Privacy Policy for Breeze
Effective Date: 01.01.2025
Last Updated: 28.04.2026
1. Introduction
Welcome to the Breeze platform. We value your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, and protect your personal information when you use our secure digital identity and credential management services.
2. Who We Are
This platform is operated by Sotera AS, provider of the Breeze platform — a secure digital identity and credential management system. For questions regarding this policy, you can contact your Breeze representative.
3. What Data We Collect
When you use our platform, we collect the following types of data:
Identity and Authentication Data:
- Login credentials (email, encrypted passwords)
- Multi-factor authentication codes (temporary)
- National identity information (when using eID services): when you sign in via a national eID (BankID, MitID, etc.), your national identity number may be used in transit to verify your identity but is not stored by Breeze. Breeze stores only the pseudonymous identifiers returned by the eID broker, so that future eID logins can be linked to your Breeze account.
- Identity Provider (IdP) information from external authentication services
- Session identifiers and access tokens
Technical and Security Data:
- IP address
- Browser type and version (via User-Agent headers)
- Device information
- Session data and authentication timestamps
- Security audit logs and access control records
Personal and Credential Data:
- Name, email, and contact details
- Profile information linked to digital Credentials
- Credential data collections (names, photos, employee numbers, etc.)
- Digital identity verification data
- Where your organization has configured a Credential Template to use external data lookup against a population register (such as Folkeregisteret in Norway or SPAR in Sweden), the data returned by that lookup is mapped into your Credential according to the Template. What is retained is determined by your organization's Template configuration. Sensitive fields can be marked accordingly in the Template, and Breeze applies application-layer encryption, masked display, and audit-log redaction to those fields automatically.
System and Usage Data:
- Event logs for system security and audit purposes
- Error tracking and monitoring data (via the third-party error monitoring service listed in section 6; personal data is redacted before transmission)
- Platform usage statistics for security monitoring
Some of the technical and security data above (in particular IP addresses, session identifiers, and audit-log entries) is personal data under GDPR. We process it solely for the security and audit purposes described in section 5, on the legal basis of legitimate interests under Article 6(1)(f). See section 5a for our legal-basis disclosures and section 9 for your rights.
4. Cookies and Session Management
Our platform uses cookies and similar technologies solely for essential functionality:
Session Cookies (Required):
- credToken: JWT authentication token for secure user sessions
- connect.sid: Session identifier for platform communication
- signedIn: Basic authentication status indicator
- NEXT_LOCALE: Stores your preferred display language so the platform remembers it across sessions. Not used for any other purpose.
We do not use cookies for analytics, marketing, or tracking purposes. All cookies are essential for platform operation and security. You can manage cookie settings through your browser, but disabling them will prevent the platform from functioning properly.
5. How We Use Your Data
We use your personal data exclusively for:
- Platform Operation: Authenticating users, managing digital credentials, and maintaining secure access
- Security and Compliance: Monitoring for suspicious activity, maintaining audit logs, and ensuring platform integrity
- Identity Management: Creating, managing, and verifying digital identity credentials
- Technical Support: Providing user support and troubleshooting platform issues
- Legal Compliance: Meeting regulatory requirements and responding to lawful requests
5a. Legal Basis for Processing
We process your personal data on the following legal bases under the EU General Data Protection Regulation (GDPR) and the Norwegian Personal Data Act (personopplysningsloven):
- Performance of a contract (Article 6(1)(b)): processing personal data that is necessary to deliver the Breeze platform under the agreement between Sotera and your organization (or partner), including authenticating you, managing your Credentials, and providing support.
- Legitimate interests (Article 6(1)(f)): a narrow set of security-related processing activities necessary to keep the platform safe and available - specifically, security audit logging (including IP addresses), authentication-failure tracking and rate limiting, and operational error monitoring with personal data redacted. This basis is expressly recognized by Recital 49 of the GDPR for the purposes of network and information security.
- Legal obligation (Article 6(1)(c)): processing necessary to comply with applicable laws or lawful requests from authorities.
- Consent (Article 6(1)(a)): only where explicitly obtained, and only for processing that does not fit one of the bases above.
Where processing is based on legitimate interests, you have the right to object (Article 21). We will weigh your objection against the interests pursued and respond with reasons.
6. Sub-processors
We do not sell your personal data. We engage a small number of carefully selected sub-processors to deliver the platform. Each sub-processor is governed by a Data Processing Agreement with Sotera that imposes the GDPR processor obligations on them.
Hosting and infrastructure:
- Microsoft Azure (Microsoft Corporation) - application hosting (App Service), object storage (Blob Storage), and managed cache (Azure Cache for Redis). Region: Norway East. Processes: all operational customer data.
- MongoDB Atlas (MongoDB Inc.) - primary database (cluster). Region: Microsoft Azure Norway East. Processes: Tenant data, Credentials, Users, audit events.
- Vercel (Vercel Inc.) - frontend hosting and content delivery for the customer portal. The frontend is a static client-side application; no customer data is stored on or proxied through Vercel - only the application code itself.
Identity and authentication services:
- Signicat (Signicat AS, Norway) - when you sign in using a national eID (such as Norwegian BankID, Swedish BankID, or MitID), Signicat acts as the broker that relays your authentication request to the eID scheme. When your organization has configured a credential template that requires data from a population register, Signicat also performs lookups in Folkeregisteret (FREG, Norway) or SPAR (Sweden) on Sotera's behalf.
- Your organization's identity provider - when you sign in using Single Sign-On (SAML or OpenID Connect), authentication is performed by your organization's identity provider; we receive the authentication assertion and the attributes your organization has chosen to share.
Operational services:
- Brevo (Sendinblue SAS) - transactional email delivery for activation, password reset, and multi-factor authentication code messages. Region: EU. Processes: recipient email address and message content.
- Sentry (Functional Software, Inc.) - application error monitoring and stack-trace aggregation. Personal data (such as email addresses) is masked or omitted before transmission.
- Temporal - durable workflow orchestration for credential lifecycle automation. Processes workflow metadata only.
Legal Requirements:
- Compliance with legal obligations or lawful requests from authorities
A complete and current list of our sub-processors is also published in our public Trust Center, and material changes to the list are notified to customers in line with the Data Processing Agreement.
7. Data Security
We implement comprehensive security measures:
- Encryption: Industry-standard encryption including TLS for data in transit and AES-256 for sensitive data at rest
- Authentication: Multi-factor authentication (MFA) and role-based access control
- Audit Logging: Detailed audit trails for all system access and changes
- Sensitive Data Field protection: Fields that your organization has marked as sensitive (typically national identity numbers and similar identifiers) are encrypted at the application layer with AES, masked for users without access to read the value, and redacted to "[REDACTED]" in audit logs. If encryption is not possible for any reason, the write is aborted rather than storing the value in plaintext.
- Session Security: Secure session management with automatic token expiration
8. Data Retention and Deletion
Active Data:
- User data is retained while your account is active and for legitimate business purposes
- Audit logs are maintained for security and compliance requirements
Data Lifecycle Management:
Breeze applies a three-stage user lifecycle. The time spent at each stage is configurable at the Domain level (set by the domain administrator and applied to all tenants in the domain) and can be overridden at the Tenant level by a tenant administrator. Out-of-the-box system defaults are:
- Registered users who never activate their account are deleted after 90 days. Email warnings are sent before deletion at a configurable schedule.
- Active users who do not log in are deactivated after 90 days of inactivity. Email warnings are sent on the same configurable schedule.
- Deactivated users are deleted 30 days after deactivation. Deactivated accounts can be reactivated by a tenant administrator within that window; once deleted, the account cannot be recovered.
- These figures are the system defaults. The values that actually apply to your data are whatever your organization has configured. For the specific retention periods that apply to your account, contact your organization's tenant administrator.
Backup retention is platform-managed at the database tier (continuous backup with point-in-time restore on the MongoDB Atlas cluster).
Anonymization:
- Personal data can be anonymized when no longer needed for identified purposes
- Anonymized data retains no personally identifiable information
9. Your Rights
Under applicable data protection laws (such as the GDPR), you have the right to:
- Access: Request access to the personal data we hold about you
- Correction: Request correction of inaccurate personal data
- Deletion: Request deletion of your personal data (subject to legal requirements)
- Restriction: Object to or restrict certain types of processing
- Portability: Request transfer of your data in a structured format
- Withdrawal: Withdraw consent where processing is based on consent
To exercise your rights, please contact your Breeze representative or administrator.
10. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we do, the revised policy will be posted with an updated effective date. We recommend reviewing this policy periodically.
11. Contact Information
For questions about this Privacy Policy or how we handle your personal data, please contact your designated Breeze representative or system administrator.