Privacy Policy
Last updated: March 6, 2026
Thank you for taking the time to read our privacy policy. At Surge Security, Inc. ("Surge", "we", or "us"), your privacy is of the utmost importance. We want you to be fully informed about the information we collect, how it is used, disclosed, and protected, and the choices you have with it. This policy explains the privacy and data practices at Surge.
This privacy policy sets out how we collect, use, process, store, and disclose Personal Data in providing the Service and on https://surge.security, https://app.surge.security, and https://us.surge.security (collectively, the "Website"). Capitalized terms used but not defined in this Privacy Policy have the meaning given to them in our Terms and Conditions at https://app.surge.security/terms/.
Our Role
Surge provides (a) the Website and related marketing, sales, and support activities, and (b) the Service, which may include an option for Customers to collect and analyze certain data from their systems using the Agent.
For purposes of applicable data protection laws, Surge generally acts as a controller (or equivalent term under applicable law) when we determine the purposes and means of processing Personal Data — such as for Website analytics, account management, billing, and our own marketing, sales, and security operations.
When a Customer deploys the Agent or otherwise uploads data to the Platform in connection with the Service, Surge processes any Personal Data contained in that data solely on behalf of the Customer and in accordance with our agreement with that Customer and this Privacy Policy. In that context, the Customer is the controller (or equivalent), and Surge is a processor (or equivalent).
Personal Data We Collect
Personal Data we collect as a controller:
Employee information including your name, company email, company name, company website URL.
Account information including username and password.
Correspondence, which may include any Personal Data provided during an email correspondence or customer service engagement.
Billing and administrative finance information.
Information about how our Customers use our Website and Service, including time spent on our applications, behavioral activity, and metadata associated with software interactions.
Metadata and analytics for your use of our Website and Service, including IP address, device information, date/time of visits, new or returning visits, products viewed, page response times, URL clickstreams, how long you stay on our pages, what you do on those pages.
We may use cookies, beacons, pixel tags, and other similar technologies to collect additional information automatically as you interact with the Website and Service and to personalize your experience. Learn more about our cookie use below.
When you interact with our brand or community forums on a social media platform, we may collect certain information that you or the platform make available to us such as Website metadata analytics, your social media account ID, your social media 'likes', click-throughs to our Website, or custom interactions.
Personal Data we process as a processor on behalf of Customers:
Customers may configure the Service, including the Agent, to collect data from their own environments ("Customer Data") or manually upload the Customer Data to the Service. Customer Data is generally controlled by the Customer, and Surge processes it only as a processor on the Customer's behalf. Depending on how the Customer configures the Service, Customer Data may include:
Network identifiers such as IP addresses and device identifiers associated with Customer-managed endpoints or systems.
Account information including username.
Limited metadata about devices or systems (for example, hostnames or user or asset identifiers) that may incidentally relate to an identifiable person.
Any additional Personal Data that the Customer chooses to include in Customer Data when using the Service.
How We Use Personal Data
Subject to the terms of our Customer agreements, we may use Personal Data for the following purposes:
To provide our Website and Service.
Customer support, including email and chat.
To process payments securely.
To improve our Website and Service.
To send our Customers marketing and promotional communications in accordance with individual marketing preferences.
To authenticate, verify or otherwise ensure compliance with Customer written instructions or to mitigate the risk of fraud.
To ensure our Service is serving its intended purposes and for product improvements.
For any legal purpose necessary, including IP protection, or if Surge is required to process information as a result of a court order or other legal or regulatory proceeding.
How We Disclose Personal Data
We may disclose information to select vendors in order to:
Provide customer support, including payments (through Stripe, subject to their privacy policy), call centers, and email service providers.
Manage our customer relationship management systems.
Engage with customers or prospects through various social media platforms.
Manage and optimize our Website and Service.
Process payments.
In addition, we may disclose information in order to: protect the legal rights of our company, our employees, our agents, and our affiliates; protect the safety and security of those who access and use our Service; detect and protect against fraud; comply with law or legal process; and complete a legal transaction related to the sale of our business or any assets.
Surge may disclose aggregate or anonymous information for any purpose. This means that the information we disclose does not identify specific individuals and, to protect your privacy, is not combined with other data.
Privacy Choices
We provide you with the following choices regarding our use of your Personal Data:
Access the Personal Data we maintain about you.
Delete the Personal Data we maintain about you.
Correct inaccurate Personal Data we maintain about you.
Export your data. You may request a copy of your data in a structured, commonly used, machine-readable format (JSON) through the account settings page in the Service or by emailing privacy@surge.security. Exports are provided within thirty (30) days of the request.
Delete your account. You may request complete deletion of your account and all associated data through the account settings page in the Service or by emailing privacy@surge.security. Upon deletion, all Customer Data will be permanently removed within thirty (30) days, except for billing and tax records which may be retained for up to seven (7) years as required by law, and anonymized aggregate data.
Opt out of certain uses of your Personal Data, notably: Marketing Emails; Tailored advertising using cookies (you may reject or delete cookies through your browser settings).
If we process your Personal Data as a controller, you can exercise these rights by contacting us at privacy@surge.security.
When we process Personal Data on behalf of a Customer as a processor (for example, Personal Data contained in Customer Data collected through the Service or Agent), we generally do so only on the Customer's instructions. In those cases, we may be legally required to forward your request to the relevant Customer or ask you to contact that Customer directly to exercise your privacy rights, because the Customer is the controller of your Personal Data.
Cookies and Other Tracking Technology
We may use cookies, embedded scripts, and other similar tracking technologies ("Tracking Technologies") to collect additional personal data automatically as you interact with the Website and the Service. These technologies help us recognize you, customize or personalize your experience, market additional products or services to you, and analyze the use of our Service to make it safer and more useful to you.
Cookies: We use first-party and third-party cookies for the following purposes: to make our Website function properly, to improve our Website and Service, to make login easier, to recognize you when you return, to track your interaction with the Website, to enhance your experience, to remember information you have already provided, to collect information about your activities over time and across third party websites or other online services in order to deliver content tailored to your interests, and to provide a secure browsing experience. Session cookies stay on your device until you stop browsing. Persistent cookies stay on your device until they expire or are deleted.
Changing Your Cookie Settings: Most browsers allow you to block or delete cookies. If you disable necessary cookies, you may be unable to use certain features of the Website or the Service. Where required by law, we will request your consent before installing non-essential cookies.
Google Analytics: We currently use Google Analytics on our Website and within our web-based Service to understand how visitors interact with our pages, features and content. You can prevent Google Analytics from collecting your data by installing the opt-out browser add-on available at https://tools.google.com/dlpage/gaoptout.
Product Analytics and Operational Data: We may collect product-usage information (such as feature usage, event logs, performance metrics, and session duration) to operate, secure, and improve the Service.
Email Analytics: We may use email-analytics tools to understand whether emails sent through or relating to the Service are delivered, opened, or interacted with. You may opt out of email engagement tracking by disabling images in your email client or contacting us at privacy@surge.security.
Security
We maintain reasonable safeguards to protect against unauthorized access, use, modification, and disclosure of Personal Data in our custody and control.
In the event of a confirmed unauthorized access to or disclosure of personal information in Surge's custody or control, Surge will notify affected Customers without undue delay and no later than seventy-two (72) hours after confirmation, to the extent practicable and as required by applicable law.
Despite our efforts, we cannot guarantee that unauthorized access or use will never occur. It is important that you take steps to keep your information safe and secure.
Retention
We will retain your information for as long as your customer account or inquiry is active or as needed to provide you with the Website or any requested services, and for a reasonable time thereafter in accordance with our standard procedures or as necessary to comply with our legal obligations, to resolve disputes, and to enforce our agreements.
Specific retention periods include:
Account Deletion: Upon a valid account deletion request, all Customer Data will be permanently deleted within thirty (30) days.
Billing and Tax Records: May be retained for up to seven (7) years after account closure as required by applicable tax and financial regulations.
Anonymized Data: Aggregated and anonymized data that does not identify any individual or Customer may be retained indefinitely.
Legal Holds: Information subject to a valid legal hold, litigation, regulatory investigation, or other legal process may be retained for the duration of such hold or process.
U.S. State-Specific Notice
Some U.S. states have enacted comprehensive privacy laws, including the CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, OCPA, TXDPSA, MTCDPA, IACDPA, DEPDPA, NEDPA, NHPA, NJDPA, TNIPA, MNCDPA, MDODPA, INCDPA, KYCDPA, and RIDTPPA. These laws create additional privacy obligations for businesses and provide their residents with additional privacy rights.
Additional Privacy Rights: If you are a resident of the above states, you may have the right to opt out of the 'sale' or 'share' of your Personal Data for the purpose of targeted advertising. We do not 'sell' or 'share' your Personal Data for monetary benefit. However, some third party cookies placed on our Website may be considered a 'sale' or 'share' under these privacy laws. You can exercise these rights by emailing us at privacy@surge.security.
EEA/UK Notice
The European Economic Area ("EEA") and the United Kingdom ("UK") have each enacted privacy laws. The European Union's ("EU") and the UK's General Data Protection Regulation (collectively, the "GDPR") provide EU and UK residents with additional privacy rights.
Legal Basis: Under the GDPR, we process personal data under the following legal bases:
Providing and improving the Website and Service: Contract Fulfillment, Legitimate Interest.
Payment processing: Contract Fulfillment.
Customer Support: Contract Fulfillment.
Ensure compliance with written instructions and mitigate risk of fraud: Contract Fulfillment, Legitimate Interest.
Product or Service-Related Communications to Customers: Contract Fulfillment, Legitimate Interest.
Placement of cookies on our Website: Consent.
Marketing and promotional communications: Legitimate Interest.
Cross-Border Data Transfers: If you are a resident of the EEA, UK, or Switzerland, we may transfer the data we collect about you to, and store it in, countries other than the country in which the data was originally collected, including the United States. We rely on Standard Contractual Clauses ("SCCs") for the transfer of personal data to countries that have not received an applicable adequacy decision and, where applicable, the UK's International Data Transfer Addendum to the SCCs. For more information on cross-border transfers, contact us at privacy@surge.security.
Additional Rights for UK or EEA Residents:
Right to Erasure (Article 17): You may request deletion of your personal data through the self-service account deletion feature in the Service's account settings or by emailing privacy@surge.security. We will process your request within thirty (30) days.
Right to Data Portability (Article 20): You may request a copy of your personal data in a structured, commonly used, machine-readable format through the self-service data export feature or by emailing privacy@surge.security. We will provide the export within thirty (30) days.
You also have the right to lodge a complaint against us with your local data protection authority. You can find your data protection authority at https://edpb.europa.eu/about-edpb/about-edpb/members_en.
Children's Privacy
We do not intentionally collect any Personal Data from children under the age of 16. If you believe we have obtained Personal Data associated with children under the age of 16, please contact us at privacy@surge.security and we will delete it.
Third-Party Links
The Website and Service may contain links to other sites. Please be aware that we are not responsible for the content or privacy practices of such other sites. We encourage our users to be aware when they leave our sites and to read the privacy statements of any other site that collects personally identifiable information.
We strongly recommend that you do not share any sensitive, confidential, or security-related information through third-party platforms.
Governing Law
All disputes arising out of or relating to the Privacy Policy or the purchase, registration, or use of any Surge product or Service shall be governed by Delaware law regardless of where you access the Website or the Service, and notwithstanding any conflicts of law principles.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time as we update or expand our Website and/or Service. If we make material changes, we will post the updated Privacy Policy on this page with a 'Last Updated' effective date of the revisions. We encourage you to look for updates and changes to this Privacy Policy by checking this page when you access our Website or Service.
Contact Us
If you have any questions about our privacy or security practices, or if you are a Surge Customer and would like to request access to or correction of your Personal Data, you can contact us by email at privacy@surge.security or at:
Surge Security, Inc.
3790 El Camino Real #1173
Palo Alto, CA 94306
United States
