CelerData's Security and Privacy Statement
Effective Date: September 26th, 2024
Table of Contents
- Introduction
- Security Controls
- Data Protection
- Product Security
- Enterprise Security
- Vendor Security
- Privacy Practices
- Data Protection Officer
- How we collect and use (process) your personal information
- Legal Basis for Use of Your Information
- Use of the CelerData.com website
- Cookies and tracking technologies
- Use of the CelerData services
- When and how we share information with third parties
- Transferring personal data to the U.S.
- Data Subject rights
- Security of your information
- Data storage and retention
- Children's rights
- Data privacy framework
- Questions, concerns, or complaints
Introduction
CelerData is a unified analytics platform that delivers timely insight to all stakeholders inside and outside the enterprise. Built on the open source database StarRocks, CelerData performs 3 to 5 times faster than other solutions and reduces operating costs by up to 80%. Over 300 enterprise customers choose CelerData as their analytics platform, and hundreds of developers worldwide are actively working on the StarRocks project led by CelerData. CelerData is headquartered in Menlo Park, CA, in the United States.
Security and privacy are at the core of what we do at CelerData because we understand that trusting us with your data is a privilege. The team at CelerData has established policies and controls, monitors compliance, and demonstrates our commitment to security and privacy compliance through third-party audits. Additionally, CelerData understands that you are aware of and care about your own personal privacy interests, and we take that seriously.
Our policies are based on the following principles:
- Access should be limited to only those with a legitimate business need and granted based only on the need to provide the best possible service to our clients and customers.
- Privacy and security controls are applied consistently across all areas of the company.
- Controls should be implemented, practiced, audited, and revised to demonstrate the worthiness of your trust in CelerData in addition to the ever-changing technology landscape.
As we undertake new data practices or adopt new privacy and security policies, we will from time to time update this page.
Security Controls
CelerData has a multi-pronged approach to our security controls, which includes data protection, product security, enterprise security, vendor reviews and privacy practices.
We maintain SOC 2 Type I and Type II attestation in partnership with our auditing firm, Prescient Assurance, LLC, which completes annual audits. CelerData's business operations are global, and therefore we also comply with international controls, including compliance with GDPR standards, verified by our EU/UK rep at GDPR Local. The team at CelerData continues to expand our controls as we grow as an organization.
Data Protection
CelerData is built on data, and our customers trust us with access to their data, so we take the following steps to protect data.
- Data at rest - All datastores with customer data are encrypted at rest following AWS Key Management System (KMS) best practices.
- Data in transit - CelerData uses TLS 1.2 or higher everywhere data is transmitted over potentially insecure networks. We also use features such as HSTS (HTTP Strict Transport Security) to maximize the security of our data in transit. Server TLS keys and certificates are managed by AWS and deployed via Application Load Balancers.
- Secret management - Encryption keys are managed via AWS KMS. KMS stores key material in Hardware Security Modules (HSMs), which prevents direct access by any individuals, including employees of Amazon and CelerData. The keys stored in HSMs are used for encryption and decryption via Amazon’s KMS APIs. Application secrets are encrypted and stored securely via AWS Secrets Manager and Parameter Store, and access to these values is strictly limited.
Product Security
To ensure product security, we have engaged Kobalt.io to conduct annual penetration testing with follow-up retesting to ensure any documented incidents have been resolved in a timely manner. CelerData's commitment includes vulnerability scanning at each step of the product lifecycle, which includes:
- Static analysis (SAST) testing of code during pull requests and on an ongoing basis
- Software composition analysis (SCA) to identify known vulnerabilities in our software supply chain
- Malicious dependency scanning to prevent the introduction of malware into our software supply chain
- Network vulnerability scanning on a periodic basis
- External attack surface management (EASM) continuously running to discover new external-facing assets
Enterprise Security
CelerData values the importance of our employees and their commitment to security. As an organization, we have the following in place for our team:
- All employees are required to undergo annual security training, security policy reviews, and up-training when any new threats are identified. This training is maintained by Hook Security in conjunction with Kobalt.io.
- All corporate devices are centrally managed and are equipped with MDM software and anti-malware protection. Endpoint security alerts are monitored continuously. We use MDM software to enforce secure configuration of endpoints, such as disk encryption, screen lock configuration, and software updates.
- CelerData uses Rippling to secure our identity and access management.
- Employees are granted access to applications based on their role, and automatically deprovisioned upon termination of their employment. Further access must be approved according to the policies set for each application.
Vendor Reviews
CelerData uses a risk-based approach to vendor security that includes review of vendor security and compliance audits and/or attestations. Factors which influence the risk rating of a vendor include:
- Access to customer and corporate data
- Integration with production environments
- Potential damage to our brand and our customers
Once the risk review has been conducted, the vendor is assigned a security risk rating and review frequency.
Copies of our most recent SOC 2 audit and penetration testing results can be requested by contacting Alyssa King at alyssa.king@celerdata.com.
Privacy Practices
This Privacy Notice describes CelerData's policies and practices regarding its collection and use of your personal data, and sets forth your privacy rights.
Data Protection Officer
CelerData has appointed an internal data protection officer for you to contact if you have any questions or concerns about CelerData’s personal data policies or practices. If you would like to exercise your privacy rights, please direct your query to CelerData’s data protection officer. CelerData’s data protection officer’s name and contact information are as follows:
Alyssa King
101 Jefferson Dr
Suite 230
Menlo Park, CA 94025
alyssa.king@celerdata.com
650.609.2009
Our EU Representative:
Under Article 27 of the GDPR, we have appointed an EU Representative to act as our data protection agent. Our nominated EU Representative is: Instant EU GDPR Representative Ltd.
Adam Brogden contact@gdprlocal.com
Tel +35315549700
INSTANT EU GDPR REPRESENTATIVE LTD
Office 2,
12A Lower Main Street, Lucan Co. Dublin
K78 X5P8
Ireland
Our UK Representative:
Under Article 27 of the UK Data Privacy Act, we have appointed a UK Representative to act as our data protection agent. Our nominated UK Representative is: GDPR Local Ltd.
Adam Brogden contact@gdprlocal.com
Tel +44 1772 217800
1st Floor Front Suite
27-29 North Street, Brighton
England
How we collect and use (process) your personal information
CelerData collects personal information about its website visitors and customers. With a few exceptions, this information is generally limited to:
- name
- job title
- employer name
- work address
- work email
- work phone number
We use this information to provide prospects and customers with services.
While the information above is, in most cases, collected directly, CelerData also collects additional data via cookies and tracking codes on our domains with Google Analytics, Microsoft Clarity, and HubSpot. All of this data is collected via tracking codes and Google Tag Manager tags deployed across our domains. This data can be combined with the data listed above that has been directly provided. Data that can be collected includes:
- Specific webpage visits
- Content downloaded from our website
- Geographic and regional location based on IP
- Time on CelerData webpages
- Clicks on links on our website
- Mouse scrolls
- Keystrokes in search fields
- Conversations that take place using CelerData.com's chatbot
For more information on cookies and tracking used by these services we employ, use the links below:
Google Analytics: https://business.safety.google/adscookies/
Microsoft Clarity: https://learn.microsoft.com/en-us/clarity/setup-and-installation/cookie-list
We do not sell personal information to anyone and only share it with third parties who are facilitating the delivery of our services.
From time to time, CelerData receives personal information about individuals from third parties. Typically, information collected from third parties will include further details on your employer or industry. We may also collect your personal data from a third-party website (e.g. LinkedIn).
Legal Basis for Use of Your Information
The information we collect listed above is processed under the following legal basis: CelerData's legitimate interests. This includes:
- To enable CelerData to provide our products and services to you
- For marketing to customers, users, and subscribers, to inform them of new product updates, company activities, and to follow up with contacts who have requested outreach from us or in situations where a user's interaction with our product demands we communicate with them (such as signing up for our SaaS product)
- For analytics, to gather metrics to better understand how users use CelerData's Sites, to evaluate and improve CelerData's Sites, and to provide CelerData's users with this information, where applicable
- To prevent fraud and other illegal activity
- The legitimate interests of others (for example, to ensure the security of our website)
- To comply with legal obligations, as part of our general business operations, and for other internal business administration purposes
Contractual obligations. For the performance of contractual obligations between you and CelerData, including CelerData's Terms of Use.
Consent. Where required by law, we may process your personal information in some cases for marketing purposes on the basis of your consent (which you may withdraw at any time after giving it, as described in this privacy policy). Otherwise, email communication will be sent on an opt-out basis to any recipient who has registered or signed up to CelerData's services and did not opt out.
Use of the CelerData Website
As is true of most other websites, CelerData’s website collects certain information automatically and stores it in log files. The information may include internet protocol (IP) addresses, the region or general location where your computer or device is accessing the internet, browser type, operating system and other usage information about the use of CelerData’s website, including a history of the pages you view. We use this information to help us design our site to better suit our users’ needs. We may also use your IP address to help diagnose problems with our server and to administer our website, analyze trends, track visitor movements, and gather broad demographic information that assists us in identifying visitor preferences.
For more information on how we use cookies to collect this information, please review our CelerData Cookie Policy here: https://celerdata.com/celerdata-cookie-policy
CelerData has a legitimate interest in understanding how members, customers and potential customers use its website. This assists CelerData with providing more relevant products and services, with communicating value to our sponsors and corporate members, and with providing appropriate staffing to meet member and customer needs.
Sharing information with third parties
The personal information CelerData collects from you is stored in one or more databases hosted by third parties located in the United States. These third parties do not use or have access to your personal information for any purpose other than cloud storage and retrieval. On occasion, CelerData engages third parties to send information to you, including information about our products, services, and events.
We do not otherwise reveal your personal data to non-CelerData persons or businesses for their independent use unless: (1) you request or authorize it; (2) it’s in connection with CelerData-hosted and CelerData co-sponsored conferences as described above; (3) the information is provided to comply with the law (for example, compelled by law enforcement to comply with a search warrant, subpoena, or court order), enforce an agreement we have with you, or to protect our rights, property or safety, or the rights, property or safety of our employees or others; (4) the information is provided to our agents, vendors or service providers who perform functions on our behalf; (5) to address emergencies or acts of God; or (6) to address disputes, claims, or to persons demonstrating legal authority to act on your behalf. We may also gather aggregated data about our services and website visitors and disclose the results of such aggregated (but not personally identifiable) information to our partners, service providers, advertisers, and/or other third parties for marketing or promotional purposes. CelerData maintains liability in cases of onward transfers to third parties when individuals have made requests regarding the usage and distribution of their data.
CelerData uses HubSpot, Google Analytics, and Microsoft Clarity to collect information about how users interact with our website and services. This may include personally identifiable information such as name, email address, country, and state. If you choose to share information from CelerData through these services, you should review the privacy policy of that service. If you are a member of a third-party service, the aforementioned connections may allow that service to connect your visit to our site to your personal data.
Transferring personal data to the U.S.
CelerData has its headquarters in the United States. Information we collect about you will be processed in the United States. By using CelerData’s services, you acknowledge that your personal information will be processed in the United States. The United States has not sought nor received a finding of “adequacy” from the European Union under Article 45 of the GDPR. Pursuant to Article 46 of the GDPR, CelerData is providing for appropriate safeguards by entering binding, standard data protection clauses, enforceable by data subjects in the EEA and the UK. These clauses have been enhanced based on the guidance of the European Data Protection Board and will be updated when the new draft model clauses are approved.
Depending on the circumstance, CelerData also collects and transfers to the U.S. personal data with consent; to perform a contract with you; or to fulfill a compelling legitimate interest of CelerData in a manner that does not outweigh your rights and freedoms. CelerData endeavors to apply suitable safeguards to protect the privacy and security of your personal data and to use it only consistent with your relationship with CelerData and the practices described in this Privacy Statement. CelerData also enters into data processing agreements and model clauses with its vendors whenever feasible and appropriate. Since it was founded, CelerData has received zero government requests for information.
For more information or if you have any questions, please contact us at privacy@CelerData.com
Security of your information
As a company, we are dedicated to safeguarding the personal data of our customers and employees. In accordance with this commitment, we comply with the principles of the General Data Protection Regulation (GDPR) when collecting, utilizing, and handling personal data. This includes adherence to principles of legality, fairness, and transparency; limiting data collection to specific purposes; minimizing the amount of data collected; ensuring accuracy; limiting data storage; maintaining integrity and confidentiality; and being accountable for data protection. In order to protect your data, CelerData has taken several steps to ensure compliance with globally-recognized security best practices and has adopted additional security measures and tools to ensure a more robust level of protection around your data. This includes:
- Requiring two-factor authentication for user accounts that have access to customer and user data.
- SOC 2 Type I certification and continued compliance.
- Annual security training for all CelerData employees.
- Required security software installed on all work machines used to access customer and user data.
- Granular access to customer and user data assigned to CelerData employees based on the requirements of their role.
- Only partnering with vendors that help handle customer and user data who are GDPR compliant and who have passed any relevant security certifications.
Data subject rights
The European Union’s General Data Protection Regulation (GDPR) and other countries’ privacy laws provide certain rights for data subjects. Data Subject rights under GDPR include the following:
- Right to be informed
- Right of access
- Right to rectification
- Right to erasure
- Right to restrict processing
- Right of data portability
- Right to object
- Rights related to automated decision making including profiling
This Privacy Notice is intended to provide you with information about what personal data CelerData collects about you and how it is used.
If you wish to confirm that CelerData is processing your personal data, or to have access to the personal data CelerData may have about you, please contact us.
You may also request information about: the purpose of the processing; the categories of personal data concerned; who else outside CelerData might have received the data from CelerData; what the source of the information was (if you didn’t provide it directly to CelerData); and how long it will be stored. You have a right to correct (rectify) the record of your personal data maintained by CelerData if it is inaccurate. CelerData will make a concerted effort to limit the use and disclosure of personal data upon request of the individual. You may request that CelerData erase that data or cease processing it, subject to certain exceptions. You may also request that CelerData cease using your data for direct marketing purposes. In many countries, you have a right to lodge a complaint with the appropriate data protection authority if you have concerns about how CelerData processes your personal data. When technically feasible, CelerData will—at your request—provide your personal data to you.
Reasonable access to your personal data will be provided at no cost. If access cannot be provided within a reasonable time frame, CelerData will provide you with a date when the information will be provided. If for some reason access is denied, CelerData will provide an explanation as to why access has been denied.
For questions or complaints concerning the processing of your personal data, you can email us at privacy@CelerData.com. Alternatively, if you are located in the European Union, you can also have recourse to the European Data Protection Supervisor or with your nation’s data protection authority.
Data storage and retention
Your personal data is stored by CelerData on its servers, and on the servers of the cloud-based database management services CelerData engages, located in the United States. CelerData retains service data for the duration of the customer’s business relationship with CelerData and for a period of time thereafter, to analyze the data for CelerData’s own operations, and for historical and archiving purposes associated with CelerData’s services. CelerData retains prospect data until such time as it no longer has business value and is purged from CelerData systems. All personal data that CelerData controls may be deleted upon verified request from Data Subjects or their authorized agents. For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact us at: privacy@CelerData.com
Children’s data
We do not knowingly attempt to solicit or receive information from children.
The Children's Online Privacy Protection Act ("COPPA") protects the online privacy of children under 13 years of age. We do not knowingly collect or maintain Personally-Identifying Information from anyone under the age of 13, unless or except as permitted by law. Any person who provides Personally-Identifying Information through our Website represents to us that he or she is 13 years of age or older. If we learn that Personally-Identifying Information has been collected from a user under 13 years of age on or through our website, then we will take the appropriate steps to cause this information to be deleted.
If you are the parent or legal guardian of a child under 13 who has signed up on CelerData's website or has otherwise transferred Personally-Identifying Information to CelerData, please contact us using our contact information below to have that child's account terminated and information deleted.
Data Privacy Framework
CelerData complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. CelerData has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. CelerData has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.
To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/. CelerData is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, CelerData commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact CelerData at privacy@celerdata.com. Under certain conditions, individuals may invoke binding arbitration by delivering notice to CelerData and following the procedures and subject to conditions set forth in Annex I of Principles.
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, CelerData commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC), with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.
Questions, concerns or complaints
If you have questions, concerns, complaints, or would like to exercise your rights, please contact us at:
CelerData Inc
101 Jefferson Dr
Suite 230
Menlo Park, CA 94025
United States
privacy@celerdata.com
https://celerdata.com/contact-celerdata
650.609.2009
If you remain dissatisfied, you can make a complaint about the way we process your personal information to the supervisory authority