YubiKey as a Service Customer Portal Privacy Notice
This privacy notice has been adopted by Yubico AB and applies to our and/or other companies’ in the Yubico group (together “Yubico”) processing of personal data relating to you as a user of Yubico’s Customer Portal (the “Console”). The Console is a service offered to our commercial customers, like businesses, institutions and agencies (individually an “Organization”), allowing them to manage product shipping and inventory. The service is not available to consumers.
- Introduction
- Privacy is important to us and we strive for a high level of protection in all processing of personal data. Depending on geographic factors, like place of residency or business, different data protection, security and privacy regulations may apply to your interaction with the Console.
- In accordance with applicable data protection legislation, Yubico AB is the data controller and responsible for the processing of your personal data as set out below. If you have any questions about this information, or if you wish to exercise any of your rights as set out below, contact Yubico via the contact information listed under Section 6.
- Processing of Personal Data
- General
- The term ‘personal data’ refers to such information which, directly or indirectly, may refer to an individual. Examples of such data are name, email address, contact details, IP address and user behaviour. Personal data processing refers to any action that we or a third party that we have engaged take with the personal data, such as collection, registration and storage.
- We process personal data solely for the explicit and specified purposes stated below. We will not use personal data subsequently for any purpose that deviates from these original stated purposes.
- Your obligations under applicable data protection laws
- Please be aware that your Organization and you individually may be subject to distinct obligations under applicable data protection laws. Yubico cannot assume responsibility for such.
- In particular, please note that if you are uploading personal data of another individual to the Console, you represent and warrant that you have acquired and documented their prior consent or rely on another legal ground to do so.
- If you are using the Console on behalf of an Organization, e.g. as the Organization’s admin, you represent and warrant that you are authorized to do so.
- Categories of Data and Purposes of Processing
- Registration. To set up an Organization’s Console account we require the Organization’s Name and Netsuite ID. We further require an email address used as credential for the Organization’s admin in order to log into the account and optionally invite further users via additional email addresses. These data points may include personal data, depending on the nature of the information you elect to submit.
- Delivery Services. If you or your Organization wants to take advantage of our Delivery Services, delivering individual YubiKeys to specific persons and/or addresses of your choice, we require a name, physical shipping address, and phone number in order to ship the YubiKey. You can also provide an additional email address to receive tracking information. These data points may include personal data, depending on the nature of the information you elect to submit.
- System integrity and auditing. We also collect data for system integrity and auditing purposes. The system maintains records of database changes, including the identity of the admin/user making the change, a timestamp, and the nature of the modification. We also track user account states (e.g., Active, Suspended, Deactivated) and the last login timestamp.
- Legal ground.
We rely on (i) performance of a contract where you request registration and delivery services and on (ii) legitimate interest where we process data for system integrity and auditing reasons.
In case your consent is required for any of the above purposes, we will obtain such consent before we process your personal data for such purpose (if you withdraw the consent, that will not affect the lawfulness of processing based on consent before its withdrawal).
- Retention and deletion.
Personal data is kept only for the duration required to fulfil the specific purpose for which it was collected. After this period, the personal data is deleted, except where retention is necessary to meet statutory and regulatory obligations.
- Security for the protection of personal data
We protect all personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage, by implementing appropriate technical and organizational security measures. For a full list of our technical and organizational security measures please reach out to your Organization’s account manager at Yubico.
- Restrictions on the Disclosure of Personal Data
- Where necessary to provide our services, we may appoint external partners to perform tasks on our behalf. We utilize third-party services for specific validation and compliance functions, including:
- Address Verification: System-submitted addresses are processed to generate metadata regarding deliverability.
- Security Screening: Recipient data is cross-referenced against security lists to identify matches against Denied Party Lists (DPL).
- Tax Calculation: Shipment data is processed to calculate and return correct tax amounts based on destination.
- Identity Management: We may utilize external domain services (such as Atlassian) for identity or login management.
- Shipping and Logistics: To facilitate deliveries, shipping data is processed for shipping logistics and labels, customs compliance, postage and delivery services.
- The performance of these tasks may mean that our partners, both within and outside the EU/EEA, are able to gain access to your personal data. Companies that process personal data on our behalf must always sign an agreement with us so that we are able to ensure a high level of protection of your personal data even with our partners. Please request a comprehensive list of our current external partners from your Yubico account manager.
- We take special safeguards in accordance with applicable data protection legislation with regard to international transfers, such as signing agreements with our external partners that include standardized model clauses for data transfers adopted by the EU Commission available on the EU Commission’s website, or similar modular clauses.
- We may also disclose your personal data to law enforcement or other public authorities, if we are required to disclose such data by law or public authority decision. We will not disclose your personal data to any extent other than described in this section.
- Your Rights and the Right to File a Complaint
- Under applicable data protection legislation you, and any other individual whose personal data has been submitted, are entitled, at any time, to request access to the personal data that is processed about you, to have erroneous personal data corrected, to request that we shall stop processing and delete your personal data, to request that the processing of your personal data is restricted, to exercise your right to data portability, to withdraw consent to particular processing (where such consent has been obtained) and to object to the processing of your personal data. In such an event, contact Yubico via the contact details listed below. You are also entitled, at any time, to file a complaint with the relevant supervisory authority, the Swedish Data Protection Authority, if you consider that your personal data has been processed in contravention of applicable data protection legislation.
- Data Controller and Contact Details
- Data Controller
The Yubico Group company that provides the specific service and products is the data controller.
- Contact Details
If you have any questions on how we process your personal data or want information about further contact details for the data controllers above, please contact us through your Organization’s account manager at Yubico, via email to our Privacy Department at privacy@yubico.com, or via post.
Yubico AB, Kungsgatan 44, 111 35 Stockholm, Sweden
- Changes to the Privacy Notice
Occasionally we may, in our discretion, make changes to this Privacy Notice, e.g. by making new versions available within the Console or providing you with prominent notice as appropriate under the circumstances. You are encouraged to read any such update or notice carefully.
Last updated: May 5, 2026