Updated November 15, 2023
SUBJECT DATA – USAGE DETAIL INSTITUTIONAL CASH DISTRIBUTORS LLC/Ltd
The intent of this document is to detail all possible subject data usage under the scope of international data regulations, including but not limited to General Data Protection Regulations (“GDPR”). This document shall be a component of ICD’s Privacy Policy, and shall be reviewed and updated no less than annually.
ICD Contact (non-customer / non-ICDPortal user)
Subject Data Collected In order to conduct business, ICD may obtain any combination of the following subject data:First and last name
- First and last name
- Email address
- Phone number(s)
- Country and time zone
- Fax number
- Full mailing address
- Cookies (cookies do not contain sensitive personal data)
Additionally, ICD Representative sales personnel may obtain more unique data in order to personalize their service, including but not limited to:
- Birthdate
- Family relationships
- Business relationships
ICD utilizes Salesforce.com, Inc., as its cloud service Customer Relationship Management software, which may hold subject data described above (excepting cookies data).
Subject Data – Systems Usage Subject Data are never sold, and are not used for any purpose other than conducting business with ICD. The following systems are utilized by ICD:
Email service: ICD utilized the following services for processing email messages to and from ICD:
- Microsoft O365
- SendGrid
- Pardot
- Barracuda Networks
Contacts of ICD who email ICD, or receive email from ICD, will have their messages routed through these services. Registered ICD Portal users will receive automated emails based on their established notification preferences. As part of ICD’s data privacy obligations, a vendor assessment has been conducted on these vendors regarding their data obligations.
Telecommunications service: Should you call ICD, the phone number you call from may be stored by ICD’s telecommunication service. The telecommunications services utilized by ICD are:
- Lumen
- Jive Communications
- Ring Central
- Vodafone
- Consensus
- Elite Group
As part of ICD’s data privacy obligations, a vendor assessment has been conducted on these vendors regarding their data obligations.
Mobile telephone service: Should you call or message an ICD mobile device; the mobile device will store your incoming data.
Recorded calls: Telephone calls with the ICD Trade Desk may be recorded to ensure accuracy of transaction processing, and/or for training purposes.
Communication and Account Archiving: As a regulated broker-dealer, the U.S. SEC and FINRA for ICD-LLC, and the UK Financial Conduct Authority for ICD-Ltd., ICD must adhere to regulatory retention obligations. These include maintaining cloud-service archives of electronic communications (i.e. email), and hard-copy files of Account opening and maintenance documents. ICD utilizes the Smarsh, Inc. data service for its electronic communications archiving
ICD Customer and/or ICDPortal user
ICD is both a Controller and Processor of data as defined in GDPR.
Subject Data Collected In order to conduct business, ICD may obtain any combination of the following subject data:
- First and last name (required)
- Username and encrypted password (required)
- Email address (required)
- Phone number(s) (primary phone required)
- Country and time zone (required)
- Website user’s chosen security Question and Answer (required)
- Fax number (optional)
- Instant messaging address (optional)
- Full mailing address (optional)
- Credentials for third party systems (where applicable)
- 360T user identifier
- Tradeweb user identifier
- Clearwater user identifier and password
- Cookies (cookies do not contain sensitive personal data)
The data described above is required where specified to utilize ICD business services, specifically its website. This data, with the exception of cookies, may also be warehoused on ICD office sites as hard-copy files, in locked locations.
Additionally, ICD Representative sales personnel may obtain more unique data in order to personalize their service, including but not limited to:
- Birthdate
- Family relationships
- Business relationships
ICD utilizes Salesforce.com, Inc., as its cloud service Customer Relationship Management software, which may hold subject data described above (excepting password, third-party access credential, and cookies data).
ICD Portal Mobile Application
ICD may also obtain the following data for users of the ICD Portal Mobile Application In addition to the data listed above:
- Device Type
- Device OS
- Device Token
- Device Notification Setting (specific to ICD Portal Application)
The data described above is required where specified to utilize mobile native notifications for the ICD Portal mobile application. Use of the Portal Mobile Application is not required for all ICDPortal users.
Subject Data – Systems Usage Subject Data are never sold, and are not used for any purpose other than conducting business with ICD. The following systems are utilized by ICD:
ICD Portal Administration website database: ICD maintains a proprietary website and services, powered by various database servers. This Administration site may only be accessed by authorized ICD employees, which include Trade Desk and administrative staff. Only Trade Desk staff are authorized to make changes to Subject Data. Furthermore, this site may only be accessed within the secure ICD firewall system, either on-site at an approved ICD office, or remotely by secure VPN.
ICD Portal features and emissions: Subject data will appear in a variety of ICD Portal features and file emissions including:
- ICD Portal website banner (first name)
- ICD Portal trade tickets and exports (name, primary phone of ticket creator)
- ICD Portal trades and trade notifications (names of trade approvers)
- ICD Portal AutoPay notifications (names of initiators/approvers/revokers)
- ICD Portal integration files (names of trade approvers)
User Authentication: ICD stores ICD Portal passwords securely in its Oracle database using state-of-the-art cryptographic methods. Passwords are not accessible to anyone but the users themselves. Security questions and answers are required in the ICD Portal password setup process and may also be used by the ICD Trade Desk to verify identity for incoming phone calls.
Multi-factor Authentication: ICD utilizes a multi-factor authentication service from Okta, Inc. to enable our customer users secure use of ICD’s website. The ICD Portal provides users’ email address and phone number data to Okta exclusively for the purpose of supporting multi-factor authentication.
Single Sign-On services: If an ICD Portal user account is configured to support single sign-on to Clearwater Analytics, Reval, or 360T systems, ICD will submit user credentials to those systems in a secure manner when the SSO feature is invoked by a user.
Email service: ICD utilized the following services for processing email messages to and from ICD:
- Microsoft O365
- SendGrid
- Pardot
- Barracuda Networks
Contacts of ICD who email ICD, or receive email from ICD, will have their messages routed through these services. Registered ICD Portal users will receive automated emails based on their established notification preferences. As part of ICD’s data privacy obligations, a vendor assessment has been conducted on these vendors regarding their data obligations.
Telecommunications service: Should you call ICD, the phone number you call from may be stored by ICD’s telecommunication service. The telecommunications services utilized by ICD are:
- Lumen
- Jive Communications
- Ring Central
- Vodafone
- Consensus
- Elite Group
As part of ICD’s data privacy obligations, a vendor assessment has been conducted on these vendors regarding their data obligations.
Mobile telephone service: Should you call or message an ICD mobile device, the mobile device will store your incoming data.
Recorded calls: Telephone calls with the ICD Trade Desk may be recorded to ensure accuracy of transaction processing, and/or for training purposes.
Communication and Account Archiving: As a regulated broker-dealer, the U.S. SEC and FINRA for ICD-LLC, and the UK Financial Conduct Authority for ICD-Ltd., ICD must adhere to regulatory retention obligations. These include maintaining cloud-service archives of electronic communications (i.e. email), and hard-copy files of Account opening and maintenance documents. ICD utilizes the Smarsh, Inc. data service for its electronic communications archiving
As part of ICD’s data privacy obligations, a vendor assessment has been conducted on these vendors regarding their data obligations. Please contact compliance@icdportal.com should you have any questions regarding broker-dealer regulatory retention obligations.