Updated September 04, 2024
SUBJECT DATA – USAGE DETAIL INSTITUTIONAL CASH DISTRIBUTORS
This document details the types of personal data collected, processed and used by Institutional Cash Distributors, LLC, a U.S. broker-dealer registered with the SEC, member FINRA, Institutional Cash Distributors Limited, a UK broker-dealer authorised and regulated by the Financial Conduct Authority, ICD Europa – Empresa de Investimento, S.A., a Portugal broker-dealer regulated by Comissão do Mercado de Valores Mobiliários (CMVM), and Institutional Cash Distributors Technology, LLC, a Delaware limited liability company (collectively “ICD”, “we”, “us” or “our”), as ‘controllers’ and our third party vendors as ‘processors’ acting on our behalf and the purposes for which our processors use such personal data.
This document applies to both:
A. ICD contacts who are not ICD Portal or ICD Portfolio Analytics customers; and
B. ICD customers and/or ICD Portal and ICD Portfolio Analytics users
Please refer to our Privacy Notice for further details on our data processing activities such as when, how and why we collect personal data and also how we store, transfer and retain personal data, and also the that we take to protect personal data.
A. For ICD contacts who do not have a customer account / are not ICD Portal or ICD Portfolio Analytics users
Personal Data Collected In order to conduct business, ICD may obtain any combination of the following personal data:
- First and last name
- Email address
- Phone number(s)
- Country and time zone
- Fax number
- Full mailing address
- Personal data collected via cookies (which is generally limited, and includes personal data such as user device information and session tracking information. The cookies placed by our websites do not collect sensitive personal data)
- Click here to view details about the cookies we use.
Additionally, ICD representative sales personnel may obtain more unique data in order to personalize their service, including but not limited to:
- Date of birth
- Family relationships
- Business relationships
ICD utilizes Salesforce.com. Inc., as its cloud-based customer relationship management software, which may hold personal data described above (except for any data (including personal data) that has been collected via cookies).
ICD utilizes Amazon Web Services, Inc. for general file storage, in which case certain documents may include Personal Data.
ICD utilizes Whistleblower Software for website complaints submissions, which may be used anonymously by website users.
Personal Data – Systems Usage We do not sell personal data nor use the personal data that we collect for any purpose other than conducting our business, as further described in our Privacy Notice. The following systems utilized by ICD transmit and/or store personal data, and as explained in ICD’s Privacy Notice, a vendor assessment has been carried out in relation to these vendors:
Email service: ICD utilizes the following services for processing email messages to and from ICD:
- Microsoft O365
- SendGrid
- Pardot
Contacts of ICD who email ICD, or receive emails from ICD, will have their messages routed through these services. As part of ICD’s data privacy obligations, a vendor assessment has been conducted on these vendors regarding their data handling and data security practices.
Telecommunications service: Should you call ICD, the phone number you call from may be stored by ICD’s telecommunication service. The telecommunications services utilized by ICD are:
- Lumen
- Jive Communications
- Ring Central
- Vodafone
- Consensus
- Elite Group
- Softphone (UK calls recording)
As part of ICD’s data privacy obligations, a vendor assessment has been conducted on these vendors regarding their data obligations.
Mobile telephone service: Should you call or message an ICD mobile device, the mobile device will store your incoming data.
Recorded calls: Telephone calls with the ICD Trade Desk may be recorded to ensure accuracy of transaction processing, and/or for training purposes.
Communication and Account Archiving: As a regulated broker-dealer, the U.S. SEC and FINRA for Institutional Cash Distributors LLC, and the UK Financial Conduct Authority for Institutional Cash Distributors Ltd., and the Portuguese CMVM for ICD Europa – Empresa de Investimento SA, ICD must adhere to regulatory retention obligations. These include maintaining cloud-service archives of electronic communications (i.e. email), and hard-copy files of Account opening and maintenance documents. ICD utilizes the Smarsh, Inc. data service for its electronic communications archiving. Please contact compliance@icdportal.com (RGPD@icdportal.com for ICD Europa) should you have any questions regarding broker-dealer regulatory retention obligations.
B. For ICD customer account holders and/or ICD Portal and ICD Portfolio Analytics users
In relation to personal data of individuals who customers of ICD Portal or ICD Portfolio Analytics, ICD is both a ‘controller’ and ‘processor’, except where user access for ICD Portal and ICD Portfolio Analytics is managed by designated individuals in the customer organisation in which case the customer organisation will be the controller for such user data.(and ICD will be the processor).
Personal Data Collected In order to conduct business, ICD may obtain any combination of the following personal data:
- First and last name (required)
- Username and encrypted password (required)
- Email address (required)
- Phone number(s) (primary phone required)
- Country and time zone (required)
- Website user’s chosen security Question and Answer (required)
- Fax number (optional)
- Instant messaging address (optional)
- Full mailing address (optional)
- Credentials for third party systems (where applicable)
- 360T user identifier
- Clearwater user identifier and password
- Kyriba user identifier (for Single-SignOn)
- Personal data collected via cookies which is generally limited, and includes personal data such as user device information and session tracking information. The (cookies do not contain sensitive personal data)
- Click here to view details about the Cookies we use.
The data described above is required where specified to utilize ICD business services, specifically our website. This data, with the exception of personal data collected via cookies, may also be warehoused on ICD office sites as hard-copy files, in locked locations.
Additionally, ICD representative sales personnel may obtain more unique data in order to personalize their service, including but not limited to:
- Date of birth
- Family relationships
- Business relationships
ICD utilizes Salesforce.com Inc., as its cloud-based service customer relationship management software, which may hold subject data described above (except password and third-party access credential data, and any data (including personal data) that has been collected via cookies).
ICD utilizes Amazon Web Services, Inc. for general file storage, in which case certain documents may include Personal Data.
ICD utilizes Trademo for sanctions other global-list screening, in which case Personal Data may used.
ICD utilizes Whistleblower Software for website complaints submissions, which may be used anonymously by website users.
ICD Portal Mobile Application
ICD may also obtain the following data from users of the ICD Portal Mobile Application In addition to the data listed above:
- Device Type
- Device OS
- Device Token
- Device Notification Setting (specific to ICD Portal Application)
The data described above is required where specified to utilize mobile native notifications for the ICD Portal Mobile Application. Use of the Portal Mobile Application is not required for all ICD Portal users.
Personal Data – Systems Usage We do not sell personal data nor use the personal data that we collect for any purpose other than conducting our business, as further described in our Privacy Notice. The following systems utilized by ICD transmit and/or store personal data and, as explained in ICD’s Privacy Notice, a vendor assessment has been carried out in relation to these vendors.
ICD Portal Administration website database: ICD maintains a proprietary website and services, powered by various database servers. This Administration site may only be accessed by authorized ICD employees, which include the ICD Trade Desk and administrative staff. Only Trade Desk staff are authorized to make changes to the personal data stored on these database servers. Furthermore, this site may only be accessed within the secure ICD firewall system, either on-site at an approved ICD office, or remotely by secure VPN.
ICD Portal features and emissions: Personal data will appear in a variety of ICD Portal and ICD Portfolio Analytics features and file emissions including:
- ICD Portal and ICD Portfolio Analytics website banner (first name)
- ICD Portal and ICD Portfolio Analytics trade tickets and exports (name, primary phone of ticket creator)
- ICD Portal and ICD Portfolio Analytics trades and trade notifications (names of trade approvers)
- ICD Portal AutoPay and ICD Portfolio Analytics notifications (names of initiators/approvers/revokers)
- ICD Portal and ICD Portfolio Analytics integration files (names of trade approvers)
User Authentication: ICD stores ICD Portal and ICD Portfolio Analytics passwords securely in its Oracle database using state-of-the-art cryptographic methods. Passwords are not accessible to anyone but the users themselves. Security questions and answers are required in the ICD Portal and ICD Portfolio Analytics password setup process and may also be used by the ICD Trade Desk to verify identity for incoming phone calls.
Multi-factor Authentication: ICD utilizes a multi-factor authentication service from Okta, Inc. to enable our customer users secure use of ICD’s website. The ICD Portal and ICD Portfolio Analytics provides users’ email address and phone number data to Okta exclusively for the purpose of supporting multi-factor authentication.
Single Sign-On services: If an ICD Portal and ICD Portfolio Analytics user account is configured to support single sign-on to Clearwater Analytics, Reval, or 360T systems, ICD will submit user credentials to those systems in a secure manner when the SSO feature is invoked by a user.
Email service: ICD utilizes the following services for processing email messages to and from ICD:
- Microsoft O365
- SendGrid
- Pardot
Contacts of ICD who email ICD, or receive email from ICD, will have their messages routed through these services. Registered ICD Portal users will receive automated emails based on their established notification preferences. As part of ICD’s data privacy obligations, a vendor assessment has been conducted on these vendors regarding their data handling and data security practices.
Telecommunications service: Should you call ICD, the phone number you call from may be stored by ICD’s telecommunication service. The telecommunications services utilized by ICD are:
- Lumen
- Jive Communications
- Ring Central
- Vodafone
- Consensus
- Elite Group
As part of ICD’s data privacy obligations, a vendor assessment has been conducted on these vendors regarding their data obligations.
Mobile telephone service: Should you call or message an ICD mobile device, the mobile device will store your incoming data.
Recorded calls: Telephone calls with the ICD Trade Desk may be recorded to ensure accuracy of transaction processing, and/or for training purposes.
Communication and Account Archiving: As a regulated broker-dealer, the U.S. SEC and FINRA for Institutional Cash Distributors LLC, and the UK Financial Conduct Authority for Institutional Cash Distributors Ltd., ICD must adhere to regulatory retention obligations. These include maintaining cloud-service archives of electronic communications (i.e. email), and hard-copy files of Account opening and maintenance documents. ICD utilizes the Smarsh, Inc. data service for its electronic communications archiving. Please contact compliance@icdportal.com should you have any questions regarding broker-dealer regulatory retention obligations.