Trust Center

When using the IdentityIQ software, the customer is the data processor.

IdentityIQ is on-premises software that is operated in your data center or the data center or cloud service of your choosing. SailPoint does not need and does not expect to receive access to the information loaded into the IdentityIQ software in your environment in order to provide the software and the support and maintenance services. Support does not require or include remote access to your environment.

If we are engaged to provide professional services, SailPoint will likely have limited access to at least some of the information in the software during the project, but the means by which we access information and the information we can access is determined by you.

When using the IdentityNow service, SailPoint Technologies, Inc. acts as the data processor for our customers.

IdentityIQ is our on-premises identity security solution, which can be hosted in the public cloud or deployed in a customer’s data center. It provides large, complex enterprise customers a unified and highly configurable identity security solution that consistently applies business and security policies as well as role and risk models across applications and data on-premises or hosted in the cloud. IdentityIQ enables organizations to:

• Empower users to request and gain access to enterprise applications and data;
• Enable business users to reset their passwords via self-service tools without the need for IT involvement;
• Provide on-demand visibility to IT, business, and risk managers into “which identities have access to what resources” to help make business decisions, improve security, and meet audit requirements;
• Improve security and eliminate common weak points associated with data breaches, including weak passwords, orphaned accounts, entitlement creep and separation-of-duties policy violations; and
• Manage compliance using automated access certifications and policy management.

We package and price IdentityIQ into Core Modules and Advanced Integration Modules. All customers leverage the IdentityIQ Governance Platform, which provides the base features of the solution, including the identity warehouse, workflow engine and governance models. The three Core Modules include:

• • Lifecycle Manager: This module provides a business-oriented solution that delivers access securely and cost effectively. The self-service access request capabilities feature an intuitive user interface that empowers business users to take an active role in managing changes to their access while greatly reducing the burden on IT organizations.
    Automated provisioning manages the business processes of granting, modifying and revoking access throughout a user’s lifecycle with an organization, whether that user is an employee, contractor, or business partner. Changes to user access can be automatically provisioned via a large library of direct connectors for applications such as Workday and SAP or synchronized with IT service management solutions such as ServiceNow.
  • Compliance Manager: This module enables the business to improve compliance and audit performance while lowering costs. It provides business user friendly access certifications and automated policy management controls (e.g., separation-of-duty violation reporting) that are designed to simplify and streamline audit processes across all applications and data. Built-in audit reporting and analytics give IT, business, and audit teams visibility into, and management over, all compliance activities in the organization.
  • File Access Manager: This module secures access to the growing amount of data stored in file servers, collaboration portals, mailboxes, and cloud storage systems. It helps organizations identify where sensitive data resides, which identities have access to it, and how they are using it and then puts effective controls in place to secure it. File Access Manager is designed to interoperate with the Compliance Manager and Lifecycle Manager modules to provide comprehensive visibility and governance over user access to all data. By augmenting identity data from structured systems with data from unstructured data targets, organizations can more quickly identify and mitigate risks, spot compliance issues, and make the right decisions when granting or revoking access to sensitive data.

The Advanced Integration Modules provide connectivity to target application platforms such as SAP, mainframes, and file storage systems.

IdentityNow is a microservices-based, multi-tenant identity governance platform, which is delivered as a SaaS subscription offering. IdentityNow provides customers with a set of fully integrated services for compliance, provisioning and password management for applications and data hosted on-premises or in the cloud. We package and price IdentityNow into a Cloud Platform and Governance Services with unique functionality as outlined below:

• Cloud Platform: IdentityNow provides foundational components for identity security in the cloud, including production and sandbox instances and the IdentityNow Cloud Gateway virtual appliance, which leverages our patented method for integrating with on-premises applications and data. IdentityNow also includes a large catalog of pre-built connectors and application profiles to on-premises and cloud applications, leveraging the intellectual property developed for our on-premises solution, IdentityIQ. It is included with all Governance Services at no additional charge.
• User Provisioning: This module enables business users to be productive from day one. With IdentityNow user provisioning, organizations can streamline the on-boarding and off-boarding process with best practice configurations and workflows, enabling IT to immediately grant employees access to the applications and data they need to do their jobs.
• Access Request: This module empowers the entire enterprise with a robust self-service solution for requesting and approving access to applications and data. Automating the access request process quickly delivers business users the access they need to do their jobs.
• Access Certifications: This module automates the process of reviewing user access privileges across the organization. Using IdentityNow, organizations can quickly plan, schedule and execute certification campaigns to ensure the right users have the appropriate access to corporate resources.
• Separation-of-Duties: This module simplifies and speeds the process of investigating access, quickly uncovering any access-related conflicts of interest for review and mitigation. It also automates the creation of policies that ensure continuous compliance with internal and external audit requirements.
• Password Management: This module offers business users an intuitive, self-service experience for managing and resetting passwords from any device and from anywhere. This service enforces consistent and secure password policies for all users across all systems from the cloud to the data center.

The customer will determine whose data is loaded into IdentityIQ and IdentityNow. The IdentityIQ  and IdentityNow software is typically licensed for use in managing the customer’s employees and contractors, in which case only employee and contractor data is processed.

The customer will determine what types of data, including personal data, are loaded into IdentityIQ. Typically, data in IdentityIQ is limited to business contact information, such as employee name, title, email, office and/or mobile phone number, and office address; employment information such as manager, role, etc.; entitlement data (what applications can an individual access and what permissions do they have); and metadata, such as IP address.

The customer will determine what types of data, including personal data, are loaded into IdentityNow. Typically, data in IdentityNow is limited to business contact type information, such as employee name, title, email, office and/or mobile phone number, office address, manager, role, etc.; entitlement data (what applications can the employee access and what permissions do they have); and technical information, such as IP address and geolocation data.

With regards to IdentityIQ, our on premise solution, the customer will determine from whom the data is collected and whether this is done on an automated or voluntary basis. SailPoint will not collect personal information on the customer’s behalf.

For our SaaS solution, SailPoint does not expect sensitive personal data, including special categories of personal data as referenced in Art. 9 GDPR, such as health data, political opinions, religious or philosophical beliefs, trade union membership, race or ethnic origin, sexual orientation, genetic data, biometric data, criminal activity data, or financial account number or tax ID number will be processed in IdentityNow. SailPoint’s standard contractual terms included in the Software as a Service Agreement (available at https://www.sailpoint.com/legal/customer-agreements/) include restrictions against providing this type of personal data.

Restrictions. Customer and its Users shall not, and shall not permit any third party to:

• send or store any Sensitive Data in the SaaS Services;

The customer will determine from whom the data is collected and whether this is done on an automated or voluntary basis. SailPoint will not collect personal information on the customer’s behalf.

Data loaded in IdentityIQ or IdentityNow is typically pulled from other systems in the customer’s environment. Data is aggregated in IdentityIQ or IdentityNow to provide better visibility into who has access to what applications or systems. IdentityIQ and IdentityNow allows customers to certify user access privileges, which may be required to meet legal, regulatory, and/or corporate governance requirements.

IdentityIQ and IdentityNow also allow customers to streamline the onboarding and off-boarding process, enabling IT to quickly grant employees access to the applications they need to do their jobs or quickly remove access when it is no longer needed.

The customer will determine its purpose in using IdentityIQ or IdentityNow and processing personal data within IdentityIQ or IdentityNow. Because IdentityIQ and IdentityNow aggregate data from other applications in the customer environment, the purpose for data processing in IdentityIQ and IdentityNow will likely be consistent with the purpose for which it was collected and processed in the other applications.

IdentityIQ and IdentityNow are typically used to provide identity governance capabilities for employees and contractors. Identity governance is designed to ensure the right people have access to the right applications and information in an organization. The customer is solely responsible for determining the legal basis for its data processing. The customer’s legal basis for processing may be legitimate business interests and/or legal requirements. We would not expect customers to process employee data on the basis of consent, but the customer is responsible for that determination.

Information is loaded into IdentityIQ and IdentityNow by the customer. As such, the customer will determine whether the data they load into IdentityIQ or IdentityNow are necessary for and limited to a specific purpose.

Where SailPoint acts as the data processor, we will only process the data as instructed by the customer, who is the data controller, and as required to fulfill our contractual obligations.

IdentityIQ is on-premises software that is operated in your datacenter or the datacenter or cloud service of your choosing. SailPoint does not need and does not expect to receive access to the data loaded into the IdentityIQ software in your environment in the course of providing the software and the support and maintenance services. Support does not require or include remote access to the customer environment.

If we are engaged to provide professional services, SailPoint will likely have limited access to at least some of the data in the software during the project, but the means by which we access the data and the data we can access will be determined by you.

SailPoint will receive business and personal data in the course of maintaining the business relationship. SailPoint stores elements of your business information, including business contact information (employee name, title, email, phone number, address, manager, role, etc.) for the customer personnel who interact directly with SailPoint, contract details (copies of fully executed agreements and summary details such as products and services purchased, contract effective date and renewal dates, amounts, etc.) and information about the customer IT environment in which the IdentityIQ software is installed (software version and related operating system, application server, database, hardware specifications, etc.). This information is stored in a CRM database that physically resides in the US and is accessible to certain SailPoint personnel worldwide (access is granted by role on a least privileged access/need to know basis).

Troubleshooting information that may be provided to SailPoint support by your system administrators or project team members is in addition to the business information described above and may include screenshots, log files, or XML objects. This troubleshooting information can be sanitized to remove or redact personal or sensitive data before being provided to SailPoint. Once transmitted to SailPoint, this troubleshooting information will physically reside on servers in the US and be accessible to SailPoint support personnel worldwide (access is granted by role on a least privileged access/need to know basis).

Some of your employees may be granted access to certain portals/websites made available by SailPoint to its customers (i.e. Compass and Identity University sites). Access to such portals/websites will require each user to provide their name, company name, and work email in order to establish an account that will allow access to the site. The user may also provide other business contact information, such as title, phone number, office address, etc. A limited subset of your employees and contractors will require access to these SailPoint sites. The user information provided for this purpose will be stored on servers physically located in the US and will be visible to SailPoint staff with a need to access such information from locations worldwide.

A customer’s IdentityNow environment is accessible by SailPoint DevOps and support personnel for support purposes. DevOps and support personnel are able to access data in your IdentityNow environment similar to the customer’s system administrator.

This data is generally limited to name, email address, other business contact information and entitlement information (what applications can an employee access and what permissions do they have). SailPoint personnel are not able to access sensitive information, including passwords and challenge questions, which is encrypted.

If SailPoint is engaged to provide professional services, SailPoint professional services personnel will have access to the customer’s IdentityNow environment during the engagement.

SailPoint Technologies, Inc. is a data processor who will receive the personal data from the customer, who is the data controller. SailPoint leverages its Affiliates and a range of third-party sub-processors to assist it in providing the contracted services. SailPoint uses third-party sub-processors to provide ancillary support services and account administration. Depending on the geographic location of customer and the nature of the services provided, SailPoint may use one or more of its Affiliates as sub-processors. A list of sub-processors is available at https://www.sailpoint.com/legal/sub-processors/.

For the IdentityNow service, SailPoint Technologies, Inc. is a data processor who will receive the personal data from the customer, who is the data controller.

SailPoint leverages Amazon Web Services (AWS) to host the IdentityNow service. While AWS doesn’t have access to information in IdentityNow, they do have physical control of the systems and data. SailPoint leverages Twilio to provide two-factor authentication via mobile device within IdentityNow. If this functionality is enabled by the customer’s system administrators, mobile phone numbers are shared with Twilio for this purpose.

A list of other third-party and affiliate sub-processors who may assist in provision of the services is available at https://www.sailpoint.com/legal/sub-processors/.

The customer will determine from where the data comes and from where the customer and its users access the data. The customer will also determine the location where the IdentityIQ software is hosted.

Where personal data is provided by the customer and processed by SailPoint, it may be processed in the US and any of the locations shown in the list of sub-processors.

SailPoint’s corporate systems, such as email and support ticketing, reside in the US. The data in these corporate systems will physically reside in the US and be accessible to SailPoint employees worldwide (access is granted by role on a least privileged access/need to know basis).

The customer will determine from where the data comes and from where they access the data. The customer will also determine the location where the IdentityNow service is hosted. SailPoint leverages Amazon Web Services (AWS) for hosting IdentityNow. IdentityNow can be hosted in any one of the following AWS Regions, AWS US East (Northern Virginia) Region, AWS Europe (Frankfurt) Region, AWS Europe (London) Region, AWS Asia Pacific (Sydney) Region or Asia Pacific (Tokyo) Region. Although the data in IdentityNow will physically reside in the chosen location, the customer’s IdentityNow environment will be managed and maintained by SailPoint DevOps and support personnel located in the US, UK, Ukraine, India, Singapore and Australia.

The customer is responsible for providing any notices to individuals through employment contracts, posted policies or other means prior to collecting data and should insure that information provided to individuals includes all required information. IdentityIQ supports a configurable “click-through” usage agreement or notice. SailPoint will not collect personal information on the customer’s behalf.

The customer is responsible for providing any notices to individuals through employment contract, posted policies or other means prior to collecting data and should insure that information provided to individuals includes all required information. IdentityNow supports a customer configurable usage agreement or notice. SailPoint will not collect personal information on the customer’s behalf.

The customer determines how long data is processed in its instance of IdentityIQ and how data is updated in and/or deleted from its instance of IdentityIQ.

SailPoint will return or destroy customer data upon request following termination or expiration of the contractual relationship, unless customer data must be retained to meet legal, accounting, or corporate governance requirements. Elements of customer data retained will only be used for the purpose for which they were retained and will be protected from any further processing.

SailPoint will only process customer data in IdentityNow for the duration of the IdentityNow subscription term. The customer can edit and delete data in IdentityNow during the subscription term. Within 30 days of termination or expiration of the IdentityNow service, SailPoint will delete the customer instance of IdentityNow and all customer data stored therein. Customer data from IdentityNow that is archived on back-up systems will be securely isolated and protected from any further processing for the 30-day duration that the backup is held.

Where SailPoint maintains customer business and personal data, we will update or delete that information on request.