DXC ConfidentID Authenticator Service Privacy Statement

 

 

At DXC our commitment to privacy goes beyond the minimum legal and regulatory requirements. We strive for best-in-class data protection and privacy management, which requires a sound data privacy governance structure and an effective data privacy compliance and best practices program to ensure DXC meets ever-changing and increasingly-complex regulatory standards and all contractually agreed privacy obligations.

 

This following Data Privacy Statement applies to your use of the DXC Android or iOS ConfidentID Authenticator Service. This statement describes the limited personal data collected and stored in the DXC ConfidentID™ service, where they are stored, how they are protected, and who will have access to them and why. It also confirms your consent to this collection and storage of your personal data.

 

By clicking the “AGREE” button during your installation of the service on your mobile device, you acknowledge that you have read and understood this Data Privacy Statement and agree to the collection, use, and disclosure of your personal data as described below. If you click “CANCEL,” your installation will be cancelled, and you will be unable to use ConfidentID™ Mobile Authenticator Service. And in that case you will again be presented with these notices on any subsequent installation attempt.

 

·         What personal data does the ConfidentID Authenticator Service retain about you?

       ConfidentID retains the following types of user data:

1.    (For users of Android applications) An Android device ID, which is a distinctive number associated with a smartphone or similar handheld device. ConfidentID holds no such related information for iOS devices.

2.    IP address – the ConfidentID service will capture end-user IP addresses in support of the authentication process. The service will hold IP addresses long enough to support standard DXC security processes, and then deleted. In its standard processing, the ConfidentID service does not attempt to associate the IP address with a named individual.

3.    (For users of iOS applications) If you choose to authenticate using Face authenticator the device built-in Face ID is utilized during FIDO authentication session. We do not collect any data other than Face ID is enabled.  Your face data - including mathematical representations of your face - is encrypted and protected by the Secure Enclave in the device. ConfidentID Authenticator app is only notified as to whether the authentication is successful and can’t access Face ID data associated with the enrolled face.

 

·         How will your personal data be used?

These personal data will be used to facilitate authentication requests for designated applications and specific transactions. These data will be linked to your biometric data using a unique identifier to ensure there is only a single identity for any given person and that your identity cannot be used by anyone other than you. 

 

·         How will your personal data be protected?

The ConfidentID service resides on DXC infrastructure located in the United States. Your biometric data never leave your mobile device. They are only stored on your mobile device and not on the infrastructure.

Technical and organizational security of the DXC Android or iOS ConfidentID Authenticator Service and/or its supporting components is maintained in accordance with DXC security policies and is supported by authorized system administrators only. System-level security measures follow the principles of “need-to-know” as well as “least privileges by default.” ConfidentID data do not replicate to other systems for purposes other than business continuity. In addition, technical security controls have also been put into place to encrypt biometric information and different access levels are applied to data within the system to ensure that data are visible only to appropriate users and groups.

Administrative access to your profile in the service is restricted on a need-to-know basis and is only granted to:

1.    System administrators

2.    Support and administrative users

3.    Security auditors.

 

·         How long will your personal data be held?

The DXC Android or iOS ConfidentID Authenticator Service will retain your anonymized profile data as long as is required to support your authentication into selected applications and/or services and for a reasonable time thereafter. If/when your association with said applications and/or services ends, standard processes will disable your ConfidentID profile. If you want DXC to delete the data you have provided via the ConfidentID service, please contact cidm-support@dxc.com and DXC will respond in a reasonable time. Please note that some or all of the data you have provided may be required for the ConfidentID service to function properly.

 

·         How will you be notified if the uses of your data change?

DXC will not share your data with any third parties, except as required by law.  If the uses of your personal data in the ConfidentID service change, DXC will attempt to notify you beforehand and allow you to respond. That notification will provide you access to any applicable, separate data privacy statements.

 

·         Your Consent

By clicking the “AGREE” button during your enrollment, you acknowledge that you have read and understood this Data Privacy Statement and agree to the collection, use, and disclosure of your personal data as described above. If you click “CANCEL”, your installation will be cancelled and you will be unable to use designated ConfidentID™ applications. And in that case you will again be presented with these notices on any subsequent enrollment attempt.

 

·         Contact Us

If you have any questions regarding privacy while using the service, or have questions about our practices, please contact us via email at cidm-support@dxc.com.

 

Last update: April 9, 2019