Ping Identity’s Commitment to 
GDPR Compliance

Ping Identity has a comprehensive global privacy and security program to enable compliance with the GDPR and other applicable privacy laws worldwide. Our policies, procedures, and controls are designed to reflect fair information principles, such as collection limitation, data quality and purposes specification, and provide the foundation for our enterprise privacy and data protection program. Transparency and accountability are core to our program.

Ping Identity is a leading provider of enterprise identity and access management (IAM) products and related security solutions to large enterprises. Our products enable customers to provide secure access to their networks and systems for their employees and customers. Our products range from fundamental single sign-on solutions to fully orchestrated risk-based, adaptive authentication workflows that support different IAM use cases, such as fraud detection, identity proofing, and authorization. 

In order to provide IAM services, personal data pertaining to our customers’ employees and/or customers may be routinely transferred to and processed by Ping Identity. This data is processed as needed to provide the services, verify, and authenticate user identities, manage access rights and privileges, and for compatible security and access management purposes. 

Ping Identity solutions generally only require non-sensitive data elements such as the person’s first and last name, title, position, employer, contact information (company, email, phone, physical business address), ID and device data, connection data, and localisation data. Some products provide customers and end users with the capability to process biometric data for authentication and multi-factor authentication:

• For the PingID Service: The service itself does not process biometric data but does allow users to authenticate using the biometric capabilities of their devices (such as TouchID).  

• For the PingOne Verify Service: If implemented by our customer, biometric data (facial recognition) is processed for authentication. The end user uploads a photo to enable this functionality. 

• For the PingOne DaVinci Service: The orchestration platform allows customers to process and store additional categories of data, which may include special categories of data—these are determined by the customer and are not required by Ping Identity.

While Ping Identity primarily serves as a data processor for GDPR purposes, we do further process customer data as permitted by law for specific, limited internal business purposes, namely: 

• Detecting security breaches and protecting against malicious, deceptive, fraudulent, or illegal activity.

• Debugging to identify and repair errors that impair intended functionality of our products and other activities needed to maintain the quality and/or safety of the products and platforms.

• Internal operational activities, such as responding to data subject requests, making back-ups as part of disaster recovery/business continuity programs, and confirming usage quantities.

• Processing required for legal or regulatory compliance.

The confidentiality, accuracy, integrity, and availability of the data we process is of paramount importance for Ping Identity. As a leader in the enterprise security industry, our products are engineered for unparalleled security. Comprehensive information about Ping Identity’s information security program can be found by viewing Security at Ping Identity and our Security Exhibit.  

Ping Identity maintains SSAE18 SOC 2 and ISO/IEC 27001:2013 certifications. ISO 27001 is the international standard outlining best practices for information security management systems. Compliance with these standards demonstrates our commitment to a repeatable, continuously improving, risk-based security program. The management system was inspected by an independent third party accredited through the ANSI-ASQ National Accreditation Board (ANAB).

Ping Identity also uses strong encryption for data in transit and at rest to enhance the security and privacy of customer data.

Ping Identity’s IAM products and solutions have received numerous awards for IT security, API security, and platform excellence. A list of our awards is provided here.

Yes, Ping Identity uses strong encryption for data in transit and at rest to enhance the security and privacy of customer data.

Our security breach response program is designed to enable us to (1) detect possible security breaches, (2) mitigate risk of harm from the breach, and (3) comply with applicable laws and our contracts. As a processor, if we determined that a security breach impacted customer data, we would notify the customer without undue delay. 

Yes, Ping Identity’s EEA affiliates have appointed a Data Protection Officer (DPO). Ping Identity’s DPO may be contacted via dpo_privacy@pingidentity.com

In the event that we receive a request from an individual in our capacity as a processor, we would refer the individual to our customer.

Yes. Where we act as a data processor for customers, Ping Identity includes the mandatory terms in our contracts as required by the provisions of Article 28(3) of the GDPR. Our Customer Data Privacy Addendum (DPA) is available here. Legally mandated terms are also included in our contracts with our suppliers and service providers.

As detailed in our customer Data Privacy Addendum, when personal data is no longer necessary for the purposes set forth in the customer agreement or at an earlier time as a customer request in writing, we will (at the customer’s request) either return the customer’s data to it or delete the customer’s data—except for backups and monitoring data which will be deleted per Ping Identity’s data retention policy. Any Personal Data that is not immediately deleted will continue to be protected in accordance with GDPR and our DPA. Our Customer DPA can be found here.

Ping Identity is happy to help its customers complete DPIAs as required by law. As a practical matter, processing activities associated with our IAM services themselves are generally not “high risk” for users. As a processor, Ping Identity is not generally engaged in profiling, automated decision-making, or other activities that trigger DPIA requirements. Ping Identity may provide further information upon request.

Ping Identity has formal third-party risk management programs to manage risks associated with its third-party service providers. These programs include procedures for supplier qualification, contracting, ongoing oversight, and off-boarding at the end of the term. All suppliers that handle personal data are required to accept appropriate contract terms, and those that access EEA personal data are bound by contractual terms that reflect Article 28 of GDPR. A list of third-party processors that may have access to customer personal data is provided here.

Customer data is physically stored in Google Cloud Platform (GCP) and Amazon Web Services (AWS) secure data centers at the locations listed in our Data Supplement. Each customer selects its hosting region during implementation, and EEA/UK/Swiss customers may elect to have their data stored within the EEA, in the AWS colocation centers in Germany and Ireland. However, this data may be accessed remotely by Ping Identity workers as needed to provide the contracted services and 24/7 support. Remote access to EEA/UK/Swiss data may occur from our operations centers located in our Data Supplement. 

Companies can use standard contractual clauses to transfer personal data to third countries if they also assess the risks of transfers to non-EEA jurisdictions. As the European Court of Justice noted in the Schrems II opinion, the primary concern is foreign government access to personal data in connection with national security and law enforcement activities. Remote access to EEA/UK/Swiss data may occur from our operations centers located in our Data Supplement. Canada, Israel, and the United Kingdom have been deemed adequate by the European Commission.

For transfers to the U.S., companies must assess risks stemming from Executive Order 12333 and Section 702 of the Foreign Intelligence Surveillance Act (FISA). EO 12333 risks arise from the U.S. government’s ability to potentially collect personal data while it is in transit to the U.S. by intercepting data traveling over transatlantic cables. Personal data can effectively be protected by this type of interception through security measures, such as encryption. Ping Identity encrypts customer data in our services in transit and at rest. FISA 702 risks arise from the ability of the U.S. government to see warrantless disclosures of data from certain types of communications companies. Ping Identity does not provide telecommunications or electronic messaging services.

Additionally, to further address and mitigate risks raised by the Schrems court, the US government has implemented additional controls and safeguards.  On 7 October 2022, Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities.¹ This Order:

• Adds further safeguards for U.S. signals intelligence activities, including requiring that such activities be conducted only in pursuit of defined national security objectives; take into consideration the privacy and civil liberties of all persons, regardless of nationality or country of residence; and be conducted only when necessary to advance a validated intelligence priority and only to the extent and in a manner proportionate to that priority.

 

• Mandates handling requirements for personal information collected through signals intelligence activities and extends the responsibilities of legal, oversight, and compliance officials to ensure that appropriate actions are taken to remediate incidents of non-compliance.   

 

• Requires U.S. Intelligence Community elements to update their policies and procedures to reflect the new privacy and civil liberties safeguards contained in the Order.

 

• Creates a multi-layer mechanism for individuals to obtain independent and binding review and redress of claims that their personal information collected through U.S. signals intelligence was collected or handled by the United States in violation of applicable U.S. law, including the enhanced safeguards in the Order.

 

• Calls on the Privacy and Civil Liberties Oversight Board to review Intelligence Community policies and procedures to ensure that they are consistent with the Executive Order and to conduct an annual review of the redress process.

A response statement from the EU Commission² also issued on 7 October notes that these are “significant improvements” and indicates that, on the basis of the Order, the Commission will now prepare a draft adequacy decision for the new EU-US Data Privacy Framework and launch the adoption procedure for the updated Framework.  

Ping Identity has been an active participant in both the EU-US and Swiss-US Privacy Shield programs since January 2017. While it will take some time for the updated Privacy Shield framework to be declared adequate and relied upon for transfers, the Order itself provides clear evidence that risks raised by the Schrems court are being mitigated by the US government, also supporting the appropriateness of transfers pursuant to the Standard Contractual Clauses.

For transfers to Australia and India, companies must assess risks associated with local laws providing for (and regulating) law enforcement and national security agency access to personal data. Both countries also have various privacy laws that offer protections for personal data. Additionally, Ping Identity has several supplementary security and organizational measures in place to help protect personal data.

Although it is ultimately our customers’ responsibility to assess the risk of transfers of personal data outside of the EEA/UK/Switzerland, we have prepared several resources that are available upon request to help our customers perform these analyses.

_________________________________________

¹ Order: https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/
Fact Sheet: https://www.whitehouse.gov/briefing-room/statements-releases/2022/10/07/fact-sheet-president-biden-signs-executive-order-to-implement-the-european-union-u-s-data-privacy-framework/

² https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_6045

Ping Identity has an established policy related to Government Agency Requests for Personal Data. We also publish a detailed transparency report that summarizes any governmental requests for access to data using subpoenas, search warrants, court orders, national security requests, and international requests, along with the kind of reply provided, insofar as publication is allowed by local law. Please note: Ping Identity has not and does not expect to receive government agency requests for access to customer data.

No. Ping Identity has not and does not expect to receive government agency requests for access to customer data. Ping Identity does not provide telecommunications or electronic messaging services. For purposes of clarity, some of our products allow customers to communicate with Ping Identity services as part of multi-factor authentication processes (such as text-to-verify). These features rely on third party telecommunications providers (namely the user’s carrier or ISP), and these third parties may be subject to laws such as FISA. These features are optional, and the communications with Ping Identity services do not result in any processing of any sensitive data or other information that is likely to qualify as “foreign intelligence information” under 50 USC § 1801(e).

Ping Identity’s Policy and the current Transparency Report are available here.

Ping Identity has assessed the risks associated with cross-border transfers and we are happy to help customers document the appropriateness of allowing Ping Identity to process data in a non-adequate jurisdiction. We can provide additional information upon request.

We are always happy to receive privacy-related questions or comments. You can contact Ping Identity’s Global Privacy Office with any questions via email to privacy@pingidentity.com.