Akamai Privacy Program and Certified Practices

Privacy Program: Akamai has implemented a privacy program for its Identity Cloud Services as a framework to help us maintain compliance with the laws applicable to our business and to meet our privacy-related contractual commitments. The program is also aimed at building and retaining the trust of our customers, website users, employees, and partners based on respect for their privacy concerns and our protection of information with reasonable security safeguards.

Contractual Protections: Our contracts include confidentiality provisions that prohibit us from disclosing customer confidential information, including customer data, except under certain circumstances, such as when required by law. We also agree to restrict our access to customer data to the extent necessary to provide our services and in connection with a customer support issue or where required by law. We require all of our employees and contractors to sign confidentiality agreements to protect customer information, including hosted personal data.

Privacy Statement: Our Akamai Privacy Statement describes our practices regarding the personal information we process when providing our Identity Cloud services to our customers. The statement also describes — under the heading "Operation of our Business" — our role and practices in connection with personal information we may host on behalf of our customers.

Privacy Shield: Akamai participates in the EU-US Privacy Shield Framework regarding the collection, use, and retention of personal data from European Union member countries. We have certified with the U.S. Department of Commerce that we adhere to the Privacy Shield Principles. The Privacy Shield Principles are published on the Privacy Shield Framework website.

People

Akamai’s Global Data Protection Office is responsible for Akamai’s privacy program, including compliance with applicable privacy and data-protection laws. Akamai’s Information Security team is responsible for service-related security matters, certifications, and Akamai’s ISO 27001:2013-based Identity Cloud information security program. Additionally, all Akamai personnel are required to follow Akamai’s confidentiality, privacy, and information security policies.

Training and Awareness

Akamai provides training on confidentiality, privacy, and information security for all new employees as part of new-hire onboarding. We communicate with all personnel about privacy and information security awareness through regular newsletters. We also address privacy topics of interest to our customers in company blog posts and special customer communications.

Compliance-Facilitating Technology

Individuals may submit personal data to our customers through the use of the website registration and login services we provide. This personal data is submitted with notice to, and the consent of, the individual user via identity providers’ permission screens, or voluntarily provided by the user at registration. In addition, email opt-out/opt-in options are configurable as part of our user registration flows.

FICAM: Akamai leverages identity providers (IdPs) that support the OpenID Provider Authentication Policy Extension (PAPE) to offer turnkey authentication that is compliant with the Federal Identity, Credential, and Access Management (FICAM) framework of the Federal Chief Information Officers Council.

  • Supported IdPs: Google, PayPal, and Verisign
  • When FICAM support is requested by a website at user login, all API calls to IdPs request that FICAM policies are applied to the authentication and returned user data
  • User data can be filtered to remove personally identifiable information stored in the user’s social or commerce identity before completing the authentication transaction

HIPAA: Authentication with IdPs that support PAPE and FICAM also acts as an enabling technology for compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), because the same filtering removes personally identifiable information (PII) from the returned profile as described above. OAuth 2.0 scopes further protect PII by restricting the data fields a client application may read to those the user has authorized. Data is encrypted in transit, and customers may order encryption of data at rest. These controls support HIPAA compliance; they do not by themselves establish it, which remains the customer's responsibility.
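The two controls described above (filtering PII out of the IdP profile before the login completes, and limiting released fields to what the granted OAuth 2.0 scopes cover) can be combined in one post-authentication step. The following is an added illustration, not Akamai Identity Cloud code: the scope-to-field mapping is modelled on OpenID Connect standard claims, the list of direct identifiers, the site identifier and the HMAC key are assumptions, and the sample profile is constructed. When a site asks for a PII-filtered login, the IdP subject is also replaced with a per-site pseudonymous value so that two customer sites cannot correlate the same user through the raw IdP identifier.

```python
import hashlib
import hmac
import json

# Scope-to-field mapping (assumption; modelled on OpenID Connect standard
# claims, not on any IdP's or Akamai's actual schema).
SCOPE_FIELDS = {
    "openid": {"sub"},
    "email": {"email", "email_verified"},
    "profile": {"name", "given_name", "family_name", "picture", "birthdate"},
    "phone": {"phone_number"},
    "address": {"address"},
}

# Fields treated as direct identifiers and dropped when the site requests a
# PII-filtered (FICAM/HIPAA-style) login. Assumption for this example.
DIRECT_IDENTIFIERS = {
    "email", "name", "given_name", "family_name", "picture",
    "birthdate", "phone_number", "address",
}


def pairwise_subject(idp_subject: str, site_id: str, key: bytes) -> str:
    """Derive a per-site pseudonymous identifier from the IdP subject.

    HMAC keyed with a secret held by the identity service: stable for one
    site, different across sites, and not reversible to the IdP subject.
    """
    msg = f"{site_id}\x00{idp_subject}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def filter_profile(profile: dict, granted_scopes, site_id: str,
                   key: bytes, strip_pii: bool = False) -> dict:
    """Return only the fields the granted scopes permit, optionally with
    direct identifiers removed and the subject pseudonymised."""
    allowed = set()
    for scope in granted_scopes:
        allowed |= SCOPE_FIELDS.get(scope, set())  # unknown scopes grant nothing
    out = {k: v for k, v in profile.items() if k in allowed}
    if strip_pii:
        for field in DIRECT_IDENTIFIERS:
            out.pop(field, None)
        if "sub" in out:
            out["sub"] = pairwise_subject(out["sub"], site_id, key)
    return out


# Constructed sample profile, as an IdP might return it after login.
SAMPLE_PROFILE = {
    "sub": "10769150350006150715113082367",
    "name": "A. Example",
    "given_name": "A.",
    "family_name": "Example",
    "email": "a.example@example.com",
    "email_verified": True,
    "picture": "https://example.com/photo.jpg",
    "phone_number": "+1-555-0100",
    "birthdate": "1990-01-01",
    "locale": "en",          # not covered by any scope above, always dropped
}

SAMPLE_KEY = b"example-only-key"  # assumption; a real deployment uses a managed secret


if __name__ == "__main__":
    # Ordinary login: scopes decide what the site sees.
    print(json.dumps(filter_profile(SAMPLE_PROFILE, ["openid", "email"],
                                    "site-a", SAMPLE_KEY), indent=2))
    # PII-filtered login: identifiers removed, subject pseudonymised per site.
    print(json.dumps(filter_profile(SAMPLE_PROFILE, ["openid", "email", "profile"],
                                    "site-a", SAMPLE_KEY, strip_pii=True), indent=2))
```

Scopes are applied first, so a field the user never authorized is dropped regardless of whether it is on the identifier list; the identifier filter then removes what the scopes would otherwise have released.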

COPPA: To facilitate COPPA compliance by a customer, Akamai offers a specialized version of its registration solution for child registration, which includes a workflow that eliminates the collection of personally identifiable information for users under 13 years of age.