Privacy Policy

1. Overview

MYID Self Verify ("MYID," "we," "us," or "our") is an enterprise identity and access management (IAM) security platform operated by Software Productivity Strategists, Inc. ("SPS"). This Privacy Policy explains how we collect, use, disclose, and protect information in connection with our platform, website, and related services (collectively, the "Services").

MYID operates primarily as a data processor on behalf of its enterprise customers ("Clients"). Clients are the data controllers responsible for the personal data of their end users (employees, contractors, and authorized personnel) processed through our platform. Our obligations to those individuals are governed by our Data Processing Agreement (DPA) with each Client.

This Policy applies to:

• Visitors to myidselfverify.com
• Prospective and current Client contacts and account holders
• End users whose data is processed through the MYID platform, to the extent applicable

2. Information We Collect

2a. Information You Provide Directly

• Contact information (name, business email, phone number, job title, company name) submitted via demo requests, contact forms, or account setup
• Account credentials for Client administrator accounts
• Communications with our support or sales team

2b. Information Collected Automatically (Website)

• IP address, browser type, device type, and referring URLs
• Pages visited, time on page, and click behavior via cookies and web analytics tools
• For full details, see our Cookie Policy at myidselfverify.com/cookies

2c. Data Processed on Behalf of Clients (Platform)

When Clients deploy MYID Self Verify, we process the following categories of end-user data as a data processor under Client instructions:

• Identity attributes: usernames, employee IDs, email addresses, department, and role
• Authentication events: login attempts, timestamps, device identifiers, IP addresses, and geolocation data
• MFA and push notification responses
• Session data: active sessions, session duration, and termination events
• Credential lifecycle events: password resets, account lockouts, provisioning and deprovisioning actions
• Security incident data: anomaly scores, threat alerts, and automated incident response actions
• Training and awareness records: MYID Learn completion status and audit logs
• Administrative audit logs: all administrator and privileged user actions within the platform

We do not store cleartext passwords. We do not access Client data except as required to deliver, secure, and support the Services.

3. How We Use Information

Website and prospecting data is used to respond to inquiries and schedule product demonstrations, deliver marketing communications where consent or legitimate interest applies, and analyze and improve our website and marketing effectiveness. Website inquiry and lead data is retained for 12 months from date of collection, or until a Client relationship is established or formally declined, whichever comes first.

Platform data is used solely to deliver the Services as configured and instructed by the Client; detect, investigate, and respond to security threats in real time; generate tamper-evident audit logs and compliance evidence; power MYID Autopilot, MYID Agent, and AI-driven response capabilities; provide technical support at Client request; and improve platform performance and security using aggregated, de-identified data only.

We do not sell, rent, or trade personal data. We do not use Client end-user data for advertising, profiling, or any purpose unrelated to the Services.

4. Our Role as Data Processor

For personal data processed through the MYID platform on behalf of Clients:

• The Client is the data controller — it determines the purposes and means of processing
• MYID is the data processor — it processes data only on documented Client instructions
• We execute a Data Processing Agreement (DPA) with each Client that governs processor obligations, sub-processor disclosure, data subject rights assistance, breach notification, and data deletion
• Sub-processors used in service delivery are listed in the DPA Appendix and updated with advance notice of material changes

5. Data Sharing and Disclosure

We do not sell personal data. We share data only as follows:

• Infrastructure and sub-processors: Microsoft Azure and other vendors used to operate the platform (detailed in the DPA sub-processor list)
• Identity platform integrations: IBM ISIM/ISAM, IBM Verify, Okta, Microsoft Entra ID, Ping Identity, Active Directory, and other identity providers configured by the Client — data is shared only at Client direction, as part of delivering the Services
• SIEM/XDR integrations: IBM QRadar, Splunk, and other security platforms configured by the Client for threat monitoring — data shared only under Client instruction
• Legal compliance: When required by applicable law, regulation, court order, or to protect the rights and safety of SPS, Inc., its Clients, or the public
• Business transfers: In connection with a merger, acquisition, or sale of assets — Clients will be notified in advance and their rights under the DPA preserved

6. Data Retention

Clients may request data export or deletion at any time through their account administrator or by contacting privacy@ext.myidselfverify.com. Extended retention may apply where required by applicable law or expressly agreed in a Client contract.

7. Security

We maintain an enterprise-grade security program designed to protect the sensitivity of the identity data we process. Key controls include:

• Encryption in transit (TLS 1.2 minimum) and at rest (AES-256)
• Multi-factor authentication enforced for all platform and administrative access
• Role-based access controls with least-privilege enforcement
• Continuous 24/7 monitoring and automated anomaly detection
• Tamper-evident audit logging of all access and administrative actions
• Annual third-party penetration testing
• Azure-managed infrastructure with 99.99% uptime SLA

Full details are available in our Security Disclosure.

8. Your Rights

Depending on your jurisdiction, individuals may have the right to access personal data held about them; correct inaccurate or incomplete data; request deletion of personal data; object to or restrict processing; receive data in a portable format; and lodge a complaint with a relevant supervisory or data protection authority.

For Client end users: Rights requests should be directed to your employer or the organization that deployed MYID (the data controller). We will support Clients in fulfilling such requests under our DPA obligations.

For website visitors and Client contacts: Submit requests to privacy@ext.myidselfverify.com. We will respond within 30 days.

California residents may exercise rights under the CCPA including the right to know, delete, and opt out of sale. We do not sell personal data. We do not discriminate against individuals who exercise their privacy rights.

Clients and end users located in the United Arab Emirates are subject to the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (PDPL). Data stored in our UAE-North region remains within that region unless otherwise agreed.

9. International Data Transfers

SPS, Inc. is based in the United States. Data processed through the MYID platform is stored in our US-East and UAE-North Azure regions. Transfer of data between regions occurs only at Client instruction or as required to deliver the Services, and is subject to appropriate contractual safeguards as specified in the DPA.

10. Children's Data

Our Services are designed exclusively for enterprise use by employed adults. We do not knowingly process personal data of individuals under the age of 18.

11. Changes to This Policy

We will notify Clients of material changes to this Policy at least 30 days in advance via email or platform notice. The current version will always be available at myidselfverify.com/privacy. Continued use of the Services after the effective date of an updated Policy constitutes acceptance.

12. Contact