Company setup
The app receives a company identifier, display name, branding, server address, support details, and enabled capability flags.
This page explains common data flows. The Privacy Policy and the agreement with each customer govern if there is a conflict.
The app receives a company identifier, display name, branding, server address, support details, and enabled capability flags.
The platform processes identity and session information needed to authenticate the user. Passwords and OTP values must never be stored in analytics or ordinary audit text.
The app can display company supplied identity attributes and can submit approved changes. The company controls which fields are editable.
When enabled, MYID processes incident details associated with the signed in user, the user response, timing, and configured provider result.
Audit records can include actor, tenant, action, time, service, reason, method, outcome, duration, correlation, and safely captured request or response evidence.
Mobile measurements can include operation category, duration, status, app build, platform, frame timing, and jank. They exclude credentials, request bodies, and user entered values.
For most company deployments, the employer or customer decides why and how employee identity data is used. That organization is commonly the controller or business owner. Software Productivity Strategists, Inc. operates MYID as a service provider or processor under the customer’s instructions and applicable agreement.
Requests about company identity records may need to be handled by the employer because MYID cannot independently decide to change or delete a customer controlled directory record.
MYID can store company configuration, protected session state, capability information, recent summary data, freshness timestamps, and a scoped profile image cache on the device. Platform secure storage and operating system protections are used where supported.
Biometric checks are performed by the operating system. MYID does not receive or store the user’s face, fingerprint template, or biometric measurement from Face ID, Touch ID, or the Android biometric service.
A profile image can be cached locally after a successful download so the main screen does not fetch it every time. A background process can refresh the image separately from the main security sync. If the customer enables profile image writeback, the chosen image can be sent to the configured directory or identity provider.
MYID uses the W7 model to record Who, What, When, Where, Why, How, and Outcome. The audit record must state whether a body was fully observed, partly observed, summarized, or unavailable. Passwords, OTP values, access tokens, refresh tokens, cookies, API keys, client secrets, private keys, and similar authentication material are redacted.
Exact byte length and integrity data are recorded only when the complete bytes were observed. This avoids a false claim that a request or response was captured when the connector or transport did not make that possible.
The public website uses optional first party analytics after consent. It can record a random pseudonymous visitor identifier, session identifier, visit time, page path, referring site without its query string, approved campaign fields, device category, browser family, operating system family, full browser user agent, general screen size, engagement, approximate location when supplied by the host, clicked link text, and destination without its query string.
The website removes query strings from stored page and link addresses and stores a protected pseudonymous value instead of a raw network address for new events. It does not use advertising trackers. Choose Necessary only in the analytics notice or reopen Cookie choices in the footer at any time.
Data can be shared with the customer, the providers the customer configures, and service providers required to operate the selected deployment. The actual set varies by customer. Review the Subprocessor Notice and the customer agreement for the applicable list.
Customer platform retention is set by contract, configuration, legal need, and provider behavior. Website analytics are generally retained for about 395 days unless a shorter operational setting applies. Periodic cleanup triggered by eligible analytics traffic and operational delay can affect the exact deletion time. Contact form and support records are kept as needed to answer the request, preserve business records, protect security, and meet legal obligations.
Use the Privacy Request page for access, correction, deletion, restriction, or appeal requests. Use the Account Deletion page for mobile and customer account guidance.