ZenGRC and Services Privacy Policy

Last Updated: February 21, 2020

Reciprocity provides the ZenGRC application (“ZenGRC” or “the application”) in a Software-as-a-Service cloud hosting model. Part of the application functionality includes integration with third party services such as Google Apps for Business, Box.com, Jira, etc. (“Integrated Services”), to further extend the functionality of ZenGRC. This Privacy Policy details the types of information collected, used, stored, and processed by ZenGRC and its Integrated Services.

Ownership and Access

Reciprocity does not own or manage any information submitted by Customers to the ZenGRC application or Integrated Services. Customers are responsible for the accuracy, integrity, reliability, and appropriateness of any data submitted.

Reciprocity personnel may be able to access information stored in ZenGRC or linked from a Customer’s Integrated Services. Customers may at any time revoke such access themselves or request that Reciprocity remove it.

Users will be prompted for explicit permission by ZenGRC before any access is allowed to an Integrated Service. This permission may be denied by users if they do not wish to grant access to such Integrated Services.

Details we provide to users

When ZenGRC asks for authorization to access an Integrated Service, we present the user with a dialog. This dialog provides details regarding the requested integration, including:

  • Who is requesting access: The ZenGRC application is the requestor.
  • What data is being requested: This will vary depending on the Integrated Service being accessed, but generally will be a document repository or ticketing system. The access will usually be ongoing rather than a specific file or data store, to enable continuous access to the most current information (e.g., all current tickets stored in Jira, or the most recent files uploaded to a Google Drive folder).
  • Why the data is being requested: The purpose of all ZenGRC integrations is to extend the functionality of the tool, i.e., to allow users access to all their compliance-related data inside a single application. To that end, access to Integrated Services is requested to allow information stored in such systems to be viewed, used, or manipulated within ZenGRC. Note: no access requests to Integrated Services are initiated without explicit user action. ZenGRC functionality is extended by, but not reliant upon, Integrated Services.

ZenGRC’s Data Use and Handling in Integrated Services

ZenGRC may access Integrated Services on behalf of users for a variety of reasons, as detailed below:

  • Access & Use: Where permitted by users, ZenGRC will access Integrated Services for the purpose of retrieving and displaying files or data related to the information stored in ZenGRC. Examples might include screenshots or documents which relate to audit evidence requests.
  • Store: ZenGRC allows users to conveniently store information in an Integrated Service. For example, this functionality allows users to store files related to audit evidence requests without having to leave the ZenGRC application, or create Jira tickets to assign work from within ZenGRC.
  • Delete, Share, or Other Actions: ZenGRC will never delete information from an Integrated Service or take other actions without express direction by a ZenGRC user. For example, the application may delete a document stored in an Integrated Service if the ZenGRC user requests that the document be deleted. ZenGRC does not share or take any other actions with information stored in an Integrated Service.

ZenGRC Data Protection

Reciprocity stores all ZenGRC application data within secured, limited access networks. Data access, secure storage, and monitoring are included in the scope of Reciprocity’s Information Security Management System, which undergoes an annual SOC 2 Type II audit. For more details of Reciprocity’s ISMS or SOC 2, please contact privacy@reciprocitylabs.com.

Data stored in Integrated Services is subject to the protections offered by the service provider (Data at Rest). When the ZenGRC application accesses such data, it is encrypted using industry-standard methods such as TLS (Data in Transit). The exact methods of Data in Transit protection depend on the features and capabilities of the Integrated Services provider, such as the API or other access methods provided.

Reciprocity does not sell, trade, or otherwise transfer Customer-supplied information to any outside third parties, except where required by law.

Changes to this policy

Reciprocity may revise, update, or amend this policy and will publish any changes on this page. If you continue to use the service after a change is published, you agree to the terms of the revised policy.

Contacting Reciprocity

If you have questions or concerns about this Privacy Policy or our privacy practices, or would like to exercise your privacy rights, you may contact us via any of the following methods:

E-mail: privacy@reciprocitylabs.com

Toll-free Number (USA): +1-877-440-7971

You may also write to us at:

Attn: Privacy
Reciprocity, Inc.
755 Sansome Street
6th Floor
San Francisco, CA 94111

Our EU Representation:

Attn: Privacy
Reciprocity d.o.o.
Celovška cesta 25
1000 Ljubljana
Slovenia