Collavate Advanced Security Policies

Terms Of Service


  1. General.  These Terms and Conditions of Use (the “Terms”) govern the access and use  of the website, (the “Website”), which is owned by Collavate, Inc., and the services provided on or through the Website (the “Services”) and the content uploaded by users of the Website and/or Services (the “Content”).  Your access or use of the Website, Services and/or Content signifies that you have read, and you understand, acknowledge and agree to be bound by, all of these Terms and any policies related to the Website, Services and/or Content as may be adopted by Collavate from time to time.  These Terms define the respective rights and obligations between you, the user of the Website and Services (“you,” “your” or “User”) and Collavate in relation to the Website, the Services and/or Content and your access and use thereof.

  1. Accounts.  In order to access and use some of the Services, you will have to create an account (an “Account”) with Collavate.  You represent and warrant to Collavate that all of the information you submit when you create your Account is accurate, current and complete, and that you will keep your Account information accurate, current and complete.  If Collavate has reason to believe that your Account information is untrue, inaccurate, out-of-date or incomplete, Collavate reserves the right, in its sole and absolute discretion, to suspend or terminate your Account.  You are solely responsible for the activity that occurs on your Account, whether authorized by you or not, and you must keep your Account information secure, including, without limitation, your customer number/login, password, payment method(s), and PIN.  For security purposes, Collavate recommends that you change your password and PIN at least once every six (6) months for each Account you have with Collavate.  You must notify Collavate immediately of any breach of security or unauthorized use of your Account.  Collavate will not be liable for any loss you incur due to any unauthorized use of your Account.

  1. User’s Covenants, Representations and Warranties.  The User hereby covenants, represents and warrants to Collavate as follows:

3.1. The User is a legal entity or an individual over the age of 18 years that is capable of entering into binding agreements.  If User is a legal entity, then you represent and warrant that you represent and are acting on behalf of the legal entity, and you have the express authority to bind the legal entity to the Terms.  User hereby acknowledges and agrees that if Collavate finds that User does not have the legal authority to bind such legal entity, the User will be personally responsible for the obligations contained in these Terms.  Collavate shall not be liable for any loss or damage resulting from Collavate’s reliance on any instruction, information, data, notice, document or communication reasonably believed by Collavate to be genuine and originating from an authorized representative of your legal entity.  If there is reasonable doubt about the authenticity of any such instruction, information, data, notice, document or communication, Collavate reserves the right (but assumes no duty) to require additional authentication from you.  User further acknowledges and agrees that if User is not a legal entity or otherwise able to enter into binding contracts under applicable law, User is not permitted to use the Services, and User hereby covenants and agrees that in that event User will not use the Services.

3.2. The User acknowledges and agrees to comply with all of the terms and conditions set forth in these Terms, all applicable laws, statutes, rules and regulations of any applicable jurisdiction, and any rules and procedures that may be established or adopted by Collavate from time to time (collectively, the “Relevant Rules”).  User acknowledges and agrees that any material breach of this Section 3.2 by User may result in immediate suspension or termination of Services at Collavate’s sole discretion.

3.3. The use by the User of the domain name, Website, Services and/or Content shall comply in all materials respects to all Relevant Rules without infringing the legal rights of any third party.  If the User becomes aware of any use of a domain name, Website, Services and/or Content that may cause a dispute or claim from a third party, the User shall use his, her or its best efforts to avoid or resolve any such dispute or claim in compliance with the Relevant Rules, these Terms and any policies, rules and procedures that Collavate may establish from time to time.

3.4. The User shall provide to Collavate only information that is complete, correct and accurate.  User shall, further, provide to Collavate the User’s most current contact information, which shall be updated by User promptly upon the occurrence of any changes to such contact information.  In any event, User is solely responsible for any Content uploaded by User.

3.5. The User shall securely keep and maintain User’s passwords, ID’s, usernames, and any other information for the use of the Services (hereinafter, “User’s Confidential Information”).  Collavate shall not be responsible for any loss, misappropriation, or misuse of the User’s Confidential Information.

3.6. The User acknowledges and agrees that User must comply with all Relevant Rules as may be established by regulatory authorities from time to time.  The User further acknowledges and agrees that User shall not have nor make any claims of any kind against Collavate in any way related to issues required, prescribed or proscribed by any regulatory authority and the Relevant Rules, or to Collavate’s compliance the Relevant Rules.

3.7. The User acknowledges and agrees that, as a condition prior to the commencement of the Services, Collavate will undertake certain validation tests in order to filter potential fraudulent orders.  User further acknowledges and agrees that fully validated Services shall not be provided unless User passes the validation tests.

3.8. Unless Collavate specifically agrees in writing, User will not, and will use commercially reasonable efforts to make sure a third party does not: (a) sell, resell, lease or the functional equivalent, the Services to a third party (unless expressly authorized in this Agreement); (b) attempt to reverse engineer the Services or any component; (c) attempt to create a substitute or similar service through use of, or access to, the Services; (d) use the Services for high risk activities; or (e) use the Services to store or transfer any User Data that is controlled for export under applicable export control laws.

3.9. Except as expressly set forth herein, this Agreement does not grant either party any rights, implied or otherwise, to the other’s content or any of the other’s intellectual property.  As between the parties, User owns all Intellectual Property Rights in User’s Data and Collavate owns all Intellectual Property Rights in the Services.

3.10. Collavate may display those User’s trademarks, brands and/or logos within designated areas of the Website.  Collavate may also display Collavate’s trademarks, brands and/or logos to indicate that the Services are provided by Collavate.  Neither party may display or use the other party’s Brand Features beyond what is allowed in this Agreement without the other party’s prior written consent.

3.11. User agrees that Collavate may include User’s name and/or logo in a list of Collavate customers, online or in promotional materials.  User also agrees that Collavate may verbally reference User as a user of the Collavate products or Services that are the subject of these Terms.

  1. Collavate’s Registration Policy.

4.1. Collavate shall provide the Services pursuant to these Terms on a “First Come, First Served” basis.

4.2. User’s right to use the Website, Services and/or Content is contingent on User’s compliance with these Terms, the Relevant Rules, and any rules and procedures established by Collavate regarding the use of the Website, the Services and Content.

4.3. Collavate shall keep the User’s information confidential and make it publicly available only as may be required or pursuant to these Terms and/or Collavate’s Privacy Policy.  Such User information may include the User’s contact details, its domain name, the expiry date, contact details of its name server etc. to the extent permitted or required by all Relevant Rules, these Terms and Collavate’s Privacy Policy.

4.4. Unless otherwise required by the Relevant Rules, Collavate shall not be required to nor be responsible for monitoring or investigating User’s use of the Website, Services, and/or Content, User’s use of its own website, domain name, or any of User’s Content.

  1. Service Fees and Payments.

5.1. The prices, fees and payment terms payable by the User for the Services shall be posted by Collavate on its Website.  Such prices, fees and payment terms may be changed by Collavate from time to time by posting any such changes on its Website.  Collavate will try to provide advance notice of any such change, but regardless of whether or not such notice is timely given, any such changes shall become immediately effective upon posting, unless otherwise stated in the posting on the Website.  In principle, the fees shall be payable in advance and are non-refundable, unless otherwise expressly stated in writing.

5.2. Any fees charged by an independent service provider may be passed through to the User provided, that Collavate shall provide User with advance notice of such fees.  If User objects to such fees or fails or refuses to make payment therefore, then Collavate may terminate the User’s access to and use of the Website and Services.

5.3. User shall be solely responsible for the timely payment of any applicable fees and for maintaining and renewing User’s domain name registration, and Collavate shall have no responsibility or obligation of any kind or nature with respect thereto.  All payments shall be made in U.S. dollars unless otherwise set forth in writing by Collavate.

5.4. All prices and fees are non-refundable once the Services have been initiated by the User’s activation of User’s Collavate account regardless of whether the Services are subsequently suspended, terminated, or transferred prior to the end of the expiration of the registration, provided, however, that such suspension, termination or transfer is not caused by the gross negligence of Collavate.

5.5. Delinquent payments may bear interest at the rate of one-and-one-half percent per month (or the highest rate permitted by law, if less) from the payment due date until paid in full.  User will be responsible for all reasonable expenses (including attorneys’ fees) incurred by Collavate in collecting such delinquent amounts except where such delinquent amounts are due to Collavate’s billing inaccuracies.

5.6. User is responsible for any and all taxes related in any way to User’s access and use of the Website, Services and/or Content, and User will pay Collavate for the Services without any reduction for any such taxes.  If Collavate is obligated to collect or pay any taxes, such taxes will be invoiced to User unless User provides Collavate with a valid, applicable tax exemption certificate authorized by the appropriate taxing authority.  If User is required by law to withhold any taxes from its payments to Collavate, User must provide Collavate with an official tax receipt or other appropriate documentation to support such payments.



  1. Term, Suspension and Termination.

8.1. These Terms shall commence and become effective upon User’s first access of the Website and Services and, except for those provisions that are intended to survive the User’s use of the Website, Services and/or Content, will continue to be in full force and effect until the User’s Account with Collavate and User’s use of the Website and Services shall expire or be terminated.

8.2. Collavate may terminate or cancel the Terms and terminate or cancel User’s access to and use of the Website and Services, with or without prior notice to the User, if the User breaches any material term or condition of the Terms or otherwise violates any material provision of the Relevant Rules.

8.3. If Collavate becomes aware of a violation of the Agreement, then Collavate may specifically request that User suspend the applicable account.  If User fails to comply with Collavate’s request to suspend the violating account, then Collavate may do so. The duration of any suspension by Collavate will be until the violating account has cured the violation or breach that caused the Suspension.

8.4. Notwithstanding the foregoing, if there is an emergency security Issue, then Collavate may automatically suspend the offending use.  Suspension will be to the minimum extent and of the minimum duration required to prevent or resolve the emergency security Issue.  If Collavate suspends an account for any reason without prior notice to User, at User’s request, Collavate will provide User the reason for the suspension as soon as is reasonably possible.

8.5. For purposes of this Agreement, the term “emergency security issue” shall mean either: (a) User’s use of the Services in violation of these Terms, which could disrupt: (i) the Services; (ii) other user’s use of the Services; (iii) the Collavate network or servers used to provide the Services; or (b) unauthorized third party access to the Services.

8.6. Collavate will have no obligation to retain any archived User Content or information beyond the retention period specified by User (other than for any legal holds) unless User’s right to use the Services is earlier terminated or expires.  If the User does not renew its Account or the Account expires or is terminated, or the User otherwise loses the right to use the Website and Services, Collavate will have no obligation to retain any archived User information.

8.7. At the end of each period for which User has signed up and paid for Services, all of the paid for Services will automatically renew for an additional term of twelven (12) months by default.  Customer will pay Collavate the then-current fees for each renewed User Account unless User and Collavate mutually agree otherwise.  User may alter the number of end users to be renewed by communicating the appropriate number of accounts to be renewed to Collavate via the Admin Console.  If for any reason Collavate does not want the Services to renew, then it will provide User written notice to this effect at least fifteen (15) days prior to the end of the then current Services term.  This notice of non-renewal will be effective upon the conclusion of the then current Services term.  The automatic renewal feature may be disabled by the User.

8.8 If this Agreement terminates, then: (i) the rights granted by one party to the other will cease immediately (except as set forth in this Section); (ii) Collavate will provide User access to, and the ability to export User’s Content, information and/or data for a commercially reasonable period of time at Collavate’s then-current rates for the applicable Services; (iii) after a commercially reasonable period of time, Collavate will delete Customer Data by removing pointers to it on Collavate’s active servers and overwriting it over time; and (iv) upon request each party will promptly use commercially reasonable efforts to return or destroy all other Confidential Information of the other party.

  1. Indemnity.  You agree to protect, defend, indemnify and hold harmless Collavate and its officers, directors, employees, representatives and agents, from and against any and all claims, demands, costs, expenses, losses, liabilities and damages of every kind and nature (including, without limitation, reasonable attorneys’ fees) imposed upon or incurred by Collavate directly or indirectly arising from (i) your use of and access to this Website or the Services; (ii) your violation of any provision of these Terms or the policies or agreements which are incorporated herein; (iii) your violation of or noncompliance with any of the terms and conditions of the Relevant Rules; and/or (iv) your violation of any third-party right, including without limitation any intellectual property or other proprietary right.  The indemnification obligations under this section shall survive any termination or expiration of these Terms or your use of this Website or the Services.

  1. Governing Laws and Dispute Resolution.

10.1. These Terms shall be governed by and construed under the federal laws of the United States of America and the laws of the State of California, whichever may be applicable, without the application of any conflict of law principles.

10.2. You agree that any action relating to or arising out of these Terms shall be brought in the state or federal courts of Santa Clara County, California, and you hereby consent to, and waive all defenses of lack of personal jurisdiction and forum non conveniens with respect to jurisdiction and venue in the state and federal courts of Santa Clara County, California.  You agree to waive the right to trial by jury in any action or proceeding that takes place relating to or arising out of these Terms.

10.3. Any disputes that cannot be resolved amicably between the parties shall be submitted for arbitration under the rules of the American Arbitration Association, as amended, and venue for such arbitration shall be in Santa Clara County, State of California, United States of America.

  1. Modifications.  User acknowledges and agrees that Collavate, in its sole discretion, may change or modify these Terms, and any policies or agreements which are incorporated herein, at any time, and such changes or modifications shall be effective immediately upon posting to the Website.  If you do not agree to be bound by these Terms as last revised, do not use (or continue to use) the Services.  Any access or use of the Website, Services and/or Content after changes or modifications are made of the Terms, policies and agreements shall be deemed your acceptance of such changes or modifications.

  1. Assignment and Delegation.  User may not assign or delegate any of User’s rights, obligations and duties under these Terms without Collavate’s express written consent, which consent may be withheld for any reason or for no reason at Collavate’s sole discretion.  Any attempted assignment or delegation shall be deemed invalid, unenforceable and ineffective.  Notwithstanding the foregoing, Collavate may in its discretion transfer its rights and obligations under the Terms to any third party upon prior written notice to the User, provided that such transfer is permitted under the Relevant Rules.

  1. Severability.  If any provision of these Terms is determined to be illegal or unenforceable, that provision shall be deemed severed from these Terms and the other remaining provisions shall remain in full force and effect, and such remaining provisions shall be interpreted as much as legally possible as was originally intended.

  1. Notice.  Except for changes or modification of the Terms and/or any policies or agreements incorporate herein, which changes and modifications will be posted on the Website, all other notices required under the Terms shall be given in writing sent to, in the case of the User, the email address of record (the latest email address provided to Collavate by the User as User’s contact email), and in the case of Collavate, at  Such notice shall be deemed to have been given at the time it is sent or posted as the case may be in accordance with these Terms.

  1. Force Majeure.  Collavate shall not be liable for any cessation or interruption of Services nor for any losses or damages of any kind or nature resulting from events beyond the control of Collavate, including, but not limited to, acts of God and naturally occurring disasters or conditions, wars, riots, terrorist attacks, cyber virus attacks, hacking, strikes, work stoppages, and government action that prevents or hinders the delivery and/or performance of the Services.

  1. Transfer of Data Abroad.  If you are accessing the Website and using the Services from a country other than where our servers are located, your communication with Collavate may result in the transfer of information across international borders.  By accessing this Website and/or using the Services, you consent to such transfers of information.

  1. No Spam Policy.  Collavate has a “No Spam” policy, and you acknowledge and agree that Collavate may immediately terminate your account and block you from using any Services in Collavate’s sole discretion if Collavate believes in good faith that you are transmitting or involved with in any way spam or other unsolicited bulk-mail.

  1. Successors and Assigns.  These Terms shall be binding upon and inure to the benefit of the parties and their respective heirs, successors and assigns.

Privacy Policy

Collavate, Inc. respects your concerns about privacy. References in this Privacy Policy to “Collavate”, “we”, “us”, and “our” are references to the Collavate entity responsible for the processing of your personal information, which generally is the Collavate entity that collects your personal information.

This Privacy Policy describes the types of personal information we obtain, how we may use that personal information, with whom we may share it and how you may exercise your rights regarding our processing of that information. The Privacy Policy also describes the measures we take to safeguard the personal information we obtain and how you can contact us about our privacy practices.

This Privacy Policy applies to the personal information we obtain through Collavate properties, including websites, products, services, desktop and mobile apps, and other tools offered by Collavate that reference this Privacy Policy (“Online Services”); offline collection, including Collavate events, surveys, questionnaires, customer user research and evaluations (“Offline Channels”); and third-party sources, including business partners, ad networks and vendors (collectively, the “Offerings”). This Privacy Policy does not apply to other Collavate products and services that post separate privacy policies.

In connection with providing support, cloud and other services, Collavate processes certain data maintained in environments that Collavate may access to perform cloud, consulting and support services (“Customer Content”) on behalf of and at the direction of its customers and partners, as well as log data (e.g., regarding access and authentication requests) that we collect for analysis and security purposes across our services. Our use of such Customer Content and log data is subject to the terms of our customer agreements and is not governed by this Privacy Policy. In contrast, the information we collect through our customers’ and partners’ use of our websites (such as names, addresses, billing information and employee contact information) and through our offline interactions with customers and partners is subject to the terms of this Privacy Policy.

The Online Services may provide links to other third-party websites and features. Some of these third-party websites may be co-branded with a Collavate logo even though they are not owned, controlled, operated or maintained by Collavate. Collavate does not share your personal information with those websites and is not responsible for their privacy practices. These websites are subject to their respective privacy policies. In some cases, we may provide the Offerings jointly with other businesses. For these co-branded offerings in which a third party is involved in your transactions, we will sometimes share or jointly collect customer data related to those transactions with that third party.

Personal Information We Obtain

The data we obtain varies based on the Offerings you use. We obtain personal information through your interaction with the Offerings, such as when you:

  create an account in an Online Service;

register or apply to a Collavate partner program;

sign up for an online program, event, seminar, promotion or sweepstakes;

request products (including product evaluations, trials, tech preview and beta downloads), services or information;

participate in Collavate events, surveys, questionnaires, research or evaluations;

or correspond with us or request information from us.


The types of personal information we obtain include:

contact information (such as name email address, telephone number, postal or other physical address) for you or for others (e.g., principals in your business or billing contacts);

information used to create your online account (such as username and password);

biographical and demographic information (such as gender, job title/position and occupation);

business profile and practices information used to evaluate you as a partner;


billing and financial information (such as name, billing address, payment card details and bank account information and purchase history);

information you submit in connection with a career opportunity at Collavate,

such as contact details, information in your résumé (including work history,

education and language skills) and details about your current employment;

location data (such as data derived from your IP address, country and zip code);

clickstream data and other information about your online activities (such as information about your devices, browsing actions and usage patterns), including across the Online Services and third-party websites, that we obtain through the use of cookies, web beacons and similar technologies (see our description of Cookies and Similar Technologies below);

personal information contained in forums, blogs, and testimonials you provide or that we obtain from publicly available sources (such as social media channels);

information related to participation in classroom or online training, including programs completed and certifications achieved;

information necessary to provide support or other paid consulting services (such as contact details, chat services, support details, and event history);

personal information contained in content you submit to us (such as through our “Contact” feature or other in-product or in-service messaging); and other personal information we obtain through our Offerings.

Please note that providing personal information to us is voluntary on your part. If you choose not to provide us certain information, we may not be able to offer you certain products and services, and you may not be able to access certain features of the Online Services.

How We Use Personal Information We use the information we obtain to:

provide and administer our products and services (including websites and apps for which you have registered);

process and fulfill orders in connection with our products and services and keep you informed about the status of your order;

help you complete a transaction or order and provide customer support;

bill you for products and services you purchased;

provide training, support and consulting services;

manage career opportunities, including for recruitment purposes, employee onboarding and other Human Resources purposes;

create and manage your account with Collavate;

operate, evaluate and improve our business (such as by administering, developing, enhancing and improving our products and services; managing our communications and customer relationships; and performing accounting, auditing, billing, reconciliation and collection activities);

perform data analytics (such as research, trend analysis, financial analysis and customer segmentation);

communicate with you about your account and orders (including sending emails relating to your registration, account status, order confirmations, renewal or expiration notices and other important information);

conduct marketing and sales activities (including sending you promotional materials, generating leads, pursuing marketing prospects, performing market research, determining and managing the effectiveness of our advertising and marketing campaigns and managing our brand);

communicate with you about, and administer your participation in, events, programs, promotions and surveys;

connect employees with their enterprise account administrator;

verify your identity and protect your account against unauthorized use or abuse of our services;

protect against, identify and prevent fraud and other unlawful activity, claims and other liabilities;

comply with and enforce relevant industry standards, contractual obligations and our policies;

maintain and enhance the security of our Online Services, products, services,

network services, information resources and employees; and respond to your inquiries.

Depending on the purposes for which personal information is used, and the context in which the data is obtained, we may rely on one or more of the following legal bases:

performance of a contract with you or a relevant party;

our legitimate business interests;

compliance with a legal obligation, a court order, or to exercise or defend legal claims; or your consent to the processing, which you can revoke at any time.

We may combine data collected from you with other sources to help us improve the accuracy of our marketing and communications as well as to help expand or tailor our interactions with you. This includes combining personal information we obtain through Online Services with information we obtain through Offline Channels, as well as other information (such as referral programs), for the purposes described above. We may anonymize or aggregate personal information and use it for the purposes described above and for other purposes to the extent permitted by applicable law. We also may use personal information for additional purposes that we specify at the time of collection. We will obtain your consent for these additional uses to the extent required by applicable law.

Where required by applicable law, we will obtain your consent for the processing of your personal information for direct marketing purposes.

Cookies and Other Technologies

Collavate uses cookies, web beacons (including pixels and tags), and similar technologies on our Online Services that collect certain information about you by automated means. A “cookie” is a text file that websites send to a visitor’s computer or other Internet-connected device to uniquely identify the visitor’s browser or to store information or settings in the browser. A “web beacon,” also known as an Internet tag, pixel tag or clear GIF, links web pages to web servers and their cookies and may be used to transmit information collected through cookies back to a web server.

We use these automated technologies to collect information about your equipment, browsing actions, and usage patterns. The information we obtain in this manner includes IP address and other identifiers associated with your devices, types of devices connected to our Offerings, device characteristics (such as operating system), language preferences, referring/exit pages, navigation paths, access times, browser preferences and characteristics, installed plugins, local time zones, local storage preferences, clickstream data and other information about your online activities. We use on our Online Services both first-party cookies (served directly by our website domain when you visit our Online Services) and third-party cookies (served by a third-party website when you visit our Online Services and certain third-party websites with whom we have partnered). Some of these cookies are session cookies (which are automatically deleted when you close your browser) and others are persistent cookies (which remain on your computer or other Internet-connected device for a period of time after you end your browsing session, unless you delete them).

The cookies we use on our Online Services include (1) essential and functional cookies; (2) analytics cookies; and (3) targeting/advertising cookies, as described below.

Essential and Functional Cookies

We use cookies on our Online Services that are necessary for us to provide you with our products and services. This includes essential cookies (such as those used to authenticate you to our website and identify you after you have logged in), functional cookies (such as those that remember what you added to your shopping cart or the language preference you selected), and user-centric security cookies used to increase the security of the products and services we provide to you (such as to detect authentication abuses). Given the necessary functionality of these cookies, they typically may not be disabled on our Online Services.

Analytics Cookies

We use analytics cookies to collect information on how users navigate and use our Online Services, such as how the users traverse our Online Services, the pages they view, how long they stay on a page and whether the page is displayed correctly or whether errors occur. Such cookies help us to improve the performance of our Online Services and make the Online Services more user-friendly. These cookies are provided by third-party analytics providers, including Google Analytics and Marketo. To learn more about Google Analytics and how to opt out, please visit Google Analytics. To learn more about these analytics services and how to opt out, please view our Cookie Consent Tool here.

How We Share Your Personal Information

We do not sell or otherwise disclose personal information about you except as described here or at the time of collection. Collavate may share personal data in the following ways:

if sharing your data is necessary to provide a product, service or information you have requested;

as part of a joint sales promotion or to pass sales leads to our business partners;

to keep you up to date on the latest product announcements, software updates, special offers or other information we think you would like to hear from our business partners;

within Collavate (including among affiliates and subsidiaries) for the purposes described in this Privacy Policy;

for the purposes of validating employment, training completed or product certifications achieved;

to connect employees with their company administrator(s);

with our customers to report and help manage issues requiring support or as    part of consulting services;

with our customers and partners to inform them about their users’ use of our services (such as when a user has obtained credentials or completed a course);

with service providers we have engaged to perform services on our behalf (such as payment processing, order fulfillment, customer support, customer relations management and data analytics). These service providers are contractually required to safeguard the information provided to them and are restricted from using or disclosing such information except as necessary to perform services on our behalf or to comply with legal requirements;

with approved Collavate partners, to offer and provide our products and services to you; and

with our joint marketing and sales partners and other business partners who help us with our business operations or other aspects of our business and for the purposes described in this Privacy Policy

We also may disclose personal information about you (1) if we are required or permitted to do so by applicable law, regulation or legal process (such as a court order or subpoena), (2) to law enforcement authorities or other government officials to comply with a legitimate legal request, (3) when we believe disclosure is necessary to prevent physical harm or financial loss to Collavate, its users or the public as required or permitted by law, (4) to establish, exercise or defend our legal rights, and (5) in connection with an investigation of suspected or actual fraud, illegal activity, security or technical issues.

In addition, we reserve the right to transfer to relevant third parties information we have about you in the event of a potential or actual sale or transfer of all or a portion of our business or assets (including in the event of a merger, acquisition, joint venture, reorganization, divestiture, dissolution or liquidation) or other business transaction.

We also may share the information in other ways for which we provide specific notice at the time of collection and obtain your consent to the extent required by applicable law.

International Data Transfers

We transfer the personal information we collect through the Channels to, and store such data in, other countries in which Collavate and its service providers operate, including the U.S., which may have different data protection laws than the country in which the information was provided. If we do so, we will transfer the personal information only for the purposes described in this Privacy Policy. To the extent required by applicable law, when we transfer your personal information to recipients in other countries, we will take measures to protect that information including, as appropriate, by executing data transfer agreements based on the European Commission’s Standard Contractual Clauses pursuant to article 46 of the General Data Protection Regulation (GDPR), or by selecting data recipients that are certified to the EU-U.S. and Swiss-U.S. Privacy Shield frameworks described below.

EU-U.S. and Swiss-U.S. Privacy Shield

With respect to transfers of personal information from the EU and Switzerland to the U.S., Collavate is certified under the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce and the European Commission regarding the transfer of personal information from the EU to the U.S., pursuant to article 45 of the GDPR (each a “Privacy Shield Framework” and collectively the “Privacy Shield Principles”). If there is any conflict between the terms of this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit

Collavate is responsible for the processing of personal information it receives, under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Collavate complies with the Privacy Shield Principles for all onward transfers of personal information from the EU and Switzerland, including the onward transfer liability provisions.

With respect to personal information received or transferred pursuant to a Privacy Shield Framework, Collavate is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Collavate may be required to disclose personal information in response to lawful requests by public authorities, including to satisfy national security or law enforcement requirements.

Under certain conditions, more fully described on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

In compliance with the Privacy Shield Principles, Collavate commits to resolve complaints about our collection or use of your personal information. If you have questions or complaints regarding our Privacy Policy or practices, please contact us.

EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Collavate. If you have an unresolved compliant that has not been addressed to your satisfaction, please contact or visit (a U.S.-based alternative dispute resolution provider) for more information or to file a complaint. The services are provided at no cost to you.

Collavate has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU and Switzerland in the context of the employment relationship.

Your Rights and Choices

We offer you certain choices in connection with the personal information we obtain about you, such as how we use the information and how we communicate with you. To update your preferences, limit the communications you receive from us or submit a request, please contact us as specified in the How to Contact Us section of this Privacy Policy. You can also unsubscribe from our mailing lists by following the “Unsubscribe” link in our emails.

To the extent provided by the law of your jurisdiction, you may request access to the personal information we maintain about you or request that we correct, update, amend or delete your information, or that we restrict the processing of such information by contacting us as indicated below or by accessing MyAccount. To help protect your privacy and maintain security, we may take steps to verify your identity before granting you access to the information. To the extent permitted by applicable law, a charge may apply before we provide you with a copy of any of your personal information that we maintain. Depending on your location, you may have the right to file a complaint with a government regulator if you are not satisfied with our response.

We support the Self-Regulatory Principles for Online Behavioral Advertising (“Principles”) of the Digital Advertising Alliance in the U.S., the Digital Advertising Alliance of Canada, and the European Digital Advertising Alliance in the EU. If you live in the United States, Canada, or the European Union, you can visit Ad Choices, Ad Choices Canada or Your Online Choices to find a convenient place to indicate your preferences, including the option to make one “universal” opt-out of interest-based advertising with participating entities. These websites also provide detailed information about interest-based advertising and tips for managing your privacy online and in applications. Opting out of interest-based advertising does not mean you will no longer see advertisements from us or on the Online Services; rather, opting out means that the online ads that you do see will not be based on your interests. When you opt-out of receiving interest-based advertisements through the links above, cookies and other technologies on the Online Services may still collect information about your use of the Online Services, including for analytics, fraud prevention and any other purpose permitted under the Self- Regulatory Principles.

When you use our Online Services, both we and certain third parties (such as our advertising networks, digital advertising partners and social media platforms) may collect personal information about your online activities, over time and across third-party websites. Certain web browsers allow you to instruct your browser to send Do Not Track (“DNT”) signals to websites you visit, informing those sites that you do not want your online activities to be tracked.

Where provided by law, you may withdraw any consent you previously provided to us or object at any time on legitimate grounds to the processing of your personal information, and we will apply your preferences going forward. This will not affect the lawfulness of our use of your information based on your consent before its withdrawal.

How We Protect Personal Information

We maintain administrative, technical and physical safeguards, consistent with legal requirements where the personal information was obtained, designed to protect against unlawful or unauthorized destruction, loss, alteration, use or disclosure of, or access to, the personal information provided to us through the Channels.

Retention of Personal Information

To the extent permitted by applicable law, we typically retain personal information we obtain about you for as long as it is needed (1) for the purposes for which we obtained it, in accordance with the terms of this Privacy Policy, which generally means that we will keep your personal information for the duration of our relationship or as long as you keep your account open with us; or (2) to take into account applicable statute of limitation periods and comply with applicable laws, resolve disputes and enforce our agreements. As described in the “Your Rights and Choices” section above, to the extent provided by the law of your jurisdiction, you may request that we delete your information or restrict the processing of such information by contacting us as indicated below.

Notice to California Residents

Subject to certain limits under California law, California residents may ask us to provide them with (1) a list of certain categories of personal information we have disclosed to third parties for their direct marketing purposes during the immediately preceding calendar year and (2) the identity of those third parties. To obtain this information, please send an email to with “California Shine the Light Privacy Request” in the subject line and in the body of your message.

Children’s Personal Information

The Online Services are designed for a general audience and are not directed to children under the age of 13. We do not knowingly collect or solicit personal information from children under the age of 13 through the Online Services. If we become aware that we have collected personal information from a child under the age of 13, we will promptly delete the information from our records. If you believe that a child under the age of 13 may have provided us with personal information, please contact us as specified in Contact Us section of this Privacy Policy.

Changes to Our Privacy Policy

This Privacy Policy may be updated periodically and without prior notice to you to reflect changes in our information practices. We will indicate at the top of this Privacy Policy when it was most recently updated. We encourage you to periodically review this Privacy Policy for the latest information on our privacy practices.

How to Contact Us

If you have any questions or comments about this Privacy Policy or if you would like us to update information we have about you or your preferences, please contact us by email at or write to us at:

Collavate, Inc.

Attn: Chief Privacy & Digital Risk Officer / Data Protection Officer

4320 Stevens Creek Blvd. STE 211 San Jose CA95129

United States

Asset Management Policy


There are so many vendors offering various cloud based solutions, users may find their intellectual property assets in multiple locations, making searches, permission control and overall document management more difficult. This can also cause document duplication and increased handling and storage costs. We replaced all third party applications within a unified Google cloud environments.

  • Unified Storage (Google Cloud Storage)
  • Universal Search powered by Google search
  • Reliable and secure platform


  • Document Asset Management

    ○ TAGS: Use shared or personal Tags to better manage documents, and enhance searches.

    ○ Cross-search documents across the domain, subject to applicable security level clearance.

    ○ Manage documents, files, and folders by assigning security levels for users and documents. Protect documents while providing selective access to them.

    ○ Upload email attachments in one easy step regardless of the number of attachments.

  • Automated Workflow

    ○ Write, edit, and approve any file types supported by Google Drive.

    ○ Determine the number and sequence of approvals.

    ○ Automatic transfer of document ownership to designated domain administrator.

    ○ Archive documents after approval; restrict access.

    ○ Create, save, and reuse templates for frequently used approvals.

    ○ Examples: Contracts / Quotations / Invoices / Presentations / Expense Reports.

  • Document Archiving

    ○ Archive document activities in real time.

    ○ Archived data can be stored for any length of time to meet any compliance requirements.

    ○ Admin can search across the entire domain by users and archived documents.

    ○ Google Drive activities can be exported as CSV files.

Collavate license key

Collavate is software and its license key is managed by Collavate, Inc. Collavate manages and distributes customer license keys(Intangible assets) at its own Google Cloud Platform.

Customer data

Collavate company does not store nor access customer data as collavate will be installed on customer’s own google cloud platform. Collavate company cannot access customer data.

Tangible asset management program

Collavate developed its own management program to successfully manage

tangible IT assets such as computers, phones, tablet PCs, etc.

Business Continuity & Disaster Recovery Policy

Business Continuity

We believe that business continuity is the ability to maintain operations/services in the face of a disruptive event. This requires the availability of computing, application services, physical network access, and network services, as well as user/client access to this infrastructure. Collavate maintains continuity in operations and services, including systems such as Web servers, email, critical databases, and so forth, requires specific technology. This technology and infrastructure can include Cloud, virtualization, clustering/failover/failback, server hardware, network and networking services, remote datacenter facilities, replication services, and redundant shared storage. Depending on the type of event, continuity of a give application is achieved by failing over its services and user/client access locally within the same datacenter or to remote, physically disparate data center which is provided by Google Cloud Platform(GCP).

With Collavate business continuity plan, the failover of a service is measured in seconds or less. Backup technologies, including those that rely on disk as a backup target, cannot provide this level of continuity of services. Backups, in order to be used, require a restoration process and are typically used for disaster recovery purposes.

Our business impact analysis template(above this one) is designed for companies to establish a clear plan of action after a disruption in normal business processes. Through both qualitative and quantitative business operation variables, a BIA collects information to develop a targeted recovery strategy to maintain productivity and business continuity. These variables include recovery time objective (RTO), recovery point objective (RPO), and maximum tolerable downtime (MTD). By identifying severity of impact, resource requirements, and recovery priorities, a company can minimize its recovery time. After these initial components are established, the BIA can assess the financial and operational impacts based on the levels of severity afflicted on business units, departments, and processes.

Disaster Recovery

Phase I – Data Collection

1. Project should be organized with timeline, resources, and expected output

2. Business impact analysis should be conducted at regular intervals

3. Risk assessment should be conducted regularly

4. Onsite and Offsite Backup and Recovery procedures should be reviewed

5. Alternate site location must be selected and ready for use

Phase II – Plan Development and Testing

1. Development of Disaster Recovery Plan

2. Testing the plan

Phase III – Monitoring and Maintenance

1. Maintenance of the Plan through updates and review

2. Periodic inspection of DRP

3. Documentation of changes

4. If Only I had Known!

5. IT Network Disaster Recovery


The statement of the objective including project details, Onsite/Offsite data, resources, and business type Disaster Recovery Plan Criteria A documentation of the procedures as to declaring emergency, evacuation of site pertaining to nature of disaster, active backup, notification of the related officials/DR team/staff, notification of procedures to be followed when disaster breaks out, alternate location specifications, should all be maintained. It is beneficial to be prepared in advance with sample DRPs and disaster recovery examples so that every individual in an organization are better educated on the basics.

DR Team – Roles and Responsibilities

Documentation should include identification and contact details of key personnel in the disaster recovery team, their roles and responsibilities in the team. Contingency Procedures The routine to be established when operating in contingency mode should be determined and documented. It should include inventory of systems and equipment in the location; descriptions of process, equipment, software; minimum requirements of processing; location of vital records with categories; descriptions of data and communication networks, and customer/vendor details. A resource planning should be developed for operating in emergency mode. The essential procedures to restore normalcy and business continuity must be listed out, including the plan steps for recovering lost data and to restore normal operating mode.

Testing and Maintenance

The dates of testing, disaster recovery scenario, and plans for each scenario should be documented. Maintenance involves record of scheduled review on a daily, weekly, monthly, quarterly, yearly basis; reviews of plans, teams, activities, tasks accomplished and complete documentation review and update. The disaster recovery plan developed thereby should be tested for efficiency. To aid in that function a test strategy and corresponding test plan should be developed and administered. The results obtained should be recorded, analyzed, and modified as required. Organizations realize the importance of business continuity plans that keep their business operations continuing without any hindrance. Disaster recovery planning is a crucial component of today’s network-based organizations that determine productivity, and business continuity.

Collavate adapts Google’s Disaster Recovery Guideline

When it comes to disaster recovery, there’s no silver bullet—that is, no single recovery plan can cover all use cases. This article provides guidance for handling a variety of disaster recovery scenarios using Google’s cloud infrastructure.

Note: This document addresses targeted disaster recovery scenarios. The viability of each suggested approach is subject to your specific compliance requirements. For general advice for developing a disaster recovery plan on Google Cloud Platform, see Designing a Disaster Recovery Plan with Google Cloud Platform.


This article uses the following terms:

● The recovery time objective (RTO), which is the maximum acceptable length of time that your application can be offline. This value is usually defined as part of a larger service level agreement (SLA).

● A recovery point objective (RPO), which is the maximum acceptable length of time during which data might be lost due to a major incident. Note that this metric describes the length of time only; it does not address the amount or quality of the data lost.

For a broader discussion of these concepts, as well as general principles for designing a disaster recovery plan, seeDesigning a Disaster Recovery Plan with Google Cloud Platform.


This section explores common disaster recovery scenarios and provides recovery strategies and example implementations on Google Cloud Platform for each.

Historical data recovery

Historical data most often needs to be archived for compliance reasons, but it is also commonly archived for use in future historical analysis. In both cases, it’s important to archive relevant log and database data in a durable way using an easily accessible and transformable format. Typically, historical data has a medium or large RTO. However, as it is expected to be complete and accurate, historical data tends to have a small RPO.

Archiving log data

Log data is usually used for historical trend analysis and for potential forensic analysis. Generally, this data does not need to be stored for years. However, as noted earlier, it’s important that this data can be easily imported into a format that lends itself to analysis.

Google Cloud Platform provides several options for exporting log data, including:

● Stream to Google Cloud Storage bucket, which periodically writes your logs to Cloud Storage. The files are timestamped, encrypted, and stored in appropriately-named folders, making it simple to locate logs from a given time period.

● Stream to BigQuery dataset, which streams your logs to a BigQuery dataset. BigQuery stores data in an immutable, read-only manner. For details on exporting logs, see Exporting Your Logs. 

Archiving database data

Note: This section discusses archiving and retrieving relational database records. However, the methodology described can be applied to non-relational databases, such as NoSQL datastores, as well. Relational database backups often use a multitiered solution, where the live data is stored on a local storage device and backups are stored on progressively “colder” storage solutions. In this solution, a cron job (or similar) backs up the live data to the second tier at regular intervals, and another job is used to back up data from that tier to another tier at slightly wider intervals. One possible implementation of this strategy on Google Cloud Platform would be to use persistent disk for the live data tier, a standard Cloud Storage bucket for the second tier, and a Cloud Storage Nearline bucket for the final tier. 

In this implementation, the tiers would be connected as follows:

1. Configure your application to back up data to the persistent disk attached to the instance.

2. Set up a task, such as a cron job, to move the data to the standard Cloud Storage bucket after a defined period of time.

3. Finally, set up another cron job or use Cloud Storage Transfer Service to move your data from the standard bucket to the Nearline bucket.

4. Note: You can find Python example code for Cloud Storage Transfer Service in Cloud Platform’s GitHub repository.

To make this a complete disaster recovery solution, you must also implement some method of restoring your backups to a compatible version of the database. 

Three viable approaches are as follows:

● Create a custom image that has the proper version of the database system installed.

● You can then create a new Compute Engine instance with this image to test the import process. Note that this approach requires regular and rigorous testing.

● Take regular snapshots of your database system.

● If your database system lives on a Compute Engine persistent disk, you can take snapshots of your system each time you upgrade. If your database system goes down or you need to roll back to a previous version, you can simply create a new persistent disk from your desired snapshot and make that disk the boot disk for a new Compute Engine instance. Note that, to avoid data corruption, this approach requires you to freeze the database system’s disk while taking a snapshot.

● Export the data to a highly-portable flat format such as CSV, XML, or JSON, and store it in Cloud Storage Nearline.

● This approach will provide maximum flexibility, allowing you to import the data into any database system you choose to use. In addition, JSON and CSV can be easily imported into BigQuery, which will make future analysis simple and straightforward.

● Note: This approach’s viability is subject to your specific compliance requirements.

Archiving directly to BigQuery

If your use case permits, you can archive real-time event data directly into BigQuery by using streaming inserts. This approach is particularly useful for performing big data analytics. To prevent accidental overwrites, you should use IAM to manage who has update and delete access to the data written to the tables.

Data corruption recovery

When database data has been corrupted, your data will need to be recovered easily and made available quickly. A good approach here is to use backups in combination with transactional log files from the corrupted database to roll back to a known-good state.

If you have chosen to use Cloud SQL, Google Cloud Platform’s fully-managed MySQL database, you should enable automated backups and binary logging for your Cloud SQL instances. This will allow you to easily perform a point-in-time recovery, which restores your database from a backup and recovers it to a fresh Cloud SQL instance. For more details, see Cloud SQL Backups and Recovery.

If you manage your own relational databases with Compute Engine, the principles remain the same, but you are responsible for managing the database service and implementing an appropriate backup process.

 If you are using an append-only data store like BigQuery, there are a number of mitigating strategies you can adopt:

● Export the data from BigQuery, and create a new table that contains the exported data but excludes the corrupted data.

● Store your data in different tables for specific time periods. This method ensures that you will need to restore only a subset of data to a new table, rather than a whole dataset.

● Store the original data on Cloud Storage. This will allow you to create a new table and reload the uncorrupted data. From there, you can adjust your applications to point to the new table.

● Note: This method provides good availability, with only a small hiccup as you point your applications to the new store. However, unless you have implemented application-level controls to prevent access to the corrupted data, this method can result in inaccurate results during later analysis.

Additionally, if your RTO permits, you can prevent access to the table with the corrupted data by leaving your applications offline until the uncorrupted data has been restored to a new table.

Application recovery

It’s important to maintain high levels of uptime—if your service is unavailable, you’re losing business. This section will examine ways of failing your application over to another location as quickly as possible.

Note: The solutions in this section focus on applications running entirely on Google Cloud Platform. For advice on handling remote recovery use cases, such as on-premises-to-cloud or cloud-to-cloud, see the Remote recovery section below.

Hot standby server failover

In this solution, you have a continuously online server on standby. This server does not receive traffic while the main application server is functional. If your service is running entirely on Google Compute Engine, you can streamline application failover by using Compute Engine’s HTTP load balancing service. The HTTP load balancer accepts traffic through a single global external IP address, and then distributes it according to forwarding rules you define. Properly configured, this service will automatically fail over to your standby server in the event that a main instance becomes unhealthy.

Important: The HTTP load balancing service can direct traffic only to Compute Engine instance groups; it cannot be used to send traffic to IPs outside your Compute Engine network.

Warm standby server failover

This solution is identical to hot standby server failover, but omits use of Compute Engine’s HTTP load balancing service in favor of manual DNS adjustment. Here, RTO is determined by how quickly you can adjust the DNS record to cut over to the standby server.

Cold standby server failover

In this solution, you have an offline application server on standby that is identical to the main application server. In the event that the main application server goes offline, the standby server is instantiated. Once it is online, traffic fails over to it.

In this example, you would run the following:

● A serving instance. This instance is part of an instance group, and said group is used as a backend service for an HTTP load balancer.

● A minimal instance that performs the following functions:

○ Runs a cron job to snapshot the serving instance at regular intervals

○ Checks the health of the serving instance at regular intervals

This minimal instance is part of a managed instance group, and this group is controlled by a Compute Engine autoscaler. The autoscaler is configured to keep exactly one minimal instance running at all times, utilizing an instance template to create a new instance in the event that the current running instance becomes unavailable.

If the minimal instance detects that the serving instance has been unresponsive for a specified period of time, it instantiates a new instance using the latest snapshot and adds the new instance to the managed instance group. When the new instance comes online, the HTTP load balancer begins directing traffic to it.

Warm static site failover

In the unlikely event that you are unable to serve your application from Compute Engine instances, you can mitigate service interruption by having a Cloud Storage-based static site on standby. This solution is very economical, and can be particularly effective if your website has few or no dynamic elements—in the event of failure, you can simply change your DNS settings, and you will have something serving immediately.

The following diagram illustrates an example implementation:

Remote recovery

If your production environment is on-premises or on another cloud provider, Google Cloud Platform can be useful as a target for backups and archives. Using Carrier Interconnect, Direct Peering, and/or Compute Engine VPN, you can easily adapt the previously described disaster recovery strategies to your own situation. This section discusses methods for integrating Google Cloud Platform into your remote disaster recovery strategies.

Replicating storage with Google Cloud Platform

If you are replicating from an on-premises storage appliance, you can use Carrier Interconnect or Direct Peering to establish a connection with Google Cloud Platform, then copy your data to the storage solution of your choice. Data can then be restored to your on-premises storage or to a storage location on Google Cloud Platform.

Replicating application data with Google Cloud Platform

In this scenario, production workloads are on-premises and Google Cloud Platform is the disaster recovery failover target. One possible solution is to set up a minimal recovery suite—a cold standby application server and a hot/active database—on Google Cloud Platform, configuring the former to quickly scale up in the event that it needs to run a production workload. In this situation, the database must be kept up-to-date; however, the application servers would only be instantiated when there is a need to switch over to production. Depending on your RTO, the appropriate image starting point would be used to start and configure a working instance. 

The diagram below illustrates how a multitiered application can run on-premises while using a minimal recovery suite on Google Cloud Platform:

To reduce costs, you can run the database on the smallest machine type capable of running the database service. When the on-premises application needs to fail over, you can make your database system production-ready as follows:

1. Destroy the minimal instance, making sure to keep the persistent disk containing your database system intact. If your system is on the boot disk, you will need to set the auto-delete state of the disk to false before destroying this instance.

2. Create a new instance, using a machine type that has appropriate resources for handling a production load.

3. Attach the persistent disk containing your database system to the new instance.

In the event of a disaster, your monitoring service will be triggered to spin up the web tier and application tier instances in Google Cloud Platform. You can then adjust the Cloud DNS record to point to the web tier or, if you are using the Compute Engine HTTP load balancing service, to the load balancer’s external IP.

The following diagram illustrates the state of the overall production environment after the disaster recovery plan has been executed:

Maintaining machine image consistency

If you choose to implement an on-premises/cloud or cloud/cloud hybrid solution, you will most likely need to find a way to maintain consistency across production environments.

For a discussion of how to create an automated pipeline for continuously building images with Packer and other open source utilities, seeAutomated Image Builds with Jenkins, Packer, and Kubernetes.

If a fully-configured image is required, consider something like Packer, which can create identical machine images for multiple platforms from a single configuration file. In the case of Packer, you can put the configuration file in version control to keep track of what version is deployed in production.

As another option, you could use configuration management tools such as Chef, Puppet, Ansible, or Saltstack to configure instances with finer granularity, creating base images, minimally-configured images, or fully-configured images as needed. 

For a discussion of how to use these tools effectively, see Compute Engine Management with Puppet, Chef, Salt, and Ansible.

You can also manually convert and import existing images such as Amazon AMIs, Virtualbox images, and RAW disk images to Compute Engine.

Collavate Security Whitepaper



Collavate fully understands the security implications of the cloud software model. Our cloud Software are designed to deliver better security than many traditional on-premises solutions. We make security a priority to protect our own operations, but because Collavate runs on the same software that we make available to our customers, your organization can directly benefit from these protections. That’s why we focus on security, and protection of data is among our primary design criteria. Security drives our organizational structure, training priorities and hiring processes. It shapes our data and the technology they house. It’s central to our everyday operations and disaster planning, including how we address threats. It’s prioritized in the way we handle customer data. And it’s the cornerstone of our account controls, our compliance audits and the certifications we offer our customers.

This paper outlines Collavate’s approach to security and compliance for Collavate Cloud Software and services. Used by organizations worldwide, from large enterprises and retailers with hundreds of thousands of users to fast-growing startups. This whitepaper focuses on security including details on organizational and technical controls regarding how Collavate protects your data.


Collavate Has a Strong Security Culture

Collavate has created a vibrant and inclusive security culture for all employees. The influence of this culture is apparent during the hiring process, employee onboarding, as part of ongoing training and in company-wide events to raise awareness.


Employee background checks

Before they join our staff, Collavate will verify an individual’s education and previous employment, and perform internal and external reference checks. Where local labor law or statutory regulations permit, Collavate may also conduct criminal, credit, immigration,

and security checks. The extent of these background checks is dependent on the desired position.


Security training for all employees

All Collavate employees undergo security training as part of the orientation process and receive ongoing security training throughout their Collavate careers. During orientation, new employees agree to our Code of Conduct , which highlights our commitment to keep customer information safe and secure. Depending on their job role, additional training on specific aspects of security may be required. For instance, the information security team instructs new engineers on topics like secure coding practices, product design and automated vulnerability testing tools. Engineers also attend technical presentations on security-related topics and receive a security newsletter that covers new threats, attack patterns, mitigation techniques and more.


Internal security and privacy events

Collavate hosts regular internal conferences to raise awareness and drive innovation in security and data privacy, which are open to all employees. Security and privacy is an ever-evolving area, and Collavate recognizes that dedicated employee engagement is a key means of raising awareness. One example is “Privacy Week,” during which Collavate hosts events across global offices to raise awareness of privacy in all facets, from software development, data handling and policy enforcement to living our privacy principles . Collavate also hosts regular “Workshop” focusing on subjects that often include security and privacy.


Our dedicated security team

Collavate employs security and privacy professionals, who are part of our software engineering and operations division. Our team includes Collavate CEO one of foremost security expert in information, application and network. This team is tasked with maintaining the company’s defense systems, developing security review processes, building security infrastructure and implementing Collavate’s security policies. Collavate’s dedicated security team actively scans for security threats using commercial and custom tools, penetration tests, quality assurance (QA) measures and software security reviews.


Within Collavate, members of the information security team review security plans for all networks, systems and services. They provide project-specific consulting services to Collavate’s product and engineering teams. They monitor for suspicious activity on Collavate’s networks, address information security threats, perform routine security evaluations and audits, and engage outside experts to conduct regular security assessments.


Our dedicated privacy team

The Collavate privacy team operates separately from product development and security organizations, but participates in every Collavate product launch by reviewing design documentation and performing code reviews to ensure that privacy requirements are followed. They help release products that reflect strong privacy standards: transparent collection of user data and providing users and administrators with meaningful privacy configuration options, while continuing to be good stewards of any information stored on our platform. After products launch, the privacy team oversees automated processes that audit data traffic to verify appropriate data usage. In addition, the privacy team conducts research providing thought leadership on privacy best practices for our emerging technologies.


Internal audit and compliance specialists

Collavate has a dedicated internal audit team that reviews compliance with security laws and regulations around the world. As new auditing standards are created, the internal audit team determines what controls, processes, and systems are needed to meet them. This team facilitates and supports independent audits and assessments by third parties.


Operational Security

Far from being an afterthought or the focus of occasional initiatives, security is an integral part of our operations.


Vulnerability management

Collavate administrates a vulnerability management process that actively scans for security threats using a combination of commercially available and purpose-built in-house tools, intensive automated and manual penetration efforts, quality assurance processes, software security reviews and external audits. The vulnerability management team is responsible for tracking and following up on vulnerabilities. Once a vulnerability requiring remediation has been identified, it is logged, prioritized according to severity, and assigned an owner. The vulnerability management team tracks such issues and follows up frequently until they can verify that the issues have been remediated.



Collavate’s security monitoring program is focused on information gathered from internal network traffic, employee actions on systems and outside knowledge of vulnerabilities. At many points across our global network, internal traffic is inspected for suspicious behavior, such as the presence of traffic that might indicate botnet connections. This analysis is performed using a combination of open-source and commercial tools for traffic capture and parsing. A proprietary correlation system built on top of Collavate technology also supports this analysis.


Network analysis is supplemented by examining system logs to identify unusual behavior, such as attempted access of customer data. Collavate security engineers place standing search alerts on public data repositories to look for security incidents that might affect the company’s infrastructure. They actively review inbound security reports and monitor public mailing lists, blog posts, and wikis. Automated network analysis helps determine when an unknown threat may exist and escalates to Collavate security staff, and network analysis is supplemented by automated analysis of system logs.


Incident management

We have a rigorous incident management process for security events that may affect the confidentiality, integrity, or availability of systems or data. If an incident occurs, the security team logs and prioritizes it according to its severity. Events that directly impact customers are assigned the highest priority. This process specifies courses of action, procedures for notification, escalation, mitigation, and documentation. Collavate’s security incident management program is structured around the NIST guidance on handling incidents (NIST SP 800–61). Key staff are trained in forensics and handling evidence in preparation for an event, including the use of third-party and proprietary tools. Testing of incident response plans is performed for key areas, such as systems that store sensitive customer information. These tests take into consideration a variety of scenarios, including insider threats and software vulnerabilities. To help ensure the swift resolution of security incidents, the Collavate security team is available 24/7 to all employees. If an incident involves customer data, Collavate or its partners will inform the customer and support investigative efforts via our support team.


Technology with Security at Its Core

Cloud Software runs on a technology platform that is conceived, designed and built to operate securely. Collavate is an innovator in software, network and system management technologies. We use Google’s custom- designed servers, proprietary operating system, and geographically distributed data centers. Using the principles of “defense in depth,” we’ve created an IT infrastructure that is more secure and easier to manage than more traditional technologies.


Hardware tracking and disposal

Collavate uses Google Data Center which meticulously tracks the location and status of all equipment within the data centers from acquisition to installation to retirement to destruction, via barcodes and asset tags.

A global network with unique security benefits

Collavate uses Google’s IP data network consists of it’s own fiber, public fiber, and undersea cables. This allows us to deliver highly available and low latency services across the globe for the service.

This is Google’s white paper about Google’s IP data network.

In other cloud services and on-premises solutions, customer data must make several journeys between devices, known as “hops,” across the public Internet. The number of hops depends on the distance between the customer’s ISP and the solution’s data center. Each additional hop introduces a new opportunity for data to be attacked or intercepted. Because it’s linked to most ISPs in the world, Google’s global network improves the security of data in transit by limiting hops across the public Internet.


Defense in depth describes the multiple layers of defense that protect Collavate’s network from external attacks. Only authorized services and protocols that meet our security requirements are allowed to traverse it; anything else is automatically dropped. Industry-standard firewalls and access control lists (ACLs) are used to enforce network segregation. All traffic is routed through custom GFE (Collavate Front End) servers to detect and stop malicious requests and Distributed Denial of Service (DDoS) attacks. Additionally, GFE servers are only allowed to communicate with a controlled list of servers internally; this “default deny” configuration prevents GFE servers from accessing unintended resources. Logs are routinely examined to reveal any exploitation of programming errors. Access to networked devices is restricted to authorized personnel. —


Securing data in transit

Data is vulnerable to unauthorized access as it travels across the Internet or within networks. For this reason, securing data in transit is a high priority for Collavate. The Collavate Front End (GFE) servers mentioned previously support strong encryption protocols such as TLS to secure the connections between customer devices and Collavate’s web services and APIs. Cloud customers can take advantage of this encryption for their services running on Collavate Cloud Software by using the Google Cloud Load Balancer. Google Cloud Platform also offers customers additional transport encryption options, including Collavate Cloud VPN for establishing IPSec virtual private networks.


Low latency and highly available solution

Collavate designs the components of our platform to be highly redundant. This redundancy applies to our server design, how we store data, network and Internet

connectivity, and the software services themselves. This “redundancy of everything” includes the handling of errors by design and creates a solution that is not dependent on a single server, data center, or network connection. Google’s highly redundant infrastructure also helps customers protect themselves from data loss. Cloud Platform resources can be created and deployed across multiple regions and zones. Allowing customers to build resilient and highly available systems.


Simply put, when Collavate needs to service or upgrade software, users do not experience downtime or maintenance windows.


Service availability

Some of Collavate’s services may not be available in some jurisdictions. Often these interruptions are temporary due to network outages, but others are permanent due to government-mandated blocks.


Data Usage, Data Access and Restrictions, Administrative access

To keep data private and secure, Collavate is installed to each customer’s Google Cloud Platform. Collavate employees have no access permission to customer data by default. For Collavate employees, special access rights and levels are based on customer’s special approval and their job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. Collavate employees are only granted a limited set of default permissions to access company resources, such as activity and error logs. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as dictated by Collavate’s security policies. Approvals are managed by Google’s workflow tools that maintain audit records of all changes.


These tools control both the modification of authorization settings and the approval process to ensure consistent application of the approval policies. An employee’s authorization settings are used to control access to all resources, including data and systems for Cloud Software products. Support services are only provided to authorized customer administrators whose identities have been verified in several ways. Collavater access is monitored and audited by our dedicated security, privacy, and internal audit teams.


For customer administrators

Within customer organizations, administrative roles and privileges for Collavate Cloud Software are configured and controlled by the project owner. This means that individual team members can manage certain services or perform specific administrative functions without gaining access to all settings and data.


Law enforcement data requests

The customer, as the data owner, is primarily responsible for responding to law enforcement data requests; however, like other technology and communications companies, Collavate may receive direct requests from governments and courts around the world about how a person has used the company’s services. We take measures to protect customers’ privacy and limit excessive requests while also meeting our legal obligations. Respect for the privacy and security of data you store with Collavate Cloud Software remains our priority as we comply with these legal requests. When we receive such a request, our team reviews the request to make sure it satisfies legal requirements and Collavate’s policies. Generally speaking, for us to comply, the request must be made in writing, signed by an authorized official of the requesting agency and issued under an appropriate law. If we believe a request is overly broad, we’ll seek to narrow it, and we push back often

and when necessary.


Regulatory Compliance

Our customers have varying regulatory compliance needs. Our clients operate across regulated industries, including finance, pharmaceutical and manufacturing.

Collavate Governance Policy



COLLAVATE Security Council has three teams to protect customer information. Collavate Security Council



  1. Dedicated Security Team: YE____, JI______, VI___
  2. Dedicated Privacy Team: KE____, AL__
  3. Internal Audit Team: S. Jung CEO/Founder, HA___, JE_____




Dedicated security team

Collavate employs security and privacy professionals, who are part of our software engineering and operations division. Our team includes Collavate CEO one of foremost security expert in information, application and network. This team is tasked with maintaining the company’s defense systems, developing security review processes, building security infrastructure and implementing Collavate’s security policies. Collavate’s dedicated security team actively scans for security threats using commercial and custom tools, penetration tests, quality assurance (QA) measures and software security reviews.


Within Collavate, members of the information security team review security plans for all networks, systems and services. They provide project-specific consulting services to Collavate’s product and engineering teams. They monitor for suspicious activity on Collavate’s networks, address information security threats, perform routine security evaluations and audits, and engage outside experts to conduct regular security assessments.


Dedicated privacy team

The Collavate privacy team operates separately from product development and security organizations, but participates in every Collavate product launch by reviewing design documentation and performing code reviews to ensure that privacy requirements are followed. They help release products that reflect strong privacy standards: transparent collection of user data and providing users and administrators with meaningful privacy configuration options, while continuing to be good stewards of any information stored on our platform. After products launch, the privacy team oversees automated processes that audit data traffic to verify appropriate data usage. In addition, the privacy team conducts research providing thought leadership on privacy best practices for our emerging technologies.


Internal audit team

Collavate has a dedicated internal audit team that reviews compliance with security laws and regulations around the world. As new auditing standards are created, the internal audit team determines what controls, processes, and systems are needed to meet them. This team facilitates and supports independent audits and assessments by third parties.

Physical & Environmental Security Policy

Physical Security Policy and Procedure Physical Security


If you’re not careful, people may steal your stuff. Always secure your laptop, important equipment, and your personal belongings, even while on Collavate’s premises. Always wear your badge visibly while on site. Don’t tamper with or disable security and safety devices. Watch people who “tailgate” behind you through our doors. If you don’t see a Collavate badge, please ask for it (and, as appropriate, direct the person to a receptionist for assistance). Promptly report any suspicious activity to Collavate Security.


Use of Collavate’s Equipment and Facilities

Anything you do using Collavate’s corporate electronic facilities (e.g., our computers, mobile devices, network, etc.) or store on our premises (e.g., letters, memos, and other documents) might be disclosed to people inside and outside the company. For example, Collavate may be required by law (e.g., in response to a subpoena or warrant) to monitor, access, and disclose the contents of corporate email, voicemail, computer files, and other materials on our electronic facilities or on our premises. In addition, the company may monitor, access, and disclose employee communications and other information on our corporate electronic facilities or on our premises where there is a business need to do so, such as protecting employees and users, maintaining the security of resources and property, or investigating suspected employee misconduct.


Employee Data

We collect and store personal information from employees around the world. Access this data only in line with local law and Collavate internal policies, and be sure to handle employee data in a manner that is consistent with Collavate’s Data Classification and Employment Data Guidelines and other Collavate policies.