Privacy Policy

1. Introduction

This Privacy Policy describes how Oten ("we," "us," or "our") collects, uses, discloses, and protects information in connection with our Key Management Service ("Oten KMS" or the "Service"). This policy applies to all users of our Oten KMS platform, including administrators, developers, and end-users.

We are committed to protecting your privacy and ensuring the security of all data processed through our Service.


2. Information We Collect

2.1 Account Information

  • Organization name and contact details

  • Administrator names and email addresses

  • Billing information (processed by third-party payment providers)

  • Authentication credentials (hashed credentials, public keys, or identity tokens; passwords are never stored in plaintext)

2.2 Service Usage Data

  • API call logs and timestamps

  • Key creation, rotation, and management activities

  • Authentication events and access logs

  • Error logs and diagnostic information

2.3 Cryptographic Metadata

  • Key identifiers (Key IDs)

  • Key configurations and policies

  • Key version information

  • Access control settings and conditions

Cryptographic metadata does not include key material, key derivation secrets, or plaintext cryptographic parameters.

2.4 Integration Data

  • Google Workspace CSE configuration data

  • Google Drive integration metadata

  • Third-party service connection details

  • TEE (Trusted Execution Environment) attestation data is used solely to verify trusted execution environments and is not used for profiling or tracking users.

2.5 Technical Information

  • IP addresses

  • Device identifiers

  • Browser type and version

  • Operating system information


3. Information We Do NOT Collect or Access

Important: Our Oten KMS is designed with zero-knowledge principles for customer-managed cryptographic material (CMKs), including plaintext keys and encrypted customer content.

  • We do NOT have access to your plaintext encryption keys

  • We do NOT store or access data encrypted using your Customer Managed Keys (CMKs)

  • We do NOT retain the content of wrap/unwrap operations

  • We do NOT access files stored in your Google Drive or other integrated services


4. How We Use Your Information

4.1 Service Provision

  • Authenticate users and manage access controls

  • Process key management operations

  • Maintain and improve Service performance

  • Provide customer support

4.2 Security and Compliance

  • Detect and prevent fraudulent or unauthorized activities

  • Monitor for security threats and vulnerabilities

  • Comply with legal obligations and regulatory requirements

  • Generate audit logs for compliance purposes

4.3 Service Improvement

  • Analyze usage patterns to improve Service features

  • Identify and fix technical issues

  • Develop new features and capabilities

4.4 Communication

  • Send Service-related notifications

  • Provide security alerts and updates

  • Respond to inquiries and support requests


5. Data Sharing and Disclosure

5.1 We Do NOT Sell Your Data

We do not sell, rent, or trade your personal information or cryptographic data to third parties.

5.2 Limited Sharing

We may share information only in the following circumstances:

Service Providers: With trusted third-party vendors who assist in operating our Service, subject to confidentiality agreements.

Legal Requirements: When required by law, court order, or governmental authority.

Security Incidents: To investigate, prevent, or take action regarding potential security breaches or fraud.

Business Transfers: In connection with a merger, acquisition, or sale of assets, with appropriate confidentiality protections.

With Your Consent: When you explicitly authorize sharing with specific parties.


6. Data Security

6.1 Security Measures

We implement industry-leading security measures including:

  • End-to-end encryption for data in transit (TLS 1.3)

  • AES-256 encryption for data at rest

  • Hardware Security Modules (HSM) for key storage

  • TEE (Trusted Execution Environment) integration

  • Multi-factor authentication support

  • Regular security audits and penetration testing

  • SOC 2 readiness and controls aligned with SOC 2 Trust Services Criteria

6.2 Access Controls

  • Role-based access control (RBAC)

  • Principle of least privilege

  • Regular access reviews and audits

  • Automated session management

6.3 Incident Response

We maintain a comprehensive incident response plan and will notify affected users promptly in case of any security breach that may impact their data.


7. Data Retention

7.1 Active Data

  • Account information: Retained while account is active

  • Cryptographic keys: Retained according to your key lifecycle policies

  • Audit logs: Retained for the minimum period required to meet legal, security, and compliance obligations.

7.2 Deleted Data

  • Upon account termination, we will securely delete your data within 30 days

  • Cryptographic keys are securely destroyed using industry-standard methods

  • Some data may be retained longer if required by law

7.3 Backup Data

Backup copies are retained for disaster recovery purposes and are subject to the same security controls as primary data.


8. Your Rights and Choices

8.1 Access and Portability

You have the right to:

  • Access your account information

  • Export your key metadata and configurations

  • Obtain copies of audit logs

8.2 Correction and Deletion

You may:

  • Update your account information

  • Request correction of inaccurate data

  • Request deletion of your account and associated data

8.3 Data Processing Controls

You can:

  • Configure key lifecycle policies

  • Set access conditions and restrictions

  • Manage integration permissions

8.4 Opt-Out

You may opt out of:

  • Marketing communications

  • Non-essential data collection

  • Certain analytics features

Opt-out does not apply to data required for security, compliance, fraud prevention, or core Service operations.


9. International Data Transfers

9.1 Data Location

  • Primary data centers are located in regions selected by Oten, including Asia-Pacific and North America.

9.2 Transfer Safeguards

For international transfers, we implement:

  • Standard Contractual Clauses (SCCs)

  • Appropriate security measures

  • Compliance with applicable data protection laws


10. Compliance

10.1 Regulatory Compliance

Our Service is designed with security and privacy principles aligned to widely recognized regulatory and compliance frameworks. While formal certifications or contractual arrangements may not yet be in place, Oten KMS is architected to support customer compliance efforts, including:

  • GDPR (General Data Protection Regulation)

  • CCPA (California Consumer Privacy Act)

  • HIPAA (support planned; requires execution of a Business Associate Agreement)

  • SOC 2 (controls designed to align with Trust Services Criteria)

  • ISO 27001 (controls aligned; certification planned)

10.2 Industry Standards

We adhere to:

  • NIST Cybersecurity Framework

  • OWASP Security Guidelines

  • Industry best practices for key management


11. Third-Party Integrations

11.1 Google Workspace CSE

When using the Google Workspace Client-Side Encryption integration:

  • We provide key management and cryptographic authorization services used by Google Workspace Client-Side Encryption.

  • Google's privacy policy applies to data within Google services

  • We only access encryption key metadata, not encrypted content

11.2 Google Drive Integration

  • We facilitate key management for encrypted files

  • File content remains encrypted and inaccessible to us

  • Access is governed by your configured policies

11.3 Other Integrations

Third-party integrations are subject to their respective privacy policies. We recommend reviewing those policies before enabling integrations.


12. Children's Privacy

Our Service is not intended for use by individuals under 18 years of age. We do not knowingly collect information from children.


13. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by:

  • Posting the updated policy on our website

  • Sending email notifications to account administrators

  • Displaying in-app notifications

Continued use of the Service after changes constitutes acceptance of the updated policy.


14. Contact Us

For privacy-related inquiries, please contact: support@oten.live


15. Additional Information for Specific Regions

15.1 European Union (GDPR)

  • Legal basis for processing: Contract performance, legitimate interests, legal obligations

  • Data Protection Authority: You may lodge complaints with your local supervisory authority

15.2 California (CCPA)

  • Categories of personal information collected: Identifiers, commercial information, internet activity

  • No sale of personal information

  • Right to know, delete, and opt out

15.3 Other Jurisdictions

Contact us for information about rights specific to your jurisdiction.

Last updated