Data Privacy

Introduction

Corma's software and services are designed with security by design. Clear procedures and automated controls ensure your data remains protected while you stay in control. Those controls have been tested and audited by external parties granting Corma the ISO 27001 certification. You can verify Corma's ISO certification with this link.

This document has the goal to answer your questions and concerns around data privacy and security at Corma in a digestible and easy to read manner. Besides this document, feel free to consult our official GDPR statement and Data Processing Agreement with your company.

1. Security at Corma

The security of our systems and data is a key element of our product and our business. We attach the utmost importance to implementing good security practices and technical and organisational measures to manage security appropriately and adequately and to ensure resilience to the threats and risks we face. We have the ambition of becoming a market leader in our domain by providing the best possible service with the highest possible value to our users. We believe that this cannot be achieved without a strong Cybersecurity posture. Corma’s Cybersecurity programme is constantly evolving to reflect the company's ambitions, but also to adapt protection in the face of the constant increase in threats targeting SaaS companies. The security strategy is built around these 3 missions:

• Credibility and Trust, with the primary aim of offering professional-level security measures and to ensure constant compliance with customer requirements;

• Control and Resilience, which are based on a risk-based approach strategy necessary for the proper implementation of security measures;

• Detection and Response, to be able to react appropriately and within an appropriate timeframe in the event of suspicious events.

We are certified as compliant to the ISO 27001 standard.

2. Why is Corma collecting data?

Corma offers a service to companies which provides them with full visibility into software usage within the company and helps them to better manage their software accesses. Corma needs to collect certain data points to be able to provide its services.

However, we have no interest in collecting data that would go beyond the need of discovering SaaS tools inside the company and to understand its usage patterns. All of this happens on an aggregated level, so no individual data is of interest to Corma.

3. What are the technicalities of the data collection?

On a technical level, data collection at Corma involves capturing and storing various types of information. The primary data elements include URLs of softwares based in the Cloud called SaaS or authentication tokens generated by the SSO provider or SaaS provider. Additionally, we collect GAIAs (Google Accounts and ID Administration), which are encrypted for security, and record timestamps of time spent on softwares. The data is stored in a dynamic (RDS) database hosted on a Virtual Private Cloud (VPC) in AWS which is hosted inside the European Union.

To maintain data accuracy and integrity, the database utilises triggers, primary keys, and foreign keys. Partitioning is employed to reduce research costs and optimise data retrieval. For added security, GAIAs are hashed, emails are not used or stored and sensitive information, if present in spite of our filters, is immediately removed. The software usage data is linked to a SaaS Whitelist, dynamically updated every week, which verifies and classifies SaaS usage. The goal of the whitelist is to prohibit the tracking of private tools. If a tool passes through our 30,000 software list, we reclassify it accordingly under 24 hours.

To summarise, Corma's Library adopts a comprehensive approach to collect and manage data, ensuring data quality, security, and accessibility.

Map of our current Corma system, as of 04.2024

4. Which data is Corma collecting?

Corma is collecting different types of data which are necessary to provide our services. We are trying to limit the data collected to the minimum necessary and avoid collecting additional personal data.

Personal Data

While using Our Service, We may ask You to provide us with certain personally identifiable information that can be used to contact or identify You. This typically means the email address.

If you choose to share any personal information (such as your email address) with us, we will not share this information with third parties without your explicit permission, except when required by law, subpoena or court order.

WebSite Data

Like most Web sites on the Internet, our servers record certain information they automatically receive from the browser, such as the requested page, Internet Protocol (IP) addresses, browser type, language preference, referring site and so on. For the nature of our Product, this includes Domains of websites visited, timestamps of visits and history. More specifically we collect the following:

• URLs

• Distinguished between professional SaaS and leisure SaaS

• We aim to divide all the URLs together

• GAIAs (Google Accounts and ID Administration), encrypted

• Time spent on website

• Method of authentication (SSO or not SSO)

• Time stamp of sending

Statistical Information

By analysing the Web site usage as explained above, we may compile certain statistical information, such as most popular or most visited pages on our sites. This aggregated statistical data cannot be not linked to any personal information, and we may share such non-personal statistical information with partners or other third parties without expressed personal consent.

5. How is privacy ensured?

There are several pillars to us ensuring data privacy.

Anonymising data on send

When data is sent from the browser extensions it is done so in a anonymous way to ensure that in the event of the data being intercepted by malicious agents on your network, that data is not traceable to a specific individual.

Automatic exclusion of private tools

Corma excludes personal internet usage. Corma has no interest in the private habits of its users. Corma is using a database of SaaS tools (‘Software as a Service’) which encompasses all tools that are commercially available and business-related. Corma is only observing the usage of those tools. Private software, like Youtube, Twitter or Youtube etc. are automatically excluded. Also, if a user logs in with his or her private email address, Corma will not track the tool usage as we assume that it is for private purposes.

Corma’s data collection is strictly confined to work-related software usage. No private software usage gets tracked in any way.

Data aggregation for anonymity

We provide companies with understanding of software usage in their companies and enable them to get the most out of their software stack. To deliver this value, Corma has no need to and does not provide personal data from employees beyond what is critically needed for Corma to function. Corma is only providing aggregated data to its customers.

Consequently, Corma automatically aggregates all data that is collected and only displays them in an aggregated fashion. The maximum of granularity is the number of daily, weekly and monthly usage, last activity as well as the number of logs to determine the level of usage..

Automation for automatic privacy

Excluding private tools or logins with private email addresses are automatically excluded from Corma’s data collection. This happens automatically inside the browser extension, so before it gets to the Corma servers. This automatic bouncing back of private information ensures that no personal data lands at Corma.

6. How and where is the data stored?

All data is stored within France or within the European Union. All the usage data collected from our plugin is stored in French Servers. To display the aggregated data European Servers are used.

7. Who has access to what data?

Inside the Corma company, access to data is restricted on a need-to-know basis. The administrators have the view. In Corma’s case, all members or employees of the organisation have a contractual obligation to keep data they might have access to confidential and not disclose any of it to unauthorised parties. On top of that, nobody has any access to individual usage data or is able to link data to individual users as we are not physically in the client companies. Corma does not provide any personal data to its clients.

*Excluding governmental authorities. Legally, Corma is required to provide data to governmental authorities upon request in the case of the legal requirement to cooperate with official agencies.

8. How secure is the storage?

We secure the storage according to AWS requirements as our database is stored in their Virtual Private Cloud. It is industry standard and our password access also reflects that standard. It is located on the Paris servers of AWS and all our sensitive tools such as the Cloud are accessible only through MFA and to a limited number of team members with access reviews conducted monthly.

9. GDPR compliance

Corma is transparent about its data flows and our close Data Protection Officers relationships describe us as GDPR compliant. We highly value the importance of Data Privacy and Protection. We also believe that we can provide Corma’s service without raising any concerns on the employees privacy.

Corma adheres to GDPR compliance by implementing a privacy-conscious approach to data handling. Personal data is protected through encryption and hashing techniques to ensure individual privacy. The company maintains a strict data retention policy, storing information for only the necessary period. Access controls and audit logs are in place to monitor data access and enhance security. Overall, Corma prioritises data privacy and security, building trust with users and ensuring strict adherence to GDPR regulations.

10. Is Corma in any way certified?

Yes. Corma is ISO/IEC 27001:2022 certified, confirming that the product and services Corma provides are mature, robust, and secure, and that we are actively creating an organization that supports these goals. It also means that our software development processes and practices meet required levels of oversight and monitoring, so that we can proactively monitor, identify and address any unusual activity, remediate it with deep contextual insight, and take corrective action, if and when it is needed. Verify the certification.

11. What can be done in case of additional questions or concerns?

We openly address concerns around data privacy and protection. Please do not hesitate to reach out to the Corma team or the Data Protection Officer of your company (who must be legally assigned). If you would like to dive deeper or get additional information, you can find it in Corma’s privacy policy or read in the Data Processing Agreement between Corma and your company.

If you want to learn more about your legal rights around this topic, please consult our privacy policy where the legal basis and your rights are outlined.