Frequently Asked Questions
Ping Identity has a comprehensive global privacy and security program to enable compliance with the GDPR and other applicable privacy laws worldwide. Our policies, procedures, and controls are designed to reflect fair information principles, such as collection limitation, data quality and purposes specification, and provide the foundation for our enterprise privacy and data protection program. Transparency and accountability are core to our program.
Ping Identity is a leading provider of enterprise identity and access management (IAM) products and related security solutions to large enterprises. Our products enable customers to provide secure access to their networks and systems for their employees and customers. Our products range from fundamental single sign-on solutions to fully orchestrated risk-based, adaptive authentication workflows that support different IAM use cases, such as fraud detection, identity proofing, and authorization.
In order to provide IAM services, personal data pertaining to our customers’ employees and/or customers may be routinely transferred to and processed by Ping Identity. This data is processed as needed to provide the services, verify and authenticate user identities, manage access rights and privileges, and for compatible security and access management purposes.
Ping Identity solutions generally only require non-sensitive data elements such as the person’s first and last name, title, position, employer, contact information (company, email, phone, physical business address), ID and device data, connection data, and localisation data. Some products provide customers and end users with the capability to process biometric data for authentication and multi-factor authentication:
For the PingID Service: The service itself does not process biometric data but does allow users to authenticate using the biometric capabilities of their devices (such as TouchID).
For the PingOne Verify Service: If implemented by our customer, biometric data (facial recognition) is processed for authentication. The end user uploads a photo to enable this functionality.
While Ping Identity primarily serves as a data processor for GDPR purposes, we do further process customer data as permitted by law for specific, limited internal business purposes, namely:
Detecting security breaches and protecting against malicious, deceptive, fraudulent, or illegal activity.
Debugging to identify and repair errors that impair intended functionality of our products and other activities needed to maintain the quality and/or safety of the products and platforms.
Internal operational activities, such as responding to data subject requests, making back-ups as part of disaster recovery/business continuity programs, and confirming usage quantities.
Processing required for legal or regulatory compliance.
The confidentiality, accuracy, integrity, and availability of the data we process is of paramount importance for Ping Identity. As a leader in the enterprise security industry, our products are engineered for unparalleled security. Comprehensive information about Ping Identity’s information security program can be found by viewing Security at Ping Identity and our Security Exhibit.
Ping Identity maintains SSAE18 SOC 2 and ISO/IEC 27001:2013 certifications. ISO 27001 is the international standard outlining best practices for information security management systems. Compliance with these standards demonstrates our commitment to a repeatable, continuously improving, risk-based security program. The management system was inspected by an independent third party accredited through the ANSI-ASQ National Accreditation Board (ANAB).
Ping Identity also uses strong encryption for data in transit and at rest to enhance the security and privacy of customer data.
Ping Identity’s IAM products and solutions have received numerous awards for IT security, API security, and platform excellence. A list of our awards is provided here.
Yes, Ping Identity uses strong encryption for data in transit and at rest to enhance the security and privacy of customer data.
Our security breach response program is designed to enable us to (1) detect possible security breaches, (2) mitigate risk of harm from the breach, and (3) comply with applicable laws and our contracts. As a processor, if we determined that a security breach impacted customer data, we would notify the customer without undue delay.
Yes, Ping Identity’s EEA affiliates have appointed a Data Protection Officer (DPO). Ping Identity’s DPO may be contacted via dpo_privacy@pingidentity.com.
In the event that we receive a request from an individual in our capacity as a processor, we would refer the individual to our customer.
Yes. Where we act as a data processor for customers, Ping Identity includes the mandatory terms in our contracts as required by the provisions of Article 28(3) of the GDPR. Our Customer Data Privacy Addendum (DPA) is available here. Legally mandated terms are also included in our contracts with our suppliers and service providers.
As detailed in our customer Data Privacy Addendum, when personal data is no longer necessary for the purposes set forth in the customer agreement, or at an earlier time if a customer requests it in writing, we will (at the customer’s request) either return the customer’s data to it or delete the customer’s data—except for backups and monitoring data, which will be deleted per Ping Identity’s data retention policy. Any Personal Data that is not immediately deleted will continue to be protected in accordance with GDPR and our DPA. Our Customer DPA can be found here.
Ping Identity is happy to help its customers complete DPIAs as required by law. As a practical matter, processing activities associated with our IAM services themselves are generally not “high risk” for users. As a processor, Ping Identity is not generally engaged in profiling, automated decision-making, or other activities that trigger DPIA requirements. Ping Identity may provide further information upon request.
Ping Identity has formal third-party risk management programs to manage risks associated with its third-party service providers. These programs include procedures for supplier qualification, contracting, ongoing oversight, and off-boarding at the end of the term. All suppliers that handle personal data are required to accept appropriate contract terms, and those that access EEA personal data are bound by contractual terms that reflect Article 28 of GDPR. A list of third-party processors that may have access to customer personal data is provided here.
Customer data is physically stored in Google Cloud Platform (GCP) and Amazon Web Services (AWS) secure data centers at the locations listed in our Data Supplement. Each customer selects its hosting region during implementation, and EEA/UK/Swiss customers may elect to have their data stored within the EEA, in the AWS colocation centers in Germany and Ireland. However, this data may be accessed remotely by Ping Identity workers as needed to provide the contracted services and 24/7 support. Remote access to EEA/UK/Swiss data may occur from the operations centers listed in our Data Supplement.
We generally use approved Standard Contractual Clauses such as the EU Standard Contractual Clauses approved by the European Commission (and the equivalent standard contractual clauses for the UK or Switzerland where appropriate) to assure that Personal Information is adequately protected when it is transferred out of the European Economic Area or Switzerland, but we may also make transfers to recipients with approved Binding Corporate Rules or other approved mechanism. We also participate in the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). Please see the Ping Identity Privacy Policy for additional information on our cross-border transfer safeguards.
Ping Identity has established guidelines related to Government Agency Requests for Personal Data. We also publish a detailed transparency report that summarizes any governmental requests for access to data using subpoenas, search warrants, court orders, national security requests, and international requests, along with the kind of reply provided, insofar as publication is allowed by local law.
No. Ping Identity has not received, and does not expect to receive, government agency requests for access to customer data. Ping Identity does not provide telecommunications or electronic messaging services. For purposes of clarity, some of our products allow customers to communicate with Ping Identity services as part of multi-factor authentication processes (such as text-to-verify). These features rely on third-party telecommunications providers (namely the user’s carrier or ISP), and these third parties may be subject to laws such as FISA. These features are optional, and the communications with Ping Identity services do not result in any processing of any sensitive data or other information that is likely to qualify as “foreign intelligence information” under 50 USC § 1801(e).
Ping Identity’s Policy and the current Transparency Report are available here.
Ping Identity has assessed the risks associated with cross-border transfers and we are happy to help customers document the appropriateness of allowing Ping Identity to process data in a non-adequate jurisdiction. We can provide additional information upon request.
We are always happy to receive privacy-related questions or comments. You can contact Ping Identity’s Global Privacy Office with any questions via email to privacy@pingidentity.com.