Here at JEM, your privacy is important to us and this policy provides an overview of how we employ, disclose, and process your personal data and Credentials.
Depending on the way in which your JEM installation is configured, JEM devices, applications, databases or servers may use, collect or store some combination of three kinds of user information:
- Encrypted Customer Vault Data
- Customer Account and Service Data
- Biometric Data
We strive to handle all data securely and with respect for your privacy and data confidentiality. The specific ways in which we treat and use each type of data are described below.
The services that JEM provides are made possible by data you store in an encrypted JEM Vault (“Encrypted Customer Vault Data”). This includes data about your login credentials that you enter into your JEM Vault manually, through the JEM Import feature, or automatically using one of various JEM Extensions for supported web browsers. Encrypted Customer Vault Data includes information such as Usernames and Passwords (together called “Credentials”), as well as the domains or websites to which these usernames and credentials pertain, e.g., google.com. Credentials stored in the JEM Password Manager Software are encrypted in such a manner that we are not capable of decrypting or deciphering them, even when they are stored in our systems. The cryptographic keys required for decrypting these Credentials remain always and solely in your possession and under your control. We do not have any way of accessing, viewing, using or providing decrypted Credentials on our systems. Your passwords that are stored in encrypted form in your JEM Vault can only be decrypted when:
1. You present your biometric data (e.g., your registered fingerprint) to your JEM device when prompted to do so by a computer that you have previously paired to that JEM, OR
2. You present your biometric data (e.g., your fingerprint or an image of your face) when prompted to do so by the JEM app on your supported mobile device or tablet, OR
3. You supply your Administrative Access Key to a JEM client app when prompted.
We never receive or store unencrypted Credentials on our systems. Information on the Domains for which you have stored Credentials in your JEM Vault is stored in unencrypted form on your devices and in our systems. Regardless of how it is stored, Encrypted Customer Vault Data belongs to the customer. We claim no rights to it beyond those necessary to provide services to you. You may add, modify, and delete Encrypted Customer Vault Data whenever you wish. If you do not wish to provide Encrypted Customer Vault Data to us, do not enter data into a JEM Vault; without such a Vault, you cannot provide us with Credential Vault Data. Please note that JEM has NO WAY to recover or restore your Credential Vault Data should you lose access to all your paired and personalized JEM devices and JEM Authenticator apps, and your Administrative Access Key. Store your Administrative Access Key in a safe place, e.g., with other critical and sensitive documents such as passports.
Your purchase and use of JEM Products will naturally result in our collection of some Customer Account and Service Data about you. Customer Account and Service Data includes data elements such as your name, address, phone numbers, email address, payment credential(s) and device IDs. We collect and retain only enough Customer Account Data to fulfill your orders and provide ongoing services, support and, at your option, periodic updates from JEM or its partners and affiliates. This data is never used for any other purpose. Customer Account and Service Data is kept confidential. It is visible to our staff. We retain the right to hold and use Customer Account and Service Data to provide our services, troubleshoot problems, analyze the performance and demands on our services, and to provide our payment processors with the information they need to process payments.
JEM uses Biometric Data about you, e.g., your fingerprint, to secure your Credentials in your Encrypted Customer Vault Data. JEM generates and stores images of your fingerprint on your JEM device. This Biometric Data is generated and stored solely on your JEM device. Your Biometric Data never reaches our servers. JEM never extracts your Biometric Data from your JEM device. JEM also provides apps for mobile devices and tablets made by Apple, and in the future may provide apps for devices running Android as well. On such devices JEM apps do or will utilize biometric identity services provided by the device operating system (e.g., TouchID, FaceID). While we use the authentication and verification service provided by the device’s operating system, we do not seek or use your biometric data that may be stored on such devices.
We understand and accept our responsibility to protect Encrypted Customer Vault Data, Customer Account and Service Data and Biometric Data. We do not collect Biometric Data in any central repository – it is stored and used solely in your JEM devices, which should remain in your control at all times. Encrypted Customer Vault Data transmitted to and stored on our servers is encrypted using a Vault Encryption Token that is based on your Administrative Passphrase. JEM has no access to your Administrative Passphrase or the Vault Encryption Token, and will never request this information. This is meant to ensure that JEM will never have the information required to decrypt your Vault data, even when it is stored in our servers. Customer Account and Service Data is treated as confidential data. We limit access to Encrypted Customer Vault Data and Customer Account Data to authorized personnel with a need to access the data. Encrypted Customer Vault Data cannot be decrypted even by those who do have access to it, as we do not have access to the decryption key, which is and should remain solely in your possession and control.
All Encrypted Customer Vault Data and Customer Account and Service Data is held on servers located within the United States. JEM Encrypted Customer Vault Data and Customer Account and Service Data is available to members of our worldwide staff. We may allow you to use a third-party cloud storage solutions provider such as Google Drive and/or Dropbox. In such case, we shall only have and use the login data you provide us pursuant to the Terms of Service in order to interact with such third-party cloud storage service providers; such providers shall be responsible for the security and storage of your Credentials, as further described in the Terms of Service.
Our customer support and email services are hosted primarily in the United States. Any information you choose to send us through email or our customer support system may pass through and be stored on a variety of intermediate services.
We may use your contact information to communicate with you about your use of JEM Services, provide support, and send you other information such as product updates and announcements. You may choose to stop receiving communications from us, except certain important notifications such as billing and account security alerts.
When you create a JEM Profile you will receive or create a Secret Cloud Access Key and an Administrative Passphrase. Your Secret Cloud Access Key is specified by you or generated on your computer and your Administrative Passphrase is something you create yourself. For your protection, you should create a strong and unique Secret Cloud Access Key and an Administrative Passphrase that are not easily guessed by others. It is extremely important that you understand that anyone with both your Secret Cloud Access Key and your Administrative Passphrase can access your Secure Data. It is equally important that you keep a copy of these keys in a safe place for your own reference, because future access to your Secure Data depends on having access to BOTH your Secret Cloud Access Key and your Administrative Passphrase. We will not ask you for your Secret Cloud Access Key and your Administrative Passphrase, and you should never send either to us. Due to the nature of our design and the sensitivity of the information you entrust to us (even in encrypted form), it may not be possible for us to help you with certain customer service requests unless you are listed as an account owner and are communicating from your verified email address. In the event that you change your email address, it is very important that you update your email on your JEM account(s) or you may eventually lose access.
You have the right to know what we know about you and to see how that data is handled. You may request a screenshot of what we can see about you in our back office systems. However, to protect customer privacy, such requests must be carefully authenticated beyond demonstrating control of the customer’s email address. Disaster recovery and data availability requirements mean that JEM has a legitimate interest in maintaining secure and immutable backups. Erasure requests will leave those backups untouched, and we will only remove data from backups if legally compelled to.
Those under the age of 18 may not use the services without the consent or authorization of their parent or legal custodian. Family account organizers and team owners are responsible for that authorization when they add someone under the age of 18 to an account.
We will comply with applicable law with respect to providing Service Data and encrypted Secure Data to law enforcement agencies. If permitted, we will notify you of such a request and whether or not we have complied. Your Secure Data remains encrypted with keys which we do not possess, and so we can only hand over Secure Data in encrypted form.
If the confidentiality of customer data is breached, we recognize our responsibility to our customers and to the public to disclose the nature of the risk and provide a transparent account of the events without undue delay. At a bare minimum, we must inform the applicable supervisory authorities as required by law and regulation.