Version 4.5 – Effective October 15, 2020, Revised December 29, 2022
Qualys®, Inc. (Qualys) respects your right to privacy and your desire to control your personal information that you share with us. Personal Information shall mean any information which is related to an identified or identifiable natural person. We have developed this Privacy Statement to inform you about our privacy practices for our public-facing Sites (“The Sites”). This Privacy Statement describes how Qualys collects, uses, shares, and secures the Personal Information you provide to Qualys through The Sites, and other than through Qualys’ Cloud Services. It also describes your choices regarding the use, access, and collection of your Personal Information. This Privacy Statement is not applicable to any of Qualys’ Cloud Services which are governed by our Master Cloud Services Agreement.
If you are a citizen of a country that is subject to the protections of GDPR, then please see this EEA Supplement Privacy Policy. The EEA Supplement Privacy Policy addresses both The Sites and the Cloud Services.
Below are some ways in which you may explicitly and intentionally provide us with consent to our collection of Personal Information:
Qualys collects information and has no direct relationship with the individuals whose Personal Information it processes. In accordance with applicable law, Qualys will retain Personal Information you provide for marketing purposes and to respond to the requests that you have made from Qualys and use this Personal Information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. If you are a client of one of our customers and would no longer like to be contacted by such customer, please contact the customer that you interact with directly.
Qualys shares information with third party service providers that help us operate, provide, improve, integrate, customize, support and market our services. This includes service providers who provide consulting, sales, support, and technical services.
When you visit The Sites, our systems collect Personal Information (in the manner described above) and statistical or non-personally identifiable information about your visit to The Sites (e.g., IP address, pages visited, origin of visitor domains, and types of browsers used). However, unless you actively submit Personal Information, we do not typically identify you via the non-personally identifiable information. Notwithstanding the foregoing, to the extent permitted by applicable law, we reserve the right to combine non-Personal Information with Personal Information that you have actively submitted.
Please see our cookies policy.
Qualys uses web beacons alone or in conjunction with cookies to compile information about site visitors’ usage of the site and interaction with emails from Qualys. Web beacons are clear electronic images that can recognize certain types of information on your computer, such as cookies, when you viewed a particular website tied to the web beacon, and a description of a website tied to the web beacon. For example, Qualys may place web beacons in marketing emails that collect information when you click on a link in the email that directs you to Qualys’ site. We use web beacons to operate and improve Qualys’ site and email communications. Qualys may use information from web beacons in combination with data about Qualys to provide you with information about Qualys and the Qualys Services.
We will share your Personal Information with third parties only in the ways that are described in this privacy statement. We do not sell your Personal Information to third parties. In some cases, Qualys uses suppliers to collect, use, analyze, and otherwise process information on its behalf. It is Qualys’ practice to require such suppliers and other service providers to handle information in a manner consistent with Qualys’ policies and to use your Personal Information only as necessary to provide these services to us.
When you register for Qualys Security Conference, an account will be created in Swapcard, Qualys’ online event provider, with all the information that you entered. This account will allow you to access the platform and the attendees’ list to network before, during and after the event. For further information on your data processing and your rights regarding the information you entered for Qualys Security Conference, please refer to Swapcard’s protection of data policy: https://www.swapcard.com/gdpr or send an email to event@swapcard.com.
We may also disclose your personal information as required by law, such as to comply with a subpoena, or similar legal process when we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. We may also disclose your personal information if Qualys, Inc. is involved in a merger, acquisition, or sale of all or a portion of its assets.
The period for which Qualys retains your Personal Information depends on the type of information collected. After your Personal Information is no longer needed for its purpose, it is either deleted or de-identified or, if that is not possible, then Qualys will securely store your information and isolate it from any further use until deletion is possible.
If you wish to request access to, update, correct, delete or opt-out of the sharing of your Personal Information, then please contact us at privacy@qualys.com. We reserve the right to take appropriate steps to authenticate the applicant’s identity. We will respond to your request within a reasonable timeframe.
From time to time, we notify visitors to The Sites of new products, announcements, upgrades, and updates unless you have opted out of these notices. If you would like to opt-out of being notified, please contact us at the address given at the end of this Privacy Statement.
If you would like to change your preferences online, please visit https://www.qualys.com/communication-preferences/.
We periodically appoint digital marketing agents to conduct marketing activity on our behalf; such activity may result in the compliant processing of Personal Information. The data used in these marketing activities is not supplied by Qualys.
Our appointed data processors include:
(i) Prospect Global Ltd (trading as Sopro) Reg. UK Co. 09648733. You can contact Sopro and view their privacy policy here: http://sopro.io. Sopro are registered with the ICO (Reg: Z123456); their Data Protection Officer can be emailed at dpo@sopro.io.
From time-to-time we may request information via surveys. Participation in these surveys is completely voluntary and the user therefore has a choice whether or not to disclose this information. Survey information will be used for improving our customer service and service offerings. The feedback and data we collect from these surveys are aggregated and we do not single out individual responses, unless the respondent chooses to be identified.
We consider the protection of all Personal Information we receive from Qualys Website visitors as critical. Please be assured that we have appropriate security measures in place to protect against the unauthorized loss, misuse, and alteration of any Personal Information we receive from you. As with any transmission over the Internet, however, there is always some element of risk involved in sending Personal Information. In order to try to minimize this risk, we encrypt all information that you submit in ordering our services using the Secure Sockets Layer (SSL) protocol. Our security procedures are also subject to annual SSAE 18 SOC 2 industry-standard audits by an internationally recognized accounting firm. If you have questions about security, please contact us at the information provided below.
Before May 25, 2018, Qualys complied with the European Community’s data protection regime pursuant to Directive 95/46/EC, which applies to the European Economic Area (“EEA”) and restricts companies in the EEA in transferring personal data about individuals in the EEA to the United States, unless there is “adequate protection” for such personal data when it is received in the United States.
On and after May 25, 2018, Qualys shall comply with the Regulation 2016/679, the “General Data Protection Regulation” (“GDPR”) of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. The GDPR supersedes the EU Data Protection Directive (also known as Directive 95/46/EC). For persons subject to GDPR please see the EEA Supplement here.
Qualys participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. Qualys is committed to subjecting all personal data received from European Union (EU) member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List at https://www.privacyshield.gov/list.
Qualys complies with the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including the onward transfer liability provisions. Under those provisions and under certain circumstances, Qualys is responsible for the processing of personal data it receives under the Privacy Shield Framework and subsequently transfers to a third party acting as an agent on its behalf.
With respect to personal data received or transferred pursuant to the Privacy Shield Framework, Qualys is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Qualys may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Qualys commits to cooperate reasonably with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner and to comply reasonably with the guidance provided by such authorities regarding any unresolved Privacy Shield complaints, if any, with regards to human resources data transferred from the EU and Switzerland in the context of the employment relationship.
Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
The Qualys Offerings are not directed to individuals 16 and under or those not of the age of majority in your jurisdiction, and we request that these individuals, or others on their behalf, not provide us with their Personal Data.
This Notice does not apply to employees of Qualys; this Notice addresses other data subjects residing in the EEA and Switzerland (“EEA and Swiss Persons”) whose data Qualys may receive from one of its subsidiaries, prospects, customers, suppliers or other businesses in the EEA or Switzerland, e.g., prospects’ procurement managers, suppliers’ sales representatives, individual independent contractors, and EEA and Swiss residents who are mentioned or referred to in documents to be produced in pre-trial discovery proceedings, etc.
Qualys collects data processing and advisory services largely for businesses and rarely if ever for consumers. Thus, Qualys solely receives business-related information from the EEA and Switzerland. Occasionally, Qualys also receives contact information related to individual representatives of businesses with whom Qualys is dealing (including, without limitation, names, addresses, work phone numbers, work email addresses, etc.), and, in connection with our managed document review and advisory services, Qualys processes data that may be relating to EEA and Swiss residents on behalf of, and in accordance with instructions from, prospects (collectively “EEA and Swiss Data”). Since EEA and Swiss Data covered by this Notice is by definition sent to Qualys by another company in the EEA or Switzerland (e.g., a supplier to Qualys), the categories of data sent and the purposes of processing often depend on such other company, with whom the EEA or Swiss Persons typically have a closer employment, business or other relationship (and which therefore, can provide additional information on categories of data shared with us).
Qualys collects and uses EEA and Swiss Data for purposes of providing data processing and advisory services to its prospects, communicating with corporate business partners about business matters, processing EEA and Swiss Data on behalf of corporate prospects, transmitting marketing emails and performing other marketing activities, and conducting related tasks for legitimate business purposes.
Qualys shares EEA and Swiss Data with affiliates and contractors, which process EEA and Swiss Data on behalf of Qualys. Qualys also shares EEA and Swiss Data with other third parties for the purposes for which Qualys receives the EEA and Swiss Data (e.g., performance of contractual obligations) and as required or permitted by law.
With respect to marketing emails, EEA and Swiss Persons may opt-out of receiving further email marketing communications from Qualys by sending an email to unsubscribe@qualys.com, or by following opt-out instructions that are contained in each marketing email. EEA and Swiss Persons may also send an email to this address to ask to opt-out of disclosures to third parties, but such a limitation on data sharing may make it difficult or impossible for Qualys to provide the requested services. Notwithstanding other statements in this Notice, Qualys may disclose EEA and Swiss Data where it is legally required to disclose (e.g., under statutes, contracts or otherwise) or the disclosure is permitted by law and Qualys has a legitimate business interest in such disclosure.
EEA and Swiss Persons whose EEA and Swiss Data Qualys holds may request access to, and the opportunity to update, correct or delete some or all of the EEA and Swiss Data that Qualys holds about them. To submit such requests or raise any other questions, please contact Qualys as described below. Qualys reserves the right to take appropriate steps to authenticate an applicant’s identity, charge an adequate fee before providing access and deny requests, except as required by the Privacy Shield Framework. We will respond to any request received within a reasonable timeframe.
Qualys complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. Qualys has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy statement and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov.
We may update this privacy statement to reflect changes to our information practices. If we make any material changes, we will notify you by means of a notice on this site prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.
If you have questions about Qualys’ Privacy Statement, please contact our Qualys Privacy Administrator at 919 E. Hillsdale Blvd., 4th Floor, Foster City, CA 94404, USA, telephone: +1 650 801 6100, or fax: +1 650 801 6101; or email us at privacy@qualys.com.
Qualys has further committed to refer unresolved Privacy Shield complaints to Qualys Data Protection Office (DPO) at DPO@qualys.com, or an alternative dispute resolution provider. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://www.qualys.com/support/ for more information or to file a complaint. The services of dispute resolution are provided at no cost to you.