> I read their Privacy Policy. They are quite explicit about what they plan to do to you.

OK, well, I've skimmed it and I can't see anything that suggests they are going to spy on our employees and sell the data to advertisers. I hate to drop it back on you, but which passages make you think they do that? These things do often sound terrifying because things like "I'm going to use Google Analytics to see which parts of the product people aren't using so we can email them reminders" get turned into passages like "We will upload all your activity to a third-party advertising company for marketing purposes".

> I have worked with computer security at an advanced level ... A hostile agent would decrease the security on my network. That was my first thought when I got that awful email.

I believe you! 100%! But you are unusual, and without verification a control such as "All laptops should have screens that lock after 5 minutes" won't be followed by everyone. NOT EVEN CLOSE to everyone.

> Also, I don't get why they need such a thing on my PC. I don't have credentials to production systems or production data. I am a software developer. I work with code and documentation. That's it.

Sure. Another commenter in the thread has said that because of that this isn't strictly required for SOC2. I'm sure they're right, but I'm not sure I want anyone working on our codebase at all who doesn't have basic security settings set on their laptop (again, I know YOU do :) ).

Back to the using-your-own-computer thing again - this is why I think lots of companies say "You use our hardware for all company work, but IF you really really want to do BYOD then you have to accept some of these agents". Not sure if that's the attitude at your firm, but that seems reasonable.
"We, our service providers and our third-party advertising partners may collect and use your personal information for marketing and advertising purposes: ... Interest-based advertising. ... We may also share information about our users with these companies to facilitate interest-based advertising ... We may create anonymous, aggregated or de-identified data from your personal information and other individuals whose personal information we collect ... and share it with third parties for our lawful business purposes"
Such "de-identified data" is often trivial to re-identify. There are research papers about that. It's well known in the security and privacy community.
Also, they use dark anti-patterns for opting out from them even using your personal data for their own advertising. "You may opt out of marketing-related emails by following the opt-out or unsubscribe instructions at the bottom of the email, or by contacting us at ..."
If Drata intended to be a nice, trustworthy security partner, use of any personal data for targeted marketing, or sale of any personal information, would be opt in, not "opt out if you can figure out how ...".
I have not read their terms and conditions or even their glossy information about the agent. I never got that far, as I declined to accept the terms and conditions for using their website. Already at that point, I saw red flags the size of Australia.
I don't believe for one second that Drata has any intention of showing any decency or that they act in good faith towards their customers or anyone else. If they did, they would have developed reasonable terms and conditions. What they have doesn't even distinguish clearly between the roles of a customer and an employee or contractor for their customers. Hell, they don't even define the term "Customer".