Privacy

Last Modified: July 19, 2024

This Privacy Data Sheet describes the processing of personal data (or personally identifiable information) by Proof+Geist.

Ottomatic is a cloud hosting and services platform made available by Proof+Geist to companies or persons who acquire it for use by their authorized users. Proof+Geist will process personal data from Ottomatic in a manner that is consistent with this Privacy Data Sheet. In jurisdictions that distinguish between Data Controllers and Data Processors, Proof+Geist is the Data Controller for the personal data processed to administer and manage the customer relationship. Proof+Geist is the Data Processor for the personal data processed by OCC in order to provide its functionality.

This is an addendum to the Proof+Geist master privacy policy.

Overview of Ottomatic Capabilities 

Ottomatic is a cloud-based management platform that provides customers with management features and additional services to use in conjunction with Claris FileMaker Server Software as well as other types of servers. Ottomatic features include:

  • Deploy new Ottomatic servers with the click of a button.
  • Add servers from any cloud provider or even on-prem, for management.
  • Quick access buttons to launch OttoFMS and the FileMaker Admin Console.
  • Keep an eye on stats like CPU, Memory, Storage, and Network throughput.
  • Seamlessly deploy Single Sign-On and manage users and groups.
  • Quickly deploy Cloud Object Storage and connect it to your OttoFMS Offsite Backups.
  • Invite devs and colleagues to work in your OCC Org.

You may be asked to provide your personal data in order to use the service. The following paragraphs describe Proof+Geist’s processing of personal data in connection with the delivery of Ottomatic, and how it is secured in accordance with privacy principles, laws, and regulations. If you choose to use the Ottomatic services, you will need to disclose personal data to Proof+Geist. Proof+Geist will use your personal data consistent with this Privacy Data Sheet.

Note that this Privacy Data Sheet is a supplement to the Proof+Geist Privacy Statement.

Please see the following link for more details on Ottomatic: https://www.ottomatic.cloud/cloud-console.

The following paragraphs describe which personal data OCC processes to deliver its services, the location of that data, and how it is secured in accordance with privacy principles, laws, and regulations.

Personal Data Processing

The table below lists the personal data used by OCC to carry out the services and describes why we process that data.

 

Personal Data Category: End-User Registration/Authentication Information

Types of Personal Data:

  • Username
  • Full Name
  • Telephone number
  • Email address
  • Organization name

Purpose of Processing:

  • Account creation and activation
  • Service authentication and login
  • Deliver, support, improve security functionality, upgrade and improve the services

Personal Data Category: Administrator Registration Information

Types of Personal Data:

  • Name
  • Username
  • Telephone number
  • Email address
  • Billing and delivery address
  • One-way hashed representations of password(s) for the OCC Administrator Panel
  • Job title
  • Organization name

Purpose of Processing:

  • Account creation and activation
  • Service authentication and login
  • Sending communications to you, including for marketing or customer satisfaction purposes, either directly from Proof+Geist or from our partners
  • Deliver, support, improve security functionality, upgrade and improve the service

Personal Data Category: End-User On-Prem Server Metadata

Types of Personal Data:

  • Server operating system
  • Otto version
  • Otto port
  • Otto API Key
  • FileMaker server version
  • The server’s fully qualified domain name
  • SSL Certificate Expiration Date
  • Broad geographic area (country or city-level location)

Purpose of Processing:

  • Provide and maintain the services
  • Improve user experience
  • Improve security functionality
  • Improve quality of the services
  • Ensure secure devices and/or applications
  • Verifying server is secure
  • Authenticate server
  • Conduct statistical analysis with pseudonymized and/or aggregate usage data to improve the services

Personal Data Category: End-User Ottomatic Managed Services Metadata

Types of Personal Data:

  • Server operating system
  • Otto version
  • Otto port
  • Otto API Key
  • FileMaker server version
  • The server’s fully qualified domain name
  • SSL Certificate Expiration Date
  • Broad geographic area (country or city-level location)
  • Security and Access Keys/Tokens

Purpose of Processing:

  • Provide and maintain the services
  • Improve user experience
  • Improve security functionality
  • Improve quality of the services
  • Ensure secure devices and/or applications
  • Verifying server is secure
  • Authenticate server
  • Conduct statistical analysis with pseudonymized and/or aggregate usage data to improve the services
  • Prevent, detect, respond and protect against potential or actual claims, liabilities, prohibited behavior, security risks, and criminal activity

Personal Data Category: Events and Usage Data

Types of Personal Data:

  • How end-users access the services
  • Dates and times of access
  • IP address for determining where the services are accessed
  • Site events (e.g., crashes, system activity, API errors)

Purpose of Processing:

  • Provide and maintain the services
  • Improve user experience
  • Improve security functionality
  • Improve quality of the services
  • Conduct statistical analysis with pseudonymized and/or aggregate usage data to improve the services
  • Prevent, detect, respond and protect against potential or actual claims, liabilities, prohibited behavior, security risks, and criminal activity

Personal Data Category: Authentication and Activity Logs

Types of Personal Data:

  • Which end-users access the services
  • Time when the services are accessed
  • End-user IP address when accessing the services

Purpose of Processing:

  • Provide and maintain the services
  • Improve user experience
  • Improve security functionality
  • Improve quality of the services
  • Conduct statistical analysis with pseudonymized and/or aggregate usage data to improve the services
  • Prevent, detect, respond and protect against potential or actual claims, liabilities, prohibited behavior, security risks, and criminal activity

 

Access by Proof+Geist Employees

On-Prem and Other Cloud Servers

Employees of Proof+Geist do not have access to end-user servers or databases. The Ottomatic Cloud Console stores a key, which the end-user can revoke through the OttoFMS or Otto interface, and API access is securely proxied using that key.

Ottomatic Managed Services

Employees do have access to Ottomatic managed services in order to provide support and monitoring. End-users give us permission to access Ottomatic Managed Services for support, or if we are required to access them as part of an active abuse or fraud investigation or where access is necessary to comply with a valid legal process.

Cross-Border Data Transfer Mechanisms

Proof+Geist’s support staff throughout the world may have access to personal data stored in the United States or elsewhere. Additionally, certain personal data (e.g. phone numbers) may be transferred across borders to Proof+Geist’s third party vendors for purposes related to providing the Services, such as sending text messages with authentication codes or making automated VOIP-based calls that verify logins wherever the end-user is located.

Personal Data Security

Proof+Geist has implemented appropriate technical and organizational measures designed to secure personal data from accidental loss and unauthorized access, use, alteration, and disclosure. Our datacenter & cloud provider offers robust controls to maintain security and data protection. Physical security controls include, but are not limited to, perimeter controls such as fencing, walls, security staff, video surveillance, intrusion detection systems, and other electronic means. More information can be requested by contacting support@proofgeist.com and signing an NDA.

Proof+Geist uses multiple techniques to protect customer data, including, but not limited to: network segmentation between datastores and other components of the Ottomatic platform, least privilege access to datastores based upon roles or responsibilities, and hardening of production assets to minimize attack surface.

Information Security Incident Management

Breach and Incident Notification Processes

The Information Security team within Proof+Geist coordinates the Data Incident Response Process and manages the platform-wide response to data-centric incidents. The Incident Commander directs and coordinates Proof+Geist’s response, leveraging diverse teams including the Ottomatic Security Incident Response Team (OSIRT) and the Proof+Geist Security Incident Response Team (PGSIRT).

Proof+Geist’s security team, in collaboration with the Ottomatic OSIRT team, manages the receipt, investigation, and public reporting of security vulnerabilities related to Proof+Geist products and networks. The team works with Customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Proof+Geist products and networks.