Description of your new file.
This document summarizes the data being stored by Cryptolens AB (“Cryptolens”) to provide the service Cryptolens (https://app.cryptolens.io) and the protection measures we have in place to safeguard against accidental loss and data breach.
It should be used for informational purposes only. If you are unsure, please consult a lawyer.
You have the right to [1]:
To exercise your rights, please contact us at [email protected].
Once you start distributing your software, you will most likely have users using it. Depending on if you sell to end users directly (eg. for desktop apps) or indirectly (eg. for SDKs), different steps have to be taken to ensure compliance.
These different cases are summarized below: on the left is the when the end users are your direct customers and on the right is when the end users are customers of your customers.
If you use Cryptolens as it is intended to be used, there is no need to include a consent in your agreement. The only personal data that Cryptolens needs is the IP address and Machine Code of the end user device. Both of these are needed to provide your customers the service.
If you want to use this information for any other purpose, you need to obtain a consent from your customers.
In short, we collect two types of data: data about you and data about your customers. In cases where your customers integrate your software (eg. a library/SDK) as a part of theirs, the end user is also their customers.
To make this as general as possible, we will go through the features in Cryptolens and describe who this data belongs to.
Products is a way of grouping licenses. Many of the parameters in a product such as name
, description
and licenses
belong to you directly. However, if you collect information in the notes
field or data objects
that can be linked, directly or indirectly to a person, this then becomes personally identifiable information.
Note, be very careful with the way you define personal data, since even IP address are considered personal identifiable information. Even primary keys in a table can be considered as such, if they can be used to link the data, directly or indirectly, to a person.
Always ask the question whether the data you put in these fields is necessary to provide the service. If you need additional data, the user has to give you an explicit consent.
In order to to be able to tell the difference between the computers/devices (we refer to them as machines) that have activated their license, we store an additional set of fields for each of those machines. This includes:
Machine Code
- a device identifierIP
- the IP of the client device that performed the activation.IP Proxy
- the IP of the proxy (Cryptolens backed) used to perform the activation.Time
- the time of the first activation.The machine code
and the IP address
constitute personal identifiable information. We also have a record that links this to a certain key, but this is never returned through the API.
Activated machines are can be thought of as up-to-date records of who is entitled to use a license. Once they stop using the service (eg. by deactivating), this record will be removed. However, for statistical purposes, it can be useful to have a history of all licensing activity related activity:
Pid
- the product idKey
- the key id of the key always returnedIP
- the IP address that called this method. this is the client user’s IP. The anonymized IP address is used with the last bits masked.Time
- the date and time when the activation was performed (the first time).Machine Code
- a device identifierState
- a number with a certain pattern that describes the request and its results.FriendlyName
- a identifier that you can pass to add a label to the device. It is used to help you and your clients to map a device to a certain user easier.FloatingExpires
- the time when the floating license should expire.DOIntValue
- the int value associated with the data object.DOId
- the id the data object that was involved in the request.Similar to activated machines, the machine code
and the IP address
constitute personal identifiable information. In addition, we store your user id in order to ensure that we only return your records.
To facilitate grouping of licenses that belong to the same customer, we use the notion of customers. A customer object contains the following:
Name
- the name of the customer.Email
- the email of the customer.CompanyName
- the company name of the company the customer belongs to.All of the fields above are personal identifiable information. In addition, there are other fields that are associated with a customer object, such as the maximum number of machines, the id of the associated reseller, etc. You can find the complete list in the API documentation.
To make sure that we can send you correct invoice, we store billing information such as the company name, address, VAT Id.
For security purposes, we store the history of IP addresses used to login on your account.
The list below shows the list of sub processors that we are using to deliver you the service:
When developing Cryptolens, we apply an assume breach policy. This means that we develop components in such a way as to ensure that if a breach occurs, we can minimize its damage.
Cryptolens strives to only store data that is needed to provide the service. Once such data is no longer needed, it will be removed or anonymized. To be more precise:
Access to your information is restricted to specific employees. All employees that need to access your information have signed a non disclosure agreement.
By default, none of our employees access your data unless you ask us for help with troubleshooting. In such cases, sensitive data is masked and we always strive to minimize access to the information to what is needed to help you with a certain query.
We use the built in feature of Azure SQL Server for encryption of data at rest.
Our database firewall is restricted so that only authorized services can access it. Moreover, we restrict the permission each service has and mask sensitive fields.
Automatic backups occur on a daily basis.
In order to safeguard customer data and ensure compliance, both you as a software vendor and us as the data controller have to cooperate. In this section, we have outlined several tips of how to increase safety when using Cryptolens.
It is important to create access tokens
that have very constrained scopes of permissions. For example, be specific by:
Methods such as Activate and GetKey allow you to mask certain fields to boost privacy. Masking is especially important if you are developing an SDK. We recommend that you mask:
Notes
, Data objects
- if you are storing data related to your customer, since it will be visible by all the end users.Activated Machines
- should always be masked since it reveals personal identifiable information about the customers.Always use a strong password and preferably one that you cannot remember, relying on a password manager.
Two-factor auth provides an additional layer of protection on top of the password. Please
On the security settings page, please makes sure we have your correct email address.
Please do not use Web API 2. It can be blocked on the security settings page.
You can add Object locks to prevent accidental deletion of objects, for example, products and access tokens.
Description of your new file.
This document summarizes the data being stored by Cryptolens AB (“Cryptolens”) to provide the service Cryptolens (https://app.cryptolens.io) and the protection measures we have in place to safeguard against accidental loss and data breach.
It should be used for informational purposes only. If you are unsure, please consult a lawyer.
You have the right to [1]:
To exercise your rights, please contact us at [email protected].
Once you start distributing your software, you will most likely have users using it. Depending on if you sell to end users directly (eg. for desktop apps) or indirectly (eg. for SDKs), different steps have to be taken to ensure compliance.
These different cases are summarized below: on the left is the when the end users are your direct customers and on the right is when the end users are customers of your customers.
If you use Cryptolens as it is intended to be used, there is no need to include a consent in your agreement. The only personal data that Cryptolens needs is the IP address and Machine Code of the end user device. Both of these are needed to provide your customers the service.
If you want to use this information for any other purpose, you need to obtain a consent from your customers.
In short, we collect two types of data: data about you and data about your customers. In cases where your customers integrate your software (eg. a library/SDK) as a part of theirs, the end user is also their customers.
To make this as general as possible, we will go through the features in Cryptolens and describe who this data belongs to.
Products is a way of grouping licenses. Many of the parameters in a product such as name
, description
and licenses
belong to you directly. However, if you collect information in the notes
field or data objects
that can be linked, directly or indirectly to a person, this then becomes personally identifiable information.
Note, be very careful with the way you define personal data, since even IP address are considered personal identifiable information. Even primary keys in a table can be considered as such, if they can be used to link the data, directly or indirectly, to a person.
Always ask the question whether the data you put in these fields is necessary to provide the service. If you need additional data, the user has to give you an explicit consent.
In order to to be able to tell the difference between the computers/devices (we refer to them as machines) that have activated their license, we store an additional set of fields for each of those machines. This includes:
Machine Code
- a device identifierIP
- the IP of the client device that performed the activation.IP Proxy
- the IP of the proxy (Cryptolens backed) used to perform the activation.Time
- the time of the first activation.The machine code
and the IP address
constitute personal identifiable information. We also have a record that links this to a certain key, but this is never returned through the API.
Activated machines are can be thought of as up-to-date records of who is entitled to use a license. Once they stop using the service (eg. by deactivating), this record will be removed. However, for statistical purposes, it can be useful to have a history of all licensing activity related activity:
Pid
- the product idKey
- the key id of the key always returnedIP
- the IP address that called this method. this is the client user’s IP. The anonymized IP address is used with the last bits masked.Time
- the date and time when the activation was performed (the first time).Machine Code
- a device identifierState
- a number with a certain pattern that describes the request and its results.FriendlyName
- a identifier that you can pass to add a label to the device. It is used to help you and your clients to map a device to a certain user easier.FloatingExpires
- the time when the floating license should expire.DOIntValue
- the int value associated with the data object.DOId
- the id the data object that was involved in the request.Similar to activated machines, the machine code
and the IP address
constitute personal identifiable information. In addition, we store your user id in order to ensure that we only return your records.
To facilitate grouping of licenses that belong to the same customer, we use the notion of customers. A customer object contains the following:
Name
- the name of the customer.Email
- the email of the customer.CompanyName
- the company name of the company the customer belongs to.All of the fields above are personal identifiable information. In addition, there are other fields that are associated with a customer object, such as the maximum number of machines, the id of the associated reseller, etc. You can find the complete list in the API documentation.
To make sure that we can send you correct invoice, we store billing information such as the company name, address, VAT Id.
For security purposes, we store the history of IP addresses used to login on your account.
The list below shows the list of sub processors that we are using to deliver you the service:
When developing Cryptolens, we apply an assume breach policy. This means that we develop components in such a way as to ensure that if a breach occurs, we can minimize its damage.
Cryptolens strives to only store data that is needed to provide the service. Once such data is no longer needed, it will be removed or anonymized. To be more precise:
Access to your information is restricted to specific employees. All employees that need to access your information have signed a non disclosure agreement.
By default, none of our employees access your data unless you ask us for help with troubleshooting. In such cases, sensitive data is masked and we always strive to minimize access to the information to what is needed to help you with a certain query.
We use the built in feature of Azure SQL Server for encryption of data at rest.
Our database firewall is restricted so that only authorized services can access it. Moreover, we restrict the permission each service has and mask sensitive fields.
Automatic backups occur on a daily basis.
In order to safeguard customer data and ensure compliance, both you as a software vendor and us as the data controller have to cooperate. In this section, we have outlined several tips of how to increase safety when using Cryptolens.
It is important to create access tokens
that have very constrained scopes of permissions. For example, be specific by:
Methods such as Activate and GetKey allow you to mask certain fields to boost privacy. Masking is especially important if you are developing an SDK. We recommend that you mask:
Notes
, Data objects
- if you are storing data related to your customer, since it will be visible by all the end users.Activated Machines
- should always be masked since it reveals personal identifiable information about the customers.Always use a strong password and preferably one that you cannot remember, relying on a password manager.
Two-factor auth provides an additional layer of protection on top of the password. Please
On the security settings page, please makes sure we have your correct email address.
Please do not use Web API 2. It can be blocked on the security settings page.
You can add Object locks to prevent accidental deletion of objects, for example, products and access tokens.