Webgroup Media, LLC (henceforth “WGM”, “our”, “us”, and “we”) is a commercial open source software company founded in April 2001. We develop, license, and provide support for Cerb – a web-based platform for enterprise collaboration and workflow automation.

It is our policy to respect your privacy regarding any information we may collect while operating our websites and services.

We do not sell any personally identifiable information or data stored in Cerb Cloud to third-parties. We do not directly share your information with third-parties without explicit permission except to comply with the law or to provide necessary infrastructure in connection with the services you request; however, there is some passive risk of exposure to third-party access inherent in web-based services that is outlined in detail below. We do our best to mitigate and minimize these risks on your behalf.

Data Privacy Framework (DPF)

Webgroup Media, LLC (WGM) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.

WGM has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.

WGM has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Jurisdiction

As a corporate entity, WGM operates exclusively from the United States. The entirety of our business operations adhere to the Data Privacy Framework Principles. This includes Cerb and Cerb Cloud.

We are subject to the investigatory and enforcement powers of the United States Federal Trade Commission (FTC).

Resolving Privacy Complaints

In compliance with the Data Privacy Framework, WGM commits to resolve complaints about our collection or use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our Data Privacy Framework policy should first contact us at: team@cerb.ai

WGM has further committed to refer unresolved Data Privacy Framework complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.

Independent Arbitration

Under certain limited circumstances, individuals may invoke binding Data Privacy Framework arbitration as a last resort if all other forms of dispute resolution have been unsuccessful. To learn more about this method of resolution and its availability to you, please read more about Data Privacy Framework.

Liability For Onward Transfers

Where WGM has transferred personal information of EU, UK, or Swiss residents to third parties, WGM shall be liable if those third parties do not process personal information in compliance with the Data Privacy Framework Principles. This shall not be the case where WGM establishes that it is not responsible for the damage caused by the third party.

Your Personal Data Rights

We are committed to your personal data rights.

Right to be Informed

You have the right to be informed regarding the collection of personal data from you or about you, and the relevant business purposes for such collection.

This document provides such information.

Right of Access

You have the right to a copy of any personal information we have collected from you or about you, if such data exists.

This information will be transmitted electronically no later than one month from the date we receive your request.

Please submit Data Subject Access Requests (DSAR) by email to: team@cerb.ai

Right of Choice

You have the right to express affirmative consent (opt-in) before the transfer of your sensitive personal information to third-parties for any use other than those necessary for us to provide your requested services.

Sensitive personal information includes, but is not limited to: medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information specifying the sex life of the individual.

Absent your consent, we will not transfer your sensitive personal information to third parties for any purpose other than those explicitly outlined in this document.

You may formally opt out of all non-essential third-party information disclosure through email to: team@cerb.ai. Please include the associated email addresses you wish to opt-out with.

Right to be Forgotten

You have the right to the erasure of any personal data we have collected from you or about you.

Please submit data removal requests by email to: team@cerb.ai

California Privacy Rights

Residents of the State of California have the right to opt-out of our disclosure of personal information to third parties for the purpose of allowing such third parties to directly market their products and services.

We do not disclose your personal information to advertisers.

You may formally opt out by emailing: team@cerb.ai

What Personal Data We Collect

In connection with our business, we operate the cerb.ai project website, as well as Cerb Cloud, a subscription-based “software as a service” offering, on the cerb.me, cerb.cloud, and cerb.email domains.

Cerb Cloud

We develop and sell Cerb, a software application (as-a-service and on-premises) for sharing team inboxes, building collaborative workspaces, managing customer relationships, and automating business workflows.

We maintain profiles on our customers and their organizations based on past interactions (e.g. email address, gender, date of birth, IP addresses, public social media photos, organizational affiliation and job title, email support history, and order history).

With Cerb Cloud, we act as a data processor for companies around the world. Due to the customizable design of Cerb, our clients (as data controllers) may store any kind of personal data about their own clients (as data subjects). Depending on the nature of our clients’ organization, or the type of email they receive (e.g. newsletters, receipts, test results), this may include sensitive personal data – race/ethnicity, political opinions, religion, health, sexuality, etc.

Aside from what processing is necessary to provide the service (e.g. web server access logs, storage, aggregate usage info), we do not directly process personal information within our clients’ databases.

Cookies

A cookie is a string of information that a website stores on a visitor’s computer, and that the visitor’s browser provides to the website each time the visitor returns.

We use cookies to identify and track visitors, observe their usage of our website, and store their website access preferences.

Visitors who do not wish to have cookies placed on their computers should set their browsers to refuse cookies before using our websites, with the drawback that certain features of our websites may not function properly without the aid of cookies.

Web-based software applications like Cerb require cookies to be enabled, although their use is limited to identifying distinct user sessions.

Non-personally identifying information

Like most website operators, we collect non-personally identifying information of the sort that web browsers and servers typically make available, such as the browser type, language preference, referring site, and the date and time of each visitor request.

Our purpose in collecting non-personally identifying information is to better understand how visitors use our websites and web-based applications.

Potentially personally identifying information

We also collect “potentially personally identifying” information like Internet Protocol (IP) addresses for website visitors. We only disclose IP addresses under the same circumstances that we use and disclose personally identifying information as described below.

Personally identifying information

Certain visitors to our websites choose to interact in ways that require us to gather personally identifying information. The amount and type of information that we gather depends on the nature of the interaction.

For example, we ask users who sign up for Cerb Cloud to provide an email address. Those who choose to engage in financial transactions with us (e.g. by purchasing products and services) are asked to provide additional information, including as necessary the personal and financial information required to process those transactions.

In each case, we collect such information only insofar as is necessary or appropriate to fulfill the purpose of the visitor’s interaction.

We do not disclose personally identifying information other than as described below.

Visitors can always refuse to supply personally identifying information, with the caveat that it may prevent them from purchasing licenses or engaging in certain services.

Ads

We do not display third-party advertising on our websites or in our applications. We do not willfully disclose any personal information to advertisers.

Testimonials

We display a list of clients and testimonials on our websites. We do not disclose the names of licensed organizations, or their representatives, without explicit permission, except in the event that a client freely discloses their identity through postings on public forums or social media networks.

Aggregated Statistics

We collect statistics about the behavior of visitors to our websites and users of our Cerb Cloud service.

For instance, we gather metrics about individual Cerb instances such as the number of active workers, addresses, conversations, messages, and attachments; the composition of file attachments, such as distributions of sizes or file types; or the amount of activity over a given time period.

This information is used to improve the usability and performance of products and services provided by us, as well as to curtail abuse.

We may display this aggregate, anonymous information publicly or provide it to others. However, we do not disclose personally identifying information other than as described below.

Why and To Whom We Disclose Personal Data

We disclose personally identifying information only to those of our employees, contractors, and affiliated organizations who both:

  • Require that information to process your requested products and services on our behalf,
  • Have agreed not to disclose it to others.

Some of those employees, contractors, and affiliated organizations may be located outside your home country; and by using our websites and services you consent to the transfer of such information to them.

We have not, and will not, rent or sell personally identifying information to anyone.

Other than to our employees, contractors, and affiliated organizations, as described in this section, we disclose personally identifying information only in response to a subpoena, court order, or other governmental request, or when we believe in good faith that disclosure is reasonably necessary to protect our property or rights, or those of third parties, or of the public at large.

Amazon Web Services (AWS)

We remotely provision, administer, and maintain servers in various data centers throughout the world.

Our website, and web-based applications like Cerb Cloud, are provided through cloud computing services provided by Amazon Web Services.

In cloud environments, many users from various organizations share a pool of resources like computational power and storage capacity, although provisioned resources are isolated from one another to a similar degree as dedicated servers in a datacenter.

Due to the remote nature of cloud computing, authorized technicians from our vendors and service providers may have temporary access to our servers in order to perform physical maintenance and upgrades, or to provide hands-on assistance with troubleshooting issues like hardware failures.

In such events we defer to the AWS privacy policy: https://aws.amazon.com/privacy

Limit your disclosure to AWS: Use a Cerb self-hosted license rather than the Cerb Cloud managed service.

Banking through Freshbooks, WePay, Stripe, Wells Fargo, and PayPal

We do not store credit card information on our servers.

For one-time transactions we do not save credit card or bank account numbers anywhere, although we do store email-based receipts that include contact information, redacted account information, payment type, transaction IDs, and authorization codes.

For recurring transactions, payment information is stored with vendors who adhere to the Payment Card Industry Data Security Standards (PCI DSS). We contract with FreshBooks and Stripe for sending invoices and collecting payments, and they protect and encrypt financial information in accordance with regulations.

The electronic payments we receive through Freshbooks are collected by WePay.

Depending on a client’s preferred payment method, these transactions may alternatively take place through other vendors like PayPal, Stripe, or wire transfers to Wells Fargo Bank NA.

We do not have direct access to client credit card numbers or bank account information through any of these vendors. Bank account information may be disclosed through the use of paper checks, but we do not retain it.

Limit your disclosure to our payment processors: Use a payment method with minimal exposure of personal or financial information (e.g. PayPal).

Google (G Suite)

We contract with Google for hosting and archiving our corporate email accounts.

They have access to data from email messages (e.g. sender, subject, body, and attachments).

They do not have access to any client data outside of email communication.

Limit your disclosure to Google: Do not include personal information in email correspondence with us, or encrypt this information with our public key found on our website.

Your Privacy Choices

We provide the following privacy choices for your data:

  • You may choose to not provide us with certain information. To subscribe to Cerb Cloud, or to purchase a self-hosted Cerb license, we only require a verified email address and a seat count. We do not require you to disclose your name, organization, location, phone number, revenue, employee count, or other personal details.

  • You may choose to host our software on your own servers and network without transmitting any data to us. We optionally provide Cerb Cloud as a fully-managed service where you retain control over the data you choose to send to us.

  • You may choose to arrange payment through an intermediary like PayPal to protect your financial information.

  • You must opt-in to receive newsletters and other marketing email from us. At any time, you may opt-out of marketing communications by clicking the “unsubscribe” link found at the bottom of such messages. Note that after you opt-out, you may still receive email from us related to your active licenses and services, or in response to information you have requested.

  • You may receive a full backup of your content from Cerb Cloud at any time by contacting team@cerb.ai.

  • You may delete records and other data within your Cerb instance. Use the search menu in the top right of the application, edit a record, and click the Delete button.

  • You may request that we delete your personal profiles, organizational profiles, and/or testimonials, from our client database by contacting team@cerb.ai.

  • You may close your Cerb Cloud account and request that your data and backups be permanently deleted by contacting team@cerb.ai.

Security and Safeguards

We take reasonable precautions to protect your data and personally identifying information.

We do not have physical access to any of our servers or online storage mediums. These servers are protected within state-of-the-art data centers.

We perform 24/7/365 monitoring of our network and service infrastructure. This includes server load, process information, account access, service utilization, network activity, and logs.

Web-based communication with our servers is protected through 256-bit encryption via Secure Socket Layer (SSL) technology when URLs are prefixed with “https://”. This feature is required and automatically enforced for all Cerb Cloud subscriptions. It is the responsibility of clients and their representatives to ensure the use of SSL elsewhere.

Our technicians securely access our servers using Secure Shell (SSH) encryption. Logins are authenticated with RSA keys rather than simple passwords. Two-factor authentication is used with vendors and services that support it. We do not provide direct client access (e.g. SSH, Telnet, FTP) to machines housing Cerb Cloud data for multiple tenants. Instances with a need for direct access are hosted on isolated private servers.

We have disabled non-secure features in our PHP environment (e.g. process control, shell command execution, remote file includes) to protect against arbitrary code execution. To protect against cross-site scripting (XSS), we “escape” all user-provided data that is displayed in a web browser. Cerb also contains security mechanisms to combat cross-site request forgery (CSRF), and other common attack vectors.

Disclosure of Security Breaches

We will notify you as soon as possible if a security breach results in the potential disclosure of any personally identifiable information or data related to your account. At the conclusion of a security investigation, we will provide you with a report about the nature of any compromised data (e.g. email addresses, worker account passwords) and the actions taken to prevent future intrusions.

Backups

Cerb has two main components for storing customer data: (i) the database, and (ii) the /storage/ filesystem (which contains immutable objects like email attachments). Data is distributed among many servers in our Cerb Cloud network within Amazon Web Services.

If you communicate with us, or use Cerb Cloud services provided by us, your information will be routinely copied for the express purpose of maintaining backups for continuity and disaster recovery.

Disposal of Data and Backups

Upon cancellation, we remove all live client data from the Cerb Cloud network and send a final backup to Amazon S3. We will attempt to make arrangements for this backup to be transferred to the client before permanently destroying our final copy. Without an explicit request for their immediate removal, backups may be persisted for several years.

We will comply with any written, and duly authenticated, client requests for the immediate destruction of all account data and backups.

Business Transfers

If WGM or substantially all of its assets were acquired, or in the event that we go out of business or enter bankruptcy, user information would be one of the assets that is transferred or acquired by a third party. You acknowledge that such transfers may occur, and that any acquirer of WGM may continue to use your personal information as set forth in this policy.

Data Protection Addendum

If you require a signed Data Protection Addendum (DPA) for GDPR compliance, you may download ours here. This document formalizes the contract between data exporter and data importer, as well as describing the rights of data subjects. Please review the terms and return a signed copy to team@cerb.ai.

Privacy Policy Changes

Although most changes are likely to be minor, we may modify this Privacy Policy from time to time at our sole discretion. You are encouraged to frequently check this page for any changes to the Privacy Policy. Your continued use of this site after any change in this Privacy Policy will constitute your acceptance of such change.

Changelog

  • 02-October-2023: Updated the URL for JAMS dispute resolution.

  • 19-September-2023: Clarified that arbitration is a right of all covered individuals under the DPF (EU, UK, Swiss).

  • 06-September-2023: Updated the ‘Data Privacy Framework’, ‘Your Personal Data Rights’, and ‘Why and To Whom We Disclose Personal Data’ sections for DPF certification.

  • 28-August-2023: Updated Privacy Shield to the Data Privacy Framework.

  • 11-December-2019: Added instructions to the ‘Your Privacy Choices’ section.

  • 03-January-2019: Published the Privacy Shield sections.

  • 20-December-2018: Updated Privacy Shield sections for review and compliance (“Your Privacy Choices” and “Liability For Onward Transfer”).

  • 05-October-2018: Added sections for Privacy Shield review and compliance.

License

This privacy policy is available under a Creative Commons Sharealike license derived from original groundwork by Automattic. WGM is not affiliated with Automattic.