Privacy Policy

Last updated: August 1, 2023.

This Privacy Policy (“Policy”) informs you of the types of information Fidelis Security, LLC, including all affiliates (“Fidelis,” “we,” “us,” “our,” or the “Company”) collects about you when you visit our website at https://fidelissecurity.com, https://portal.cloudpassage.com, and associated sub-domains (“Site”); download and install any of our products, or any installer or other applications we provide to you (collectively, “Software”); or utilize any of our services (the “Services”), and how we use that information. The term “Fidelis Services” means the Site, the Software, and the Services. By visiting the Site, downloading the Software, or utilizing our Services, you agree to the provisions of this Policy. Unless stated otherwise, our current Policy applies to all information that we collect from or about you.

This Policy does not apply to information collected by any third party, including through any application or content that links to or is accessible from the Fidelis Services. If you do not agree to the terms of this Policy, please do not use, access, download, install, or utilize (collectively, “use”) any Fidelis Services or otherwise provide us with any personal data.

Information We Collect and How We Use Your Information

Below we have outlined the categories of personal data that Fidelis will collect, and the applicable processing purposes associated with the Fidelis Services. Fidelis does not process personal data revealing religious beliefs, racial or ethnic origin, political opinions, philosophical beliefs, trade union membership, or sex life. Fidelis will only process personal data that is necessary for carrying out the purpose for which it was collected. The legal basis for the processing purposes listed below is either (i) in connection with a contract, (ii) legitimate business interests (if such interest is not overridden by an individual’s fundamental rights and freedoms or interests), (iii) other applicable legal provisions, or (iv) an individual’s explicit consent. The legitimate business interests are mainly order fulfillment, responding to customer inquiries, communicating with customers and Site users who have requested communication from Fidelis, and promoting Fidelis’ business.

While Using the Fidelis Software and Services

As an integral part of its functionality, the Software will automatically collect, transmit, process, and store certain data and files (“Environment Data”). Such Environment Data is transmitted to our servers so that we can identify potential or actual malicious code, malware, or other intrusive artifacts or processes (collectively “Potentially Malicious Activity”); ensure that the environment being monitored is securely configured; track Software usage and performance; improve the detection, analysis, and response capabilities of the Software; and research emerging threats.

Fidelis supports multiple deployment configurations of the Software to meet our customers’ varying functional, security, privacy, and compliance requirements:

  • On-premise deployments: The Software is deployed within the customer’s IT environment and configured, operated, and maintained by customer personnel. Personal Data is retained within the customer’s IT environment and, unless authorized and enabled by the customer, Fidelis will not have access to Personal Data. The customer, at their sole discretion, may configure the on-premise processing systems to transfer select Environment Data from on-premise processing systems to value added, cloud-based software services operated and maintained by Fidelis (e.g., Fidelis’ malware analysis Sandbox service). When these external data transfers are enabled, the customer is responsible for ensuring that any such transfers are compliant with applicable data privacy policies and regulations.
  • Software-as-a-Service (SaaS) deployments: Fidelis processing capabilities are deployed within a cloud-based environment that is operated and maintained by Fidelis and delivered to the customer as software services. Software services interact with Fidelis sensors and agents deployed by customer personnel within the customer’s IT environment. To the extent necessary for Fidelis to perform services under the Agreement, the Fidelis sensors and agents may collect and transfer Environment Data to Fidelis software services that may contain Personal Data. Fidelis personnel responsible for operating and maintaining Fidelis software services may incidentally access Personal Data in conjunction with operating and maintaining the services.

The specific Environment Data collected by the Software differs for each Product and Service and depending on the Software deployed, may include network traffic samples; executable code; potentially malicious data files; the path and file name of potentially malicious code and files; file and system integrity information; system vulnerabilities; memory contents; user names and user account information; IP and MAC Addresses; network information; hardware type; model number; hard disk size; CPU type; disk type; RAM size; systems architecture; operating system versions; BIOS model and version; device ID and location; information about third-party products; and other configurations, settings, and artifacts that exist on, or are being introduced into the computer system, network, or cloud environment being monitored by the Software.

When Accessing the Fidelis Site and Services

We will automatically collect certain aggregate information and analytical data related to the use of the Fidelis Websites and Services (including visiting the Site – see “Tracking Technologies” below), including the date and time of the visit; the Internet Protocol (“IP”) address of the computer; information about the browser and operating system used; the state or country from which the Site was accessed; the Internet address visited before reaching the Site; error logs; the name of the domain and host used to access the Internet; the features of the Site that were accessed; and other hardware and software information. We will associate the data we automatically collect about you with personal data that you share with us. We use data automatically collected about you as described in this Policy and to manage traffic loads and information technology requirements for providing reliable service, as well as to enhance the Site by tailoring our content to your interests and needs.

Email & Marketing Communications

If you opt-in (online or in person) to our mailing list or to receive additional information, attend a webinar, or sign up to attend a live event, you will receive emails that include company news, updates, related product or service information, marketing materials, and other information related to Fidelis Services including any information that you have requested. In order to receive these communications, you must provide your name, company name, email address, and phone number. We will associate any personal data you submit to us with information collected about you through other means such as cookies, web beacons, or social media plugins. This will help us better tailor content delivered to you through a variety of ways, including online advertisements. Some of our third-party business partners provide Fidelis with services that require us to provide them with your personal data. These third-party business partners are not permitted to use the information collected on our behalf except to help us conduct business, improve, or provide the Fidelis Services. We include unsubscribe instructions at the bottom of each email if at any time you would like to unsubscribe from receiving future emails.

We will also send you notifications via email regarding Fidelis Services in order to keep you informed of any updates or changes to the Fidelis Services (e.g., product updates and support communications). These email communications are essential for the continued functionality of the Fidelis Services, and you will continue to receive these types of email communications even if you choose to opt-out of any other email communication from us.

If you would like to review your communication preferences, or if you do not want to receive further information or materials from us, you can update your information or opt-out by following the instructions contained within each communication from us. You can also contact us at [email protected] or write to us at the address listed at the end of this Policy.

Your Account Information

Information you provide when you create an account on our Site, register your Software, or in relation to the receipt of any other Service includes your name, company name, personal and/or business email address, phone number, and any other personal data you provide (“Account Information”). Your Account Information is stored securely with controlled access and used to inform you of updates, respond to inquiries for service requests, authenticate your use of the Software, manage the Site and the Software, assess the usage of the Services, and (where you have signed up to receive communication from us) send you email and marketing communications.

We will also collect and process your personal and financial information (bank account information and business contact information) so that we can process your purchase of our Software and Services.

In connection with providing Fidelis Services to its clients, Fidelis collects personal data from employees and customers of our clients, users of our clients’ networks and systems, and individuals that connect to our clients’ networks and systems. The use of information collected as a result of providing Fidelis Services to our clients will be limited to the purposes for providing the Software or Services to the client. We will transfer personal data to other companies that help us provide our Software and Services to our clients. Transfers to subsequent third parties are covered by the service agreements with our clients.

Tracking Technologies

Fidelis and its partners use cookies or similar technologies to analyze trends, administer the Site, track users’ movements around the Site, and gather demographic information about our user base as a whole. The technologies we use for automatic data collection include, e.g., browser cookies, web beacons, and flash cookies. Cookies are used to:

  • Review and report total audience size and traffic.
  • Provide customized content.
  • Track any preferences you specify while you are using Fidelis’ products and services.
  • Conduct research to improve Fidelis’ content and services.
  • Provide targeted advertising in relevant contexts on external sites.
  • Keep track of preferences you specify while you are using third-party services.
  • Enable third parties to aggregate anonymous user behavior data and provide such research data to Fidelis.
  • Monitor and report on site and service usage across our website.

You may manage how your mobile device and browser handles cookies by adjusting its privacy and security settings. Mobile devices and browsers are different, so refer to instructions related to your device and browser to learn about cookie-related and other privacy and security settings that may be available. You can control the use of cookies at the individual browser level, but if you choose to disable cookies, it may limit your use of certain features or functions on our website or service. Currently, we do not alter our data collection and use practices in response to Do Not Track signals.

Third-Party Use of Cookies and Other Tracking Technologies

Some content or applications, including advertisements, on the Site are served by third-parties, including advertisers, ad networks and servers, content providers, and application providers. These third parties may use cookies (alone or in conjunction with web beacons or other tracking technologies) to collect information about you when you use our Site.

Outside Parties; Disclosure of Information

Except as provided in this Policy, we do not sell, trade, lease, rent, or otherwise transfer your personal data to third parties. We reserve the right to share your information with third-party business partners and service providers who assist us in operating our Site, conducting our business, and providing you with the Fidelis Services. Fidelis requires these third parties to take commercially reasonable steps to safeguard your personal data and not use your personal data for other purposes unless you consent.

We will also disclose your personal data as required by law, such as to comply with a subpoena or other legal process, when we believe in good faith that such disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, respond to a government request, or to conduct investigations of violations of our End User License Agreement. For example, if we conduct a fraud investigation and conclude that one side has engaged in deceptive practices, we may provide that person or entity’s contact information to victims who request it.

We may also provide access to, assign, or disclose information maintained by us, including your Account Information, in connection with a corporate transaction, such as a merger, acquisition, or purchase of all or substantially all of our assets.

Third-Party Links

The Site includes links to third-party sites, products, or services, and your access to these third-party sites, products, or services will result in the collection or sharing of your information. These third parties have separate and independent privacy policies. We are not responsible or liable for the content and activities of these linked sites, products, or services. The inclusion of these third-party sites, products, or services on our Site shall not be construed to be an endorsement or representation regarding any third-party sites, products, or services. We encourage you to review the privacy policies of such third parties. Your data may be used by third parties such as AdRoll to target advertising on other sites based on your online activity. Users can opt out of receiving targeted advertising by DAA, NAI, or EDAA (Europe only).

Your Rights With Regard to Your Personal Data

We remind you that you may at any time exercise the following rights:

  • The right to request access to your personal data, which includes the right to obtain confirmation from us as to whether or not personal data concerning you is being processed, and where that is the case, access to the personal data and information related to how it is processed.
  • The right to rectification or erasure of your personal data, which includes the right to have incomplete personal data completed, including by means of providing a supplementary statement, and certain rights to request us to erase your personal data without undue delay.
  • The right to restrict processing concerning your personal data, which includes restricting us from continuing to process your personal data under certain circumstances (e.g., where you contest the accuracy of your personal data, processing is unlawful, your personal data is no longer needed for the purposes of processing, or you have otherwise objected to processing related to automated individual decision-making).
  • The right to object to processing concerning your personal data, where your personal data is processed for direct marketing purposes, where processing is necessary for the performance of a task carried out in the public interest, or where processing is necessary for the purposes of the legitimate interests pursued by the Company or a third party, unless we demonstrate compelling legitimate grounds for the processing which override such interests.
  • The right to data portability, which includes certain rights to have your personal data transmitted from us to another controller.
  • Where data processing is based on your consent, the right to withdraw consent at any time.
  • The right to lodge a complaint with a supervisory authority.

Any requests related to the above rights may be made by contacting us at [email protected].

Fidelis acknowledges that you have the above rights regarding your personal data. However, Fidelis has no direct relationship with the individuals whose personal data it will process on behalf of Fidelis’ clients. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data should direct their query to Fidelis’ client (the data controller).

Security

We have implemented measures designed to secure your personal data from accidental loss and from unauthorized access, use, alteration, and disclosure (such as identity and access management, password rotation, access control monitoring, and leading firewall technologies). Personal data provided to us in accordance with this policy will be encrypted in transit.

Cross-Border Transfers of Personal Data

The information we collect will be stored in the United States because our operations are primarily in the United States. As such, your information will be transferred to, used, processed, or maintained on computers located outside of your province, country, or other governmental jurisdiction, and privacy laws may not be as protective as those in your jurisdiction. In situations where you are located outside the United States and choose to provide information to us, we will transfer your information to the United States and process it there.

Where transfers of personal data are made outside of the European Economic Area (“EEA”) to countries that have different standards of data protection, we will ensure that appropriate safeguards to adequately protect the personal data are implemented to ensure such data transfers are in compliance with applicable data protection laws. We have implemented international data transfer agreements based on EU Standard Contractual Clauses in order to provide appropriate and suitable safeguards for personal data being transferred to countries outside the EEA where an adequate level of protection is not already guaranteed. A copy can be obtained by contacting us (contact information provided below).

Children Under the Age of 16

We do not knowingly collect any information from anyone under 16 years of age, and the Fidelis Services are not intended nor are they directed to children under the age of 16. If you become aware that your child has provided us with personal data without your consent, please contact us at [email protected]. A parent or guardian of a child under the age of 16 may review and request deletion of such child’s personal data as well as prohibit the use thereof. If we become aware that a child under 16 has provided us with personal data, we will take steps to remove such information from our active systems and will terminate the child’s account.

Data Retention

Unless otherwise required by law, Fidelis will erase personal data when it is no longer necessary in relation to the purposes for which it was collected or otherwise processed; when you withdraw your consent (where lawfulness of processing was based on your consent) and there is no other legal ground for the processing; when you object to the processing and there are no overriding legitimate grounds for the processing; when your personal data has been unlawfully processed; and when it is necessary to comply with legal obligations.

Terms of Service for Site Usage

Please also visit our Terms of Service section establishing the use, disclaimers, and limitations of liability governing the use of the Site at Terms of Service.

Additional Terms and Conditions for Software

This Policy applies only to information collected through our Site or by the use of our Software or the utilization of our Services and not to information collected offline. Your download and use of our Software is subject to additional terms and conditions that define your rights, as well as our rights, with respect to the Software and its use. Those additional terms and conditions are contained in the Evaluation Agreement or End User License Agreement that you are required to accept prior to downloading the Software.

Effective Date; Changes to Our Privacy Policy

Each time you use the Fidelis Services, the current version of this Policy will apply. We reserve the right to change this Policy at any time to reflect changes in the law, the Fidelis Services we provide, our business and technology, and our data collection and use practices. Accordingly, each time you use the Fidelis Services, you should check the date of this Policy (which appears at the top of the Policy) and review any changes since the last version. If we make any material changes, we will notify you by the email address specified in your Account Information or by means of a notice on the Site prior to the change becoming effective.

Your continued use of the Fidelis Services following the posting of changes to this Policy will mean you accept those changes.

Notice To California Residents

If you are a California resident, California Civil Code Section 1798.83 permits you to request and obtain from us once a year, free of charge, information regarding the disclosure of your personal data by the Company to third parties for the third parties’ direct marketing purposes. With respect to these entities, this Policy applies only to their activities within the State of California. If you are a California resident and would like to request this information, please send an email to [email protected] or write to us at the address below.

Contacting Us

If there are any questions regarding this Policy or our privacy practices, you may contact us using the information below:

Fidelis Security, LLC
Vice President & General Counsel
871 Marlborough Ave Suite 100
Riverside, CA, 92507
USA

If you are a resident in the European Economic Area, Fidelis Security, LLC is the data controller of your personal data, except where we are only acting as a processor on behalf of another controller.
