GDPR and Privacy
In May 2018 the EU General Data Protection Regulation (GDPR) replaces the existing patchwork of EU National Data Protection legislation and brings a level of consistency to data and privacy protection in the EU. Even prior to the implementation of GDPR, Arlo recognized the worldwide importance of privacy, security, and data protection to our customers, partners, and employees.
We have a cross-functional approach to privacy governance, which covers all areas of the company and includes customer, partner, and employee data. The legal, customer care, IT, HR and Engineering teams meet on a regular basis to help guide, design, and develop products and systems from the ground up to protect data and privacy. Arlo has a Board of Directors' Cybersecurity Committee that is tasked with the oversight and monitoring of Arlo's privacy and data security and regularly engages with outside experts regarding various privacy issues including privacy by design and encryption. Arlo has an active cybersecurity program and to make sure information is secure, we strictly enforce privacy safeguards within the company. This means we use access management and access controls commensurate with the risk to data to ensure access to data is associated with a business need, such as providing customers with support.
Specifically, as part of our EU General Data Protection Regulation (GDPR) work, we have assessed, and continue to assess, our major processes, products, and services. In particular, we have:
-Rewritten our privacy policy;
-Improved processes to help ensure data transparency, accuracy, accessibility, completeness, security, and consistency;
-Mapped our data and identified what we have, what we are doing with it, where it is, where it flows, and who has access to it;
-Assessed the privacy and data security risks and strengths in our enterprise systems and products;
-Implemented data incident response teams and processes;
-Implemented additional third-party controls, vendor oversight, monitoring, audit, and remediation requirements;
-Embedded privacy and security requirements in the product development cycle.
In addition, all Arlo employees are required to take training on Privacy and Security.
Finally, Arlo complies with all applicable laws that require notification about data security incidents. That means we conduct prompt investigations and analysis, so that we can provide notification in a timely manner if necessary. We are also committed to providing customers that have been impacted by an incident with appropriate assistance, which may include information about support from Arlo or advice on steps customers can take to reduce the risk of harm.
Other Arlo System Security Measures
Arlo wire-free cameras connect to the Arlo base station camera network using WiFI Protected Setup (WPS) and WPA2-AES data encryption. The WiFI connection is protected by a random, unique, long password that is not physically visible on the product. This password is programmed at the factory in the base station and re-generated upon factory-reset.
The base stations’ public WAN interface is wired to a home router using an Ethernet cable. The base stations never route unfiltered network traffic between the public interface and the internal camera network. In addition, the base stations do not have any active listening port on the public interface, further protecting it from LAN-based security threats.
Personal information: The data is collected in a secure fashion, and Secure Socket Layer (SSL) is used during the transportation of data. Accounts are authenticated using a secure login mechanism. We use one-way hashing in combination with salt for all passwords. Finally, we do not access or share any data unless required to by law or with your permission to help resolve system problems.
Payments: All supplied sensitive/credit information is transmitted via secure communication methods and then securely stored into our payment gateway provider’s database only to be accessible by those authorized with special access rights to such systems. The payment gateway provider must keep the information confidential. Arlo does not store payment information, instead such information is kept with our payment providers who are PCI compliant.
Audits Performed on Arlo
Independent internal audits from IT teams that are not part of product engineering include regular penetration testing and PCI compliance audits.
Arlo Subprocessors
What is a Subprocessor?
A subprocessor is an external service or provider used by Arlo to deliver our service to you. As part of that service delivery, we may be required to share personal information we have collected about you with these providers. Arlo subprocessors meet the requirements and obligations under GDPR.
Third parties (Subprocessors):
| Subprocessor | Processing Done Internally at Arlo or Externally at Subprocessor | Is data transferred out of the EU? If yes, where? | If data is transferred out of the EU', where is the data transferred? | Description of the purpose |
|---|---|---|---|---|
| Appsee | Internally at Arlo | US | US | Determines use behavior of Arlo Applications – Personal Information is anonymized. |
| Aria | Internally at Arlo | No, for EU customers | Bill Payments System for Subscriptions, Sales etc. | |
| Amazon Web Services | Externally at AWS | NO, for EU customers | Arlo uses to store/host/collect/manage Personal Information, including videos, or provide other infrastructure that helps with delivery of the Arlo Service. These are secure environments that are controlled by the Arlo team and are protected by Data Processing Agreements. | |
| Salesforce.com | May be External | Yes | Concentrix -Costa Rica, Philippines Convergys – Ireland, Poland CSS Corp – India, Philippines, United States Tech Mahindra – India Arlo -United States, Canada |
Support Services -3rd Pty Call Centre to manage Support calls – Personal Data may be received during these support calls |
| Salesforce.com Marketing Cloud (SFMC) | Internal | Yes -San Jose, California | US | Marketing Database used to marketing and promotion |
| Google Analytics | Internal | Yes -San Jose, California | US | Measures website and application data to gain use insight |
| Swrve | Internal | Yes -San Jose, California | US | Marketing engagement engine for mobile marketing |
Content Delivery Channels:
Arlo also uses certain providers to assist and support operations. These providers do not have direct access to data that you have shared with us, but we may collect personal information you have shared with us via these services, as part of delivering the wider Arlo Services.
For example: If you contact us for support via our Facebook, Twitter or Instagram page, we will pass on your contact details and questions to other services that we use to provide support (see Service Specific Subprocessors above.
Facebook Cloud-based Social Network, United States
Instagram Cloud-based Social Network, United States
Twitter Cloud-based Social Network, United States
Change and Updates
As our business grows and evolves, the third-parties and subprocessors that we engage with may also change over time. We will provide the account owner with notice of any changes by sending a notification to the registered account holder's email address, along with posting any changes here. Please check back here to stay in the loop.
Transparency Report
Arlo publishes a bi-annual Transparency Report that provides additional information on the types and volume of information requests we processed during the reporting period.