Warehouse databases is not permitted, in order to maintain the security and integrity of the databases. However, for a separate monthly fee, the client can request access to a read-only mirror of the Identity Warehouse database in order to execute reads, queries and query-based collections, build reports, and perform other operations when access to the data contained in the Identity Warehouse is needed.
14 SUSPENSION AND TERMINATION POLICY
14.1 TERMINATION OF SERVICE
For 35 days after the termination or expiration of the Service, EmpowerID will keep available customer production data – if any – for retrieval by the customer. After such 35 days, EmpowerID will have no obligation to retain the customer data, and EmpowerID shall delete any customer data from the Service. A customer can request immediate deletion of any customer data from Service upon termination as well. Upon request, EmpowerID will issue the customer with a certificate validating the deletion of data.
Within the 35-day post-termination period, a customer may request production environment data retrieval through Technical Support. EmpowerID will provide assistance to allow the customer to retrieve or export such data from the customer’s production Service EmpowerID database. Data will not be made recoverable for customer non-production environments.
14.1.1 TERMINATION OF TRIAL ENVIRONMENTS
EmpowerID will not retain data used in any trial or proof-of-concept environments after the applicable evaluation period has expired.
14.2 SUSPENSION OF SERVICE
EmpowerID may temporarily suspend customer access to or use of the Service if the customer or users acting on behalf of the customer violate any provision of the Subscription Agreement or these policies, or if, in EmpowerID’s reasonable judgment, the Service or any component thereof is about to suffer a significant threat to security or functionality. Service Operations will make reasonable efforts to provide advance notice to customers of any such suspension and to promptly re-establish the affected Service once the issue has been remedied.
14.3 CUSTOMER DATA OWNERSHIP RIGHTS
Each client retains ownership of its data residing in the Data Depository database, or in any other data repository in the EmpowerID Cloud Identity Service. EmpowerID has no ownership rights in such customer data. A client subscription to the EmpowerID Cloud Identity Service does not grant any rights in EmpowerID software, or other software and code that helps run the service. For clients located in the European Union (EU) or who are subject to EU regulations, please review the EmpowerID Data Processing Addendum (DPA) to understand how EmpowerID handles your data during the usage of the service and how EmpowerID stays in compliance with the EU data privacy regime (GDPR).
EmpowerID is a trademark and tradename of The Dot Net Factory, LLC. © 2020 The Dot Net Factory, LLC. All rights reserved.
Information contained herein is subject to periodic update. Where any conflict between the terms, concepts, conditions or policies exists between this document and client’s subscription agreement with EmpowerID, the subscription agreement shall prevail.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.