Zetta.IO Technology AS ("We", "us", "our") is committed to protecting and respecting your privacy.
This policy describes how personal data we collect from you, or you provide to us, will be processed by us. It is part of your agreement with Zetta.IO, along with the Terms of Service, Service Level Agreement and Acceptable Use Policy, and is subject to all the terms and conditions stated in these documents.
For the purpose of the European Union General Data Protection Regulation 2016 (the "GDPR"), the data controller is Zetta.IO Technology AS located in Oslo/Norway.
What we may collect about you
The data we collect and process is strictly limited to that which is necessary for us to provide our service to you under the lawful bases of consent and/or necessity.
- Information you fill out in forms on our site. For example account registration, service subscription, updates to billing and contact information or when contacting us for support
- When creating an account with us, we will ask for your full name, email, company, country, phone number, a domain name, a username and password (encrypted and salted when stored).
- After registration we also ask you to enter details about your business or you as an individual for billing purposes
- When contacting us, we may keep records of that correspondence (email, attachments etc.)
- Occasionally we may ask you to complete surveys for research purposes. You have no obligation to respond to them.
- Details about your visits and resources you allocate in our cloud platform for billing purposes
- Credit card information is processed by Dibs Payment Services AB. We may only store and process the first 6 and last 4 digits of your credit card number, its expiry date and a reference number to your card provided by the payment processor.
- Information about payments
- If you register for an account with us, we may use your IP address at the time of registration for "geolocation". This is mainly a weak sanity check to ensure all information is correct. You can at any time set your country in your billing information.
We do not request, collect or store any sensitive personal data as defined under the GDPR.
How information is stored
We store all production data in physically secure data centers.
The following datacenter facilities are used by Zetta.IO to produce our Services:
- NO-OSL1 – Facilities are managed by Powertech Information Systems AS and DigiPlex Norway AS, located at Ulven in Oslo, Norway. This facility is in compliance with BS EN ISO 9001:2008, ISO 22301:2012, ISO 14001:2004 and ISO 27001:2013.
- NO-OSL9 – Facilities are managed by Availo AS, located at Nydalen in Oslo, Norway. Used for offsite backup, monitoring, management and disaster recovery.
All data centers employ strict access control systems linked to system alarms, CCTV monitoring systems and fire detection/suppressant systems.
Data centers are connected via high-speed links to provide secure and fast data transfers between data centers. Where applicable, private links are used. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer or transport or while being recorded onto data storage media. Zetta.IO transfers data via Internet standard protocols.
We monitor a variety of communication channels for security incidents, and security personnel will react promptly to known incidents. We cooperate with the Norwegian Computer Emergency Response Team, NSM NorCERT. We make use of encryption technologies where applicable and available.
We will implement appropriate technical and organizational measures within commercially reasonable means to protect information against accidental or unlawful destruction or accidental loss, alteration, or unauthorized disclosure or access. Zetta.IO has implemented a set of security measures as outlined below. We may update, modify or extend these security measures provided that such updates or modifications do not result in the material degradation of the security of the Services.
Zetta.IO has internal data access processes and policies designed to prevent unauthorized persons and/or systems from gaining access to systems used to process personal data.
Zetta.IO stores data in a multi-tenant environment on our own servers. We logically isolate the customers. Certain physical media containing data may experience performance issues, errors or failure that lead to them being decommissioned. Decommissioned media is erased in accordance with an internal disk erase policy, or destroyed.
All our personnel are required to conduct themselves in a manner consistent with our guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Zetta.IO conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.
Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Zetta.IO’s confidentiality and privacy policies.
Zetta.IO will maintain an incident response program appropriate to respond to data incidents. If we have reason to believe that a data incident has occurred, we will:
- Promptly investigate and take steps to remediate.
- Notify customers of the data incident as soon as reasonably possible once we have established the nature of the incident and taken measures to secure data against any imminent harm, consistent with the requirements of law enforcement authorities.
- Notify customer by an email sent to the email address provided by customer or by direct communication. Customer is solely responsible for fulfilling any third party notification obligations.
Subject Access Requests
You have the right to access personal information held about you by us (also known as "Subject Access Request" under the GDPR). You may exercise this right at any time by emailing email@example.com from the email address associated with your request. If you have an account with us, or we hold any personal information pertaining to you, we will provide this in a machine-readable format within 30 days. There is no fee in relation to your request for access.
Right To Erasure
You have the right to ask us to remove all data and/or personal information we hold about you. We will use reasonable endeavours to remove all information from our systems, where technically feasible, within 30 days. You can exercise this right at any time by contacting us at firstname.lastname@example.org. We may retain certain specific information, where required by law. There is no fee in relation to your request for erasure.
If you have any questions or comments, please contact us at email@example.com