Phone Number +1-202-802-9399 (US)

CCPA Compliance Statement

In the performance of Thycotic’s cloud security services (“Services”) pursuant to an active master subscription agreement (“Agreement”) executed by Thycotic and the end customer (“Customer”), Thycotic supports the customer’s compliance for Processing covered by the California Consumer Privacy Act of 2018 (the “CCPA”). To confirm applicable aspects of the CCPA in connection with Customer’s use of the Services, Thycotic is providing this Compliance Statement. Terms not defined below have the meanings given to them in the CCPA.

  1. Limitations on Processing. Thycotic will Process Personal Information only on Customer’s behalf, in the context of Services provided for Customer pursuant to the Agreement.
  2. Consumer Requests. To the extent that Thycotic stores Personal Information subject to the CCPA, at Customer’s request, Thycotic will assist Customer with Customer’s obligation to respond to consumers’ requests to exercise their rights under the CCPA by securely deleting or destroying Personal Information pertaining to a consumer identified by Customer where such Personal Information is within possession or control of Thycotic.
  3. Deidentification and Aggregation. If the Services involve Processing Deidentified and/or Aggregated information, Thycotic will do so only with Personal Information that has been Deidentified and/or Aggregated as those terms are defined below. For Deidentified information, Thycotic will implement appropriate safeguards to prevent reidentification.
  4. Information Security. Thycotic maintains a written comprehensive data security program and maintains appropriate technical and organizational security procedures and practices designed to protect Personal Information against anticipated threats or hazards to its security, confidentiality or integrity. Thycotic will ensure that persons authorized to access Personal Information are bound by confidentiality obligations.
  5. Security Breach. Thycotic will notify Customer without undue delay if Thycotic learns that there has been unauthorized access, use, modification, disclosure, loss, or damage to Personal Information in the possession or control of Thycotic (“Security Breach”). Thycotic will provide reasonable assistance and cooperation in the remediation or investigation of a Security Breach and/or the mitigation of potential damage.

For purposes of the above, the following definitions apply: “Aggregated” information means information that relates to multiple Consumers that fall into the same group or category, from which individual Consumer identities have been removed, that is not linked or reasonably linkable to any Consumer or household, including via a device. “Consumer” means a natural person. “Deidentified” means information that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular Consumer. “Personal Information” means any information provided to Thycotic in connection with the Services, in any form, format or media (including paper, electronic and other records) that identifies an individual or relates to an identifiable individual and is subject to the CCPA. “Process” or “Processing” means any operation or set of operations performed on Personal Information or sets of Personal Information, whether or not by automated means. Processing includes the collection, recording, organization, structuring, alteration, use, access, disclosure, copying, transfer, storage, retention, deletion, combination, restriction, adaptation, retrieval, consultation, destruction, disposal, sale, sharing or other use of Personal Information.