Legal & Privacy
Guidelines for legal requests for information
1. Introduction
Devolutions provides privileged access management, password management and remote connection management software for organizations and individuals.
These guidelines (the “Guidelines”) provide information to law enforcement officials wishing to request customer information or customer content data from Devolutions in the context of investigations or enforcement of applicable laws. Our Customers and Users may also find this document relevant to understand what information we share with law enforcement and under what circumstances when we receive such legal requests.
For first-party requests (i.e. if you are seeking your own information), please consult our Privacy Policy for more information about your right of access.
In the context of these Guidelines:
- “Customer” refers to an organization or individual purchasing a software license from Devolutions or subscribing to a Software-as-a-Service offered by Devolutions.
- “Customer Data” refers to the content data that a Customer or its Users may store with Remote Desktop Manager or Devolutions Server on their local systems or in our cloud-based services such as Devolutions Password Hub, Devolutions Account and RDM Online Services.
- “User” refers to an individual who is duly authorized by a Customer to install, use or access our software products and services.
We may from time to time change our practices for responding to legal requests for information, in which case these Guidelines will be updated.
2. Basic principles
Devolutions recognizes the importance of helping law enforcement serve their legitimate interest in protecting the public, while also being committed to protecting the privacy rights of its Customers and Users, and of anyone else who entrusts us with their personal information.
Having to balance and deal with these often competing interests is not always easy. This is why hope that these Guidelines will help to set expectations on both sides, as well as to add transparency to our internal processes when we receive legal requests for information from law enforcement.
Below are the basic principles that Devolutions will apply when responding to such legal requests:
Legal requirement
When the legal request concerns identifiable non-public information, we will not share this information unless we obtain the prior written consent of the affected individuals or entities, or unless we reasonably believe that we are legally required to do so under the laws that apply to us. In all cases we reserve the right to object to any requests for non-public information, especially where production is prohibited by privacy laws or where the process served is insufficient to compel production of the requested data.
Jurisdiction and authority
We will generally refuse to disclose non-public information if the legal request or court order is issued by a requesting body that lacks jurisdiction over Devolutions, or that does not have the legal authority to issue and to enforce the relevant request, subpoena, or court order.
Notification to affected persons
We will notify affected individuals and entities before we produce information about them, and provide them with an opportunity to object to the disclosure 7-10 days prior to production, unless we are legally prohibited from doing so. We may shorten the notice period in our discretion, but we generally only do so in emergency situations. Public authority or law enforcement officials who believe that such notification would jeopardize an investigation should obtain an appropriate court order or other process that specifically prohibits such notification, and should specifically mention this requirement in their request.
Minimum information
We will only provide information directly related to the activity addressed in the request and we will limit the information that we disclose to the minimum that is necessary to satisfy the legally enforceable request. We will seek to limit or object to requests that are overbroad or seek a large amount of information or affect a large number of Customers or Users.
3. How to submit a legal request for information
Legal requests for information must be made by completing this form.
It is important that you fill in all required fields in our form with detailed information and provide all relevant supporting legal documents (such as a subpoena, court order, or a warrant) when submitting a legal request. An incomplete form or the lack of supporting documents may delay or prevent the processing of your request.
You will need to fill in the following required fields to submit your request:
- Your official email address and contact phone number;
- Your name and badge/ID;
- The nature of your request (by selecting the most relevant category from the list provided in the form);
- The subject of the request (for example a domain address, an email, a business name or an individual’s name);
- The specific description of the information that is needed;
- Name or title of the authority issuing the request (for example, the court that issued the subpoena or government agency that authorized the request);
- Jurisdiction of the requesting body;
- The date by which the legal process requests a response from us;
- If the request must be kept confidential (in which case the court or administrative order that is uploaded must include a disclosure prohibition or the statute, law, or regulation that prohibits disclosure must be properly identified);
- If it is an emergency request (in which case additional questions will need to be answered to help us evaluate such emergency).
We cannot guarantee any specific response time (even in the case of an emergency request), although we will use commercially reasonable efforts to respond to your request as quickly as possible.
Devolutions reserves the right to seek reimbursement for the costs associated with responding to public authority or law enforcement data requests, where appropriate.
4. Jurisdiction and requests from foreign law enforcement
Canadian government requests
As a Canadian entity, Devolutions may provide information it holds in response to an order issued by a Canadian court or a warrant issued by a Canadian authority, to the extent that all legal requirements are met.
Non-Canadian government requests
Devolutions is not legally required to provide data to foreign governments in response to legal process issued by foreign authorities. Foreign law enforcement officials wishing to request information from Devolutions should contact the appropriate Canadian public authorities, and Devolutions will promptly respond to requests that are issued via Canadian public authorities or Canadian courts by way of a mutual legal assistance treaty (“MLAT”) or letter rogatory.
5. Data preservation requests
We will take steps to preserve requested information for up to 90 days upon formal request from law enforcement in connection with official criminal investigations, and pending the issuance of a court order or other process. Preservation requests must meet all the relevant requirements applicable to legal requests for information mentioned above, and must specify the particular information to be preserved. A request to extend the preservation for an additional 90 days may be submitted to Devolutions by law enforcement before the expiry of the first 90 days period.
6. Emergency requests
Devolutions evaluates emergency requests on a case-by-case basis. If you provide information that gives us a good faith belief that there is an emergency involving imminent danger of death or serious physical injury to any person, we may provide information necessary to prevent that harm if we are in a position to do so, consistent with applicable law and at our sole discretion. Emergency requests must be submitted by filling out the appropriate sections of our form.
7. Types of data that Devolutions may have
The data that we hold on Customers or Users will depend on the Devolutions products or services that they use, the types of interactions that they have with us, and our data retention policies.
When the legal request concerns Customer Data, we will instruct the requestor to obtain that information directly from our Customer, who is the controller of that data, and also because we generally do not have access to Customer Data, as is it whether stored locally on Customer’s or User’s systems or encrypted client-side, depending on the product or service involved.
Categories of data that may be available for law enforcement:
- Basic Customer or User account information such as email address, name, phone number, organization, billing contact information and/or transactional records;
- Other User account information such as username, User groups, URL, account creation date, date that User last accessed its account, IP addresses associated with log-ins to a User account, administration and server logs;
- Content of written communications between Customers / Users and Devolutions, including through our sales and customer support channels and our online forum.
Last update : December 20, 2022