Privacy Policy
This Privacy Policy describes how AuthKey handles data in two distinct contexts: data we collect directly from our business clients, and data processed by our Software within a client's own environment. Please read it carefully.
§ 1 Introduction
AuthKey ("we," "us," or "our") provides enterprise-grade, phishing-resistant authentication software designed for on-premise and private cloud deployment. This Privacy Policy outlines how we handle data in two distinct contexts: the data we collect directly from our business clients, and the data processed by our Software within a client's environment.
§ 2 The AuthKey On-Premise Data Model
AuthKey operates under a strict enterprise software deployment model. We do not host a SaaS platform, and we do not have access to the end-user data processed by the Software once deployed on your infrastructure. All transaction authorizations, risk evaluations, and data storage occur locally within the Client's controlled environment.
Your data stays in your infrastructure. AuthKey personnel have no access to end-user authentication data, transaction records, or risk evaluations processed by the deployed Software. You retain full control.
§ 3 Information Processed by the Deployed Software
When deployed within your infrastructure, the AuthKey Software processes and stores specific authentication data required to function. AuthKey personnel do not have access to this information. The data managed by the Software on your servers includes:
| Data Type | Description |
|---|---|
| Cryptographic Keys (On-premise only) | Public keys generated during the FIDO2/WebAuthn registration process. |
| Authentication Factors (On-premise only) | User PINs (securely hashed/encrypted) and system-generated One-Time Passwords (OTPs) used for step-up authentication or fallback scenarios. |
| Transaction Context (On-premise only) | Transaction amounts, device fingerprints, behavioral patterns, IP addresses, and generalized location data used by the localized machine-learning risk engine. |
| Audit Logs (On-premise only) | Tamper-evident logs of authentication events for forensic analysis. |
The Client acts as the Data Controller for all end-user data processed by the Software and is responsible for managing this data in accordance with applicable privacy laws.
§ 4 Information AuthKey Collects (B2B Context)
AuthKey only collects data strictly necessary to conduct business with our enterprise clients:
- Client Account Information: When scheduling a demo, requesting support, or entering into a commercial contract, we collect business details including names, business email addresses, phone numbers, job titles, and company names.
- Telemetry and Licensing Data: With explicit Client configuration and consent, the Software may transmit anonymized, high-level telemetry data (such as license utilization metrics or software version status) back to AuthKey solely for billing and maintenance purposes.
§ 5 How We Use Business Information
The B2B contact information collected is used exclusively to:
- Provide technical support and integration guidance to your development team.
- Manage licensing, billing, and commercial contracts.
- Notify clients of critical security patches, software updates, or changes to our services.
§ 6 Data Security for B2B Information
We implement robust technical and organizational security measures to protect the business contact information we retain. This includes encryption for data at rest and in transit, strict internal access controls, and regular security assessments.
§ 7 Third-Party Disclosures
We do not sell, rent, or trade your business information to third parties. Information is only shared with trusted infrastructure sub-processors strictly necessary for operating our corporate website and CRM systems, or when legally compelled by a valid legal request from authorized law enforcement.
We do not sell your data. AuthKey does not sell, rent, or trade client business information. Any sharing with sub-processors is limited strictly to what is required to operate our corporate systems.
§ 8 Updates to this Policy
We may update this Privacy Policy periodically to reflect changes in our business operations or legal obligations. We will notify active Clients of any material changes via direct communication.