Find answers to the most common security and privacy related questions.
Q: Where can I find or download information about HID Origo's security certifications or accreditations?
This can be found on HID Global's Certification page.
Q: How can I attain a penetration test report for an HID Origo service?
While we do not share full penetration test reports with external parties, executive summaries can be provided if a nondisclosure agreement is signed. Please contact your Sales representative or email firstname.lastname@example.org.
Q: How often does HID Global perform independent, third-party security audits or assessments?
Independent external audits and penetration tests are conducted at least yearly.
Q: What third-party suppliers does HID Global leverage that store customer data?
|Google LLC||US||API Gateway, Google Analytics|
|Amazon Web Services||US, Ireland||Infrastructure, security and integration services|
|HSL Mobile||UK||Deliver one-time passwords via SMS for two-factor authentication to mobile phones. The phone numbers are not linked to individuals and the information is not retained after it has been delivered|
|Rapid7 LLC||US||Central storage and analysis of application log files|
|Mixpanel||US||Usage analytics data from the HID Origo SDK|
Q: Will HID Global notify customers if the list of third-party suppliers changes?
Customers will soon be able to subscribe to notifications of such changes.
Q: How do you notify customers if security incidents or breaches occur?
HID Global promptly notifies impacted customers of any actual or reasonably suspected unauthorized disclosure of their respective customer data to the extent permitted by law. Customers affected by a data breach will be informed by email about the nature of the breach, summary of impact, root cause analysis and mitigation.
Q: Can customers configure their own password policy?
No, this is not supported at the moment, but support for SSO using SAML 2.0 is under implementation (please see question below).
Q: Does HID Global support SSO and/or SAML 2.0 for user authentication?
This is in pre-release, so we can make it available to a customer if required. This is currently limited to administrative users. Please contact your Sales representative if you have such a request.
Q: Does the application/service offer two-factor authentication for login?
Yes, a configuration option for two-factor authentication (OTP to mobile phone) for HID Origo Management Portal administrators exists.
Q: What categories of personal data are collected?
Personal data in the HID Origo services is divided into the following categories:
For detailed information regarding the type of data collected, as well as the purpose of the data collection, please read the privacy notices:
Q: For which purposes is the data collected?
How and why HID uses personal data is described in the data privacy notices (please see question “What categories of customer data are collected?”).
Furthermore, technical and usage information is collected for analysis of:
Q: Does the customer own their data?
The customer owns the administrator data and end user data for their web portal administrators and end users of the mobile app.
HID Global owns the technical and usage information to fulfil our obligations and provide customers with the licensed material and services.
Q: Would any third-party suppliers collect or have access to customer data?
HID leverages a limited number of third-party suppliers to provide the HID Origo services. Personal data is minimized, encrypted, pseudonymized and/or anonymized to limit direct third-party access. We also ensure data processing agreements and security agreements are in place with our suppliers. Please refer to the Security FAQ section above for more information about our third-party suppliers.
Q: How can the customer request access, rectification or erasure of personal data of a user?
Portal administrators are able to perform these actions in the HID Origo Management Portal. Customers can also email email@example.com for such requests. We will ask you to fill out a form and will fulfil your request within one month of receipt.
Q: Where is the data stored?
In the U.S and Europe. Please refer to the Security FAQ section above for more detailed storage information.
Q: Is HID certified under the EU-US Privacy Shield?
Yes, HID has self-certified to the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework. For more information, please read our Privacy Shield Statement at https://www.hidglobal.com/about/privacy.
Q: How long is personal data retained?
Personal data is retained as long as the customer is using the service(s). Upon contract termination, personal data is returned and purged within 30 days.
Technical and usage information in the data analytics platform is de-identified and retained for 10 years.
De-identified location data (GPS coordinates) has a retention period of 3 years.
Please see question “How is the collected data de-identified?” for more information regarding de-identification.
Backup retention time is 20 days.
Q: How is the collected data de-identified?
In the data analytics platform, user ID fields are replaced with a hashed identifier upon import, to ensure that no linkage can be performed back to the original data source. Some ID fields that can identify a person need to be possible to link to personal data in the source system. To ensure that the platform does not contain any such linkages, the identifiers are replaced with one-way hashes.
Q: Does the user have to enable location-based services for the app usage?
Enabling location services is voluntary. It is however recommended to enable this as it improves the performance of the app and provides a quicker opening time.
To disable/enable in iOS: Open the Mobile Access app and select Settings > Open system settings > Location > Never/While Using the App/Always
To disable/enable in Android: Open Settings > Apps > HID Mobile Access > Permissions > Toggle Location On/Off
Q: Does HID collect mobile app data beyond accessing the building?
GPS position and location data are tracked when the mobile ID is presented to the reader inside the building, as the user indicates an intention to unlock a door. However, if a user does an action indicating opening attempt (e.g. twist or clicking the app widget) when outside of the range of a reader, the gesture will result in a usage log and GPS position will be recorded. This data is de-identified (please see question “How is the collected data de-identified?”) and stored separately from any personal information. The user can choose to disable location-based services when the app is not in use, as described above.