Privacy Policy Annex

Annexes (Feature-Specific Schedules)

This Section 16 provides feature-specific descriptions of how Junify processes personal data for particular product capabilities.

It should be read together with the main body of this Privacy Policy, in particular:

  • Section 5 (Data Categories), and
  • Section 6 (Purposes of Processing).

Information about Junify's own third-party processors (sub-processors) is not repeated in these Annexes. Junify maintains a separate, standalone Sub-Processor List, which describes:

  • the third-party service providers we use as processors,
  • the types of services they provide,
  • the categories of personal data they may process, and
  • their locations and applicable transfer safeguards.
Design Principles and Common Template

Each feature-specific Annex follows a common structure and covers at least the following items:

  1. Feature Overview

    A high-level description of the feature, its purpose, typical users and usage scenarios.

  2. Who Enables It

    Who can enable or configure the feature (e.g. Customer Admin, End User, system default), and the default state (ON / OFF).

  3. Data Collected / Processed

    The categories of personal data processed by the feature, mapped to the data categories described in Section 5, with representative examples.

  4. Purposes of Processing

    The purposes for which the feature processes personal data, mapped to the purpose categories in Section 6 (for example, service provision, security, compliance).

  5. Third-Party Services and Integrations (Customer-Controlled)

    Where relevant, a description of third-party systems that the Customer chooses to integrate with Junify in connection with the feature (for example, IdPs, email providers or endpoint management tools). These entities usually act as independent controllers under the Customer's control.

    Junify's own processors are described only in the separate Sub-Processor List, not in these Annexes.

  6. Retention

    A high-level description of how long different categories of data (such as content, logs and metadata) are retained in connection with the feature.

  7. Admin & User Controls

    The configuration options and controls available to Customer Admins and End Users (such as enable/disable, scope settings, role-based access, opt-out mechanisms).

  8. What We Do Not Collect or Do

    Negative assurances that clarify what the feature does not collect or do, to avoid misunderstandings and to show that the feature is not designed for excessive or invasive monitoring.

Annex A: Identity & Authentication

This Annex describes processing related to the identity and authentication features provided by Junify. Junify offers two broad types of authentication functionality:

  1. authentication that allows End Users to sign in to Junify itself (Junify Authentication); and
  2. single sign-on that allows End Users to sign in to other applications through Junify (SSO).
A.1 Feature overview

Junify Authentication

  1. QR code based sign-in instead of passwords

    Junify Authentication uses a QR code based sign-in flow. Junify does not require or store a traditional password for this authentication method.

    The user scans a QR code presented in the Junify interface using the Junify mobile application installed on the user's smartphone. The Junify mobile application functions as a key, and the server stores identifiers that uniquely associate the Junify application on a device with the corresponding Junify account.

  2. Use of the Junify mobile application, device passcode, and biometric authentication

    When a user opens the Junify mobile application, the smartphone may require biometric verification or a device passcode, as configured on that device.

    The passcode used to unlock the Junify mobile application is stored on the device and is not transmitted to Junify's servers.

    When the smartphone's built-in biometric functions are used, such as fingerprint or face recognition provided by the operating system, biometric templates and similar data remain on the device and are not transmitted to Junify.

  3. Optional Junify provided facial recognition

    In addition to the smartphone's own biometric functions, Junify may offer an optional facial recognition feature that Junify itself provides. This feature is distinct from the operating system level biometric functions.

    Where this Junify provided facial recognition feature is enabled, biometric templates or similar personal data are stored on Junify's servers and used to verify the user's identity when the user attempts to authenticate.

    This feature is available only where a Customer's Admin has explicitly chosen to enable it and, where required, has ensured that appropriate notices and consents for biometric processing have been provided under Applicable Data Protection Laws.

  4. Limited email based verification

    Where an email address is registered for an account, Junify may provide limited email based verification or step up authentication. For example, Junify may send a one time link or code to the registered email address to confirm that the person attempting to sign in has access to that email account. This is used as a supplementary control and does not replace Junify's primary QR code based authentication flow.

  5. Use of a Customer's external identity provider for Junify Authentication

    Where a Customer configures Junify to trust an external identity provider that the Customer controls, Junify can act as a service provider and accept single sign on initiated by that external identity provider. In this case, Junify relies on identity assertions from the Customer's identity provider to authenticate the user to Junify, subject to the Customer's configuration.

    This capability is available only where a Customer's Admin has expressly enabled and configured the connection to the external identity provider.

SSO

  1. Junify as an identity provider for other applications

    In the SSO mode, Junify can act as an identity provider for other applications. Junify may store authentication credentials for connected applications or use federated identity protocols to authenticate on behalf of the user.

    Junify can act as a SAML identity provider or use similar protocols to issue assertions or tokens that allow End Users to sign in to applications that trust Junify.

  2. Junify as a second factor authenticator

    Junify can act as a second factor authenticator for connected services. For example, Junify may generate or validate one time passcodes, text or similar second factor credentials used together with a primary factor such as a password.

  3. Credential storage and use on the user's behalf

    For some applications, Junify may store credentials or secrets and then use those credentials on the End User's behalf when performing SSO. Depending on the Customer's configuration, these credentials may either be stored individually for each End User or be defined and managed centrally by the Customer's Admin as organization-managed credentials that remain under the organization's control, are not visible to End Users, and can be assigned by the Admin to specific users, groups, or the entire organization.

A.2 Who enables it

Junify Authentication

  1. QR code based Junify Authentication

    QR code based Junify Authentication is a core element of the Service and is available by default. It can be used when an End User installs the Junify mobile application and is enrolled in Junify by their organization.

  2. Biometric and passcode protection in the Junify mobile application

    Biometric and passcode protection within the Junify mobile application can be enabled by the End User on their device.

    A Customer's Admin may enforce that the Junify mobile application can be unlocked only with a passcode, device level biometric authentication, the Junify provided facial recognition feature where available, or a combination of these methods, in accordance with the organization's security policy.

  3. Use of a Customer's external identity provider for Junify Authentication

    Use of a Customer's external identity provider to authenticate to Junify is enabled and configured by the Customer's Admin. Admins decide which identity provider to use, which attributes to release to Junify, and which users or groups may authenticate to Junify in this way.

SSO

  1. User managed credentials

    Where credentials for connected applications are managed by individual End Users, SSO is activated when the End User chooses to store and manage those credentials in Junify, within the permissions and policies defined by the Customer.

    In this model, the End User may, for example, register a username and password for a specific application inside Junify so that Junify can perform sign in on their behalf.

  2. Organization managed credentials

    Where credentials are managed centrally by the Customer, SSO is enabled when the Customer's Admin configures the relevant connections and credentials in Junify.

    Admins may, for example, configure a SAML integration, OpenID Connect integration, or shared credentials for certain applications, assign those applications to specific users or groups, and define any conditional access settings that apply.

A.3 Data collected and processed

This section describes, at a high level, the categories of data that may be processed when Junify Authentication or SSO are used. These data are processed as part of the Service Data described in the Privacy Policy and fall into the following categories:

  1. Account Information;
  2. Third Party App or Integration Data;
  3. Device and Technical Information; and
  4. Usage Information.

Junify Authentication

  1. Account Information

    For Junify Authentication, we may process:

    1. the End User's name and business email address;
    2. organization details and role information associated with the Junify account;
    3. account identifiers that link the user to the Junify mobile application and authentication keys.

  2. Third Party App or Integration Data

    Where a Customer's external identity provider is used for Junify Authentication, we receive identity attributes from that provider, as configured by the Customer's Admin. These attributes may include:

    1. identifiers such as name, email, username or subject identifier;
    2. group membership, department, or role;
    3. other claims that the Admin has chosen to release.

    These attributes are treated as Third Party App or Integration Data and, in some cases, also as Account Information.

  3. Device and Technical Information

    For device and technical information, we may collect minimum necessary information about the smartphone or device used with the Junify mobile application, such as:

    1. device type and operating system version;
    2. application version and configuration;
    3. IP address and related network information;
    4. device identifiers needed to link the Junify mobile application to the user's account.

    Where an Admin enables risk based or context aware authentication, we may also process additional information such as approximate location derived from network information, time of access, device posture, or other contextual signals in order to help determine whether an authentication attempt appears consistent with the Customer's policies.

  4. Usage Information

    For usage information, we log:

    1. Junify Authentication events, including successful and unsuccessful attempts;
    2. timestamps, session identifiers, and related security events;
    3. information about the authentication method used, for example QR code, email based step up, external identity provider, or Junify provided facial recognition where enabled.

    Authentication logs are used for security monitoring, auditing, and troubleshooting as described in the Privacy Policy.

  5. Biometric and passcode data

    The passcode used to unlock the Junify mobile application is stored on the device and is not transmitted to the Junify server.

    When device level biometric functions provided by the smartphone operating system are used, biometric templates and similar data remain on the device and are not transmitted to the Junify server.

    Where the optional Junify provided facial recognition feature is enabled, biometric templates or similar data are stored and processed by Junify solely for the purpose of verifying the user's identity and only under the Customer's configuration and Applicable Data Protection Laws.

SSO

  1. Account Information

    For SSO, we may process identifiers and account related information needed to link a user's Junify account to connected applications and represent the user to those applications, for example:

    1. user IDs and usernames for connected applications;
    2. group or role assignments used to determine access;
    3. mappings between Junify accounts and identities in third party services.

  2. Third Party App or Integration Data

    For SSO, we process information exchanged with connected applications and services, including:

    1. identity assertions, tokens, or similar protocol messages used in SAML, OpenID Connect, or other identity protocols;
    2. attributes defined by the Customer's configuration and required by the connected application, for example group information or roles;
    3. indicators of successful or failed sign in events received from applications where such feedback is available.

  3. Device and Technical Information

    To evaluate whether an SSO attempt meets the Customer's configured conditions, Junify may process:

    1. IP address and location;
    2. browser type and version;
    3. operating system details and device identifiers;

    This information is used, for example, to enforce policies that restrict access by location, network, device type, or similar conditions.

  4. Usage Information

    For SSO, we log:

    1. SSO events, including which connected applications are accessed and when;
    2. whether SSO attempts are successful or unsuccessful;
    3. second factor events, for example where Junify acts as a second factor authenticator or sends an SMS code;
    4. session related information such as session identifiers and termination events.

    These logs form part of the audit trail and are used for security monitoring and troubleshooting.

Authentication logs

Both Junify Authentication and SSO generate authentication logs and related Usage Information. These logs are stored and retained for the periods described in Section A.6 of this Annex and in the Retention section of the Privacy Policy.

A.4 Purposes of processing

We process the data described in this Annex in order to:

  1. authenticate users and manage sessions for Junify Authentication and SSO;
  2. enforce access controls, security policies, and conditional access rules defined by the Customer;
  3. support single sign on and identity federation with external identity providers and with connected applications;
  4. log and monitor authentication activity for security, auditing, and troubleshooting.

These purposes are consistent with the high level purposes of processing described in the Privacy Policy.

A.5 Third party services and integrations

We may rely on third party services in connection with identity and authentication, including:

  1. cloud identity and directory services;
  2. logging and monitoring tools;
  3. SMS delivery providers for second factor authentication where configured.

Where an external identity provider owned or operated by the Customer is used, such as a corporate identity platform, that provider acts as an independent controller for its own authentication processes and the personal data it processes. Junify receives only the attributes and assertions that the Customer has configured the identity provider to release and processes them in accordance with the Customer's instructions.

A.6 Retention
  1. Authentication logs and related metadata for Junify Authentication and SSO are retained for a limited period necessary for security, auditing, and troubleshooting. After that period, the data are deleted or de identified, in line with the Retention section of the Privacy Policy.
  2. Account level identifiers and configuration records for identity and authentication features are retained while the relevant account or configuration remains active and for a reasonable period thereafter, as described in Section 11 of the Privacy Policy.
A.7 Admin and user controls

Junify Authentication controls

  1. Admins can:
    1. require that the Junify mobile application be protected by a passcode, device level biometric authentication, the Junify provided facial recognition feature where available, or a combination of these methods, in accordance with organizational security policies;
    2. configure and manage connections between Junify and a Customer's external identity provider for Junify Authentication, including attribute release and user assignment;
    3. provision, suspend, and delete Junify accounts for End Users, including revoking or resetting links between accounts and specific devices or Junify mobile applications;
    4. monitor Junify Authentication activity through logs and dashboards and respond to suspicious events, for example by forcing re authentication or revoking sessions.
  2. End Users can:
    1. install and enroll the Junify mobile application on their devices as permitted by their organization;
    2. enable additional local protections such as device passcodes or biometrics where permitted by Admin policies;
    3. use QR code based authentication and any Admin configured step up methods when signing in to Junify.

SSO controls

  1. Admins can:
    1. define which connected applications are available through SSO and assign them to specific users or groups;
    2. decide whether End Users may manage their own credentials for certain applications or whether credentials are managed centrally by the organization;
    3. configure access time and risk based conditions for SSO, such as restrictions based on network, device posture, time of day, location, or requirement for second factor authentication;
    4. manage SSO sessions after authentication, including defining session lifetime and terminating sessions or revoking tokens in response to risk events;
    5. manage End User accounts and entitlements for SSO, such as provisioning and deprovisioning access to connected applications;
    6. monitor authentication and SSO activity, including second factor usage, through logs and reports and investigate suspicious or non compliant access.
  2. End Users can:
    1. use Junify to authenticate to connected applications in accordance with the Customer's configuration;
    2. where permitted by the Admin, store and manage their own credentials for certain applications within Junify;
    3. complete any second factor authentication steps required by the Customer's policies when using SSO.
A.8 What we do not collect or do

Junify does not use authentication data, for example login history, for advertising or third party marketing.

Annex B: Content Analysis & Automation (Server-Side)

B-1. Feature Overview

This Annex describes Junify features that perform server-side content analysis and automation, including:

  • Processing of PDF, CSV and similar files (for example, invoice processing, bulk member provisioning).
  • Monitoring emails for defined, limited purposes (for example, Shadow IT detection, detection of password reset emails).

The primary goal of these features is to automate manual tasks, improve visibility into SaaS usage and support security and compliance.

B-2. Who Enables It
  • The Customer Admin configures and enables:
    • Which mailboxes, folders, domains or addresses are in scope for monitoring.
    • Whether users may upload PDF / CSV files for analysis and, if so, how.

End Users typically use these features (for example by uploading files or triggering analyses) within the parameters defined by the Admin.

B-3. Data Collected / Processed

In connection with Content Analysis & Automation, Junify may process:

  • Content You Provide (Customer Content)
    • PDF, CSV and similar files explicitly uploaded to Junify.
    • Email content (headers, subject, body and attachments) that is forwarded or delivered to Junify via routing rules or APIs, within the scope defined by the Customer Admin.
  • Usage Information
    • Execution history of analysis jobs (job identifiers, timestamps, status, error codes).
    • Operational metadata used for troubleshooting and monitoring.
  • Admin-Authorized Data
    • Content and metadata from specific mailboxes, folders or domains that the Admin has configured as in scope.
  • Device & Technical Information
    • Technical information such as sending IP addresses or mail server identifiers, where made available by the email infrastructure.
B-4. Purposes of Processing

Junify uses this data to:

  • Perform automated tasks such as invoice parsing, detection of new SaaS registrations and detection of password reset emails.
  • Generate notifications, alerts and reports for Customer Admins.
  • Support the Customer's security, compliance and audit requirements.
B-5. Third-Party Services and Integrations

Content Analysis & Automation may interact with third-party services chosen and managed by the Customer, such as:

  • Email hosting services and security gateways.
  • APIs of applications that Customer uses.

These services typically operate under the Customer's control and act as independent controllers.

This Annex focuses on how Junify processes personal data once the relevant content has been provided to Junify or when Junify sends outputs back to such systems.

B-6. Retention
  • Analysed content (for example, PDFs, CSVs, email bodies):
    • Retained only for as long as necessary to perform the analysis and deliver the results, and then deleted within a short and defined retention window, where technically feasible.
    • Where supported, the Customer Admin may configure retention for derived records or outputs.
  • Logs and metadata:
    • Retained for a defined period under Junify's internal policies to support security, troubleshooting and audit.
B-7. Admin & User Controls
  • Customer Admins can:
    • Define the scope of monitored mailboxes, folders, domains and addresses.
    • Decide what portion of an email can be accessed (for example, subject only, headers only or full message content).
    • Configure exclusion rules for particular users, groups or mailboxes.
  • End Users can:
    • Use or decline to use specific automation features that are made available.
    • Request information from their Admin about the organization's policy for email monitoring and automated processing.
B-8. What We Do Not Collect or Do
  • Junify does not scan mailboxes, folders or accounts that have not been explicitly configured as in scope by the Customer Admin.
  • Junify does not retain content longer than necessary for the defined purposes, unless the Customer explicitly configures longer retention in a way that complies with applicable law.
  • Junify does not operate a mode in which human operators continuously monitor all Customer Content processed by this feature.

Annex C: Endpoint & Activity Monitoring (Mobile App, Desktop Agent / Browser Extension)

C-1. Feature Overview

This Annex covers Junify features that collect activity and device information using:

  • Browser extensions, which observe SaaS usage patterns and help detect potential Shadow IT.
  • Endpoint agents installed on managed devices, which collect device posture and certain activity information.
  • Features that may include collection of location data, where explicitly enabled by the Customer.

The primary purposes of these features are to detect Shadow IT, increase visibility into SaaS usage, support security incident detection and fulfil certain compliance logging requirements.

C-2. Who Enables It
  • The Customer Admin:
    • Decides which devices and users are in scope (for example, company-owned laptops only).
    • Configures which domains, applications or categories are monitored.
    • Controls whether more sensitive features (such as location collection or screen capture) are enabled, where such features are available.

End Users typically do not enable the agent or extension on their own; installation and configuration are managed by the Customer.

C-3. Data Collected / Processed

In connection with Endpoint & Activity Monitoring, Junify may process:

  • Device & Technical Information
    • Device type, operating system version and hardware identifiers (such as MAC address) where required by the agent.
    • IP address, browser type and other technical information.
  • Usage Information
    • Access to configured domains and applications (for example, URLs or application identifiers, timestamps, session duration).
    • Whether a browser tab related to a monitored domain or application is active and for how long.
    • Detection of certain events such as downloads, uploads or print operations related to monitored targets, where enabled.
  • Admin-Authorized Data
    • Location information, where the Customer Admin has explicitly enabled location-based features and such collection is supported by the underlying platform.
    • In certain configurations, and only where the Customer Admin has explicitly enabled the relevant feature, the browser extension may automatically inspect limited parts of the HTML content of pages displayed in the browser in order to derive narrow signals (for example, screen recording or shadow IT detection). In such cases, the extension is designed to transmit to Junify only the minimum derived information needed for the configured feature.
C-4. Purposes of Processing

Junify uses the above data to:

  • Support compliance and audit requirements that call for logging of access to specific systems, including, where explicitly enabled by the Customer Admin, certain visual records such as screenshots or screen recordings needed to demonstrate that access.
  • Detect and understand Shadow IT and SaaS usage patterns.
  • Detect, investigate and respond to potential security incidents.
C-5. Third-Party Services and Integrations

Endpoint & Activity Monitoring may interact with third-party tools and services under the Customer's control, such as:

  • Endpoint management and mobile device management (MDM) platforms used to deploy or manage Junify agents.
  • Security information and event management (SIEM) tools that ingest logs from Junify.
  • Operating systems and browser platforms that collect their own telemetry.

These third parties are typically independent controllers or processors under the Customer's own arrangements.

This Annex describes Junify's processing of personal data received from or sent to such systems; it does not govern those systems' own internal data practices.

C-6. Retention

For data processed in connection with Endpoint and Activity Monitoring, including activity logs, location information and other Admin-Authorized Data, retention works as follows.

  1. Junify-defined retention periods and options

    Junify defines default retention periods for Endpoint and Activity Monitoring data and, for certain data types or features, provides a limited set of configurable retention options that are appropriate for security monitoring, audit and technical operation.

  2. Role of Customer Admins

    Customer Admins are responsible for understanding the retention periods and configuration options that Junify makes available and, where a retention setting can be adjusted, selecting a value that aligns with their organisation's internal policies and legal obligations. Customer Admins do not define arbitrary retention periods beyond the options provided by Junify.

  3. Deletion and de-identification by Junify

    Junify applies the relevant default or Admin-selected retention period by storing Endpoint and Activity Monitoring data only for the applicable period and then deleting or de-identifying it, subject to any limited additional retention in backups as described in the Privacy Policy.

C-7. Admin & User Controls
  • Customer Admins can:
    • Limit deployment to specific managed devices (for example, corporate devices only).
    • Configure monitored domains, applications and categories, including exclusions.
    • Enable or disable monitoring features.
  • End Users can:
    • Request information from their organization regarding whether their activity is monitored and within what scope.
C-8. What We Do Not Collect or Do
  • Junify does not collect or store a complete history of all personal browsing behavior across all websites. Monitoring is restricted to the domains, applications or categories designated by the Customer for legitimate business purposes.
  • Junify does not perform continuous screen recording or keystroke logging on the device side agent as part of the standard Endpoint & Activity Monitoring feature. The screen recording feature, which works in a browser extension, is limited to specific applications and accounts configured by the Customer Admin, and End Users are clearly notified when recording begins and while it is in progress. If more invasive capabilities were ever introduced, they would be subject to separate, explicit documentation and safeguards.

Annex D: Generative AI Features

D-1. Feature Overview

This Annex describes Junify features that use generative AI, primarily large language models, as a component of the Service. Generative AI is used to:

  1. help interpret and understand data provided by End Users or Customer Admins in natural language;
  2. analyse complex inputs such as PDFs, other documents or log data and produce summaries, classifications or structured interpretations;
  3. operate as an AI agent that can, under the Customer's configuration, assist with or automate certain browser-based or workflow actions on the user's behalf.

Generative AI outputs are intended to assist users and Admins in working with complex information and workflows. Where such outputs are presented directly to the Customer (for example as summaries, suggestions or recommended actions), they are provided for assistance only and do not replace the Customer's responsibility to review and validate the results before relying on them or acting on them.

D-2. Who Enables It
  1. Generative AI is used as an underlying component of certain Junify features rather than as a single, global switch.
  2. When a Customer Admin enables a feature that relies on generative AI, the associated AI processing becomes active for that feature, for the users and scope defined by the Admin.
  3. Customer Admins can disable or restrict individual features that rely on generative AI and can, where supported, limit access to those features to specific users or groups.
D-3. Data Collected / Processed

In connection with Generative AI features, Junify may process the following data.

  1. Input data sent to generative AI

    This is data used as prompts or context when Junify calls generative AI services. It may include:

    1. text or instructions that users type or select;
    2. parts of documents, PDFs, configuration data or other Customer Content that a feature is designed to analyse;
    3. extracts or summaries of logs, activity histories or Admin-Authorized Data;
    4. limited metadata from Third-Party App or Integration Data, where needed for the requested operation.

    Input data is drawn from information that users provide to Junify or that Junify processes on behalf of the Customer under the other Annexes.

  2. AI-generated outputs returned to Junify

    These are the responses that the generative AI service returns to Junify, such as:

    1. summaries, explanations or classifications of PDFs, logs or other content;
    2. suggested text, actions or decisions to support the user;
    3. proposed steps for an AI agent to perform in the user's browser or workflow.

    Depending on the feature, these outputs may be displayed to users, used to drive automated actions, or stored as part of Customer Content or Service Data.

  3. Usage and performance data

    Junify may also record limited metadata about AI feature usage, such as timestamps, feature identifiers and technical error information, as part of Usage Information for monitoring, troubleshooting and security.

D-4. Purposes of Processing

Junify uses the data described in this Annex for the following purposes.

  1. Analysis of complex user inputs

    To analyse and transform complex inputs provided by users, such as PDFs, other documents or configuration data, and to produce summaries, extracted fields or other structured representations that are easier to work with.

  2. Interpretation of logs and activity histories

    To interpret relevant logs and activity histories, including data related to Shadow IT or security events, and to derive higher-level insights such as categories, intents or risk indicators.

  3. Operation of AI agents

    To control and support AI agents that can, within the limits configured by the Customer Admin, suggest or perform certain browser-based or workflow actions on behalf of users.

Generative AI outputs are assistive tools. Customers remain responsible for reviewing AI outputs and for any decisions or actions taken based on them.

D-5. Third-Party Services and Integrations
  1. Junify does not develop or operate its own foundation large language models. Instead, it uses third-party LLM providers to deliver generative AI capabilities.
  2. These providers act as sub-processors on Junify's behalf and are listed in Junify's Sub-Processor List.
  3. When engaging third-party LLM providers, Junify requires contractual assurances and uses available configuration options to ensure that:
    1. prompts, context and outputs sent via Junify's generative AI features are used only to provide the requested AI functionality (inference) and are not used by those providers to train or improve their generative AI models; and
    2. data is not retained by the provider for longer than necessary to provide the requested service, except where a longer period is strictly required by law.
  4. If a Customer chooses to connect or use its own AI services directly outside of Junify, those services operate under the Customer's control and their own terms. This Annex focuses on Junify's processing when Junify calls third-party LLM providers as part of its own features.
D-6. Retention

Retention of data used in connection with Generative AI features on the Junify side follows these principles.

  1. Prompts and outputs as content

    Where prompts or AI-generated outputs are stored as part of Customer Content or configuration within Junify (for example, saved summaries, explanations or agent outcomes), they are retained in line with the retention rules that apply to the underlying content or feature, as described in the Privacy Policy and relevant Annexes.

  2. Transient or session-based processing

    For features that operate on a transient or session basis, Junify aims to process prompts and outputs only for as long as needed to complete the requested operation and maintain short-term reliability and security, after which the data is deleted or de-identified.

  3. Usage logs and metadata

    Metadata and logs relating to AI feature usage, such as timestamps, feature identifiers and error information, are retained as Usage Information for limited periods appropriate for security monitoring, troubleshooting and audit, and are then deleted or de-identified in accordance with the Privacy Policy.

D-7. Admin and User Controls

  1. Customer Admin controls

    Customer Admins can:

    1. enable or disable individual Junify features that rely on generative AI;
    2. where supported, limit which users or groups may access those features;
    3. where supported, restrict which data sources or types of content may be used as input to specific AI features.

  2. End User controls

    End Users can:

    1. choose whether to invoke generative AI features that are available to them;
    2. review, edit and, where appropriate, discard AI-generated outputs;
    3. follow their organisation's policies regarding human review and approval before acting on AI-generated content or agent actions.
D-8. What We Do Not Collect or Do
  1. Junify does not use Customer Content, or data derived from prompts and outputs, to train or improve generative AI models for Junify or for any third party. Generative AI components of the services operate in an inference-only mode.
  2. Junify does not sell or share AI prompts or outputs for third-party advertising or marketing purposes.

Annex E: API / Webhook / SDK

E-1. Feature Overview & Status

This Annex describes Junify's APIs, Webhooks and SDKs, which enable programmatic integration with other systems.

Covered capabilities include:

  • APIs that allow external systems to query or update data in Junify.
  • Webhooks that allow Junify to send event notifications or updates to external systems.
  • SDKs and similar components that allow developers to embed certain Junify capabilities into other applications.

If certain APIs are not generally available at a given time, this Annex may indicate that they are in development or available only under specific programmes, and details will be provided in developer documentation.

E-2. Who Enables It
  • The Customer Admin:
    • Decides whether and how to use APIs, Webhooks and SDKs.
    • Issues and manages API keys, client IDs/secrets or other credentials.

These interfaces are primarily designed for server-to-server or application-to-application communication, rather than for direct use by End Users.

E-3. Data Collected / Processed

Depending on the specific endpoint and configuration, APIs and Webhooks may process:

  • Account Information

    Data required to identify and manage users, groups or accounts.

  • Usage Information

    Data about events, actions or metrics that are pushed via Webhooks or retrieved via APIs.

  • Admin-Authorized Data

    Data categories and records that the Customer Admin has made accessible via APIs or included in Webhook payloads.

  • Third-Party App / Integration Data

    Data exchanged between Junify and integrated systems when APIs and Webhooks are used.

  • Metadata about Customer Content

    In some cases, identifiers, timestamps or classification labels related to Customer Content.

An optional Endpoint Mapping Appendix may document, for each endpoint, which categories of data it processes.

E-4. Purposes of Processing

Junify uses APIs, Webhooks and SDKs to:

  • Deliver and operate the service (for example, user provisioning, configuration, synchronisation).
  • Support automation and monitoring designed by the Customer (for example, pushing logs or alerts to a SIEM or ticketing system).
  • Prevent misuse and support security investigations through analysis of API usage patterns.
E-5. Third-Party Services and Integrations

APIs, Webhooks and SDKs are often used to connect Junify with other systems that are selected and controlled by the Customer, such as:

  • Identity providers and directory services.
  • SIEM platforms, ticketing tools and monitoring systems.
  • Custom applications developed by or for the Customer.

These systems typically act as independent controllers (or processors under the Customer's arrangements).

This Annex describes how Junify processes and exposes data via APIs and Webhooks; it does not govern those external systems' internal processing.

E-6. Retention
  • API and Webhook logs:

    Junify may retain metadata about API calls and Webhook deliveries (for example, timestamps, endpoint names, response codes, request identifiers) for a defined period for security, reliability and troubleshooting.

Retention periods are set in Junify's internal policies and may be aligned with the Customer's requirements where applicable.

E-7. Admin & Security Controls
  • Customer Admins can:
    • Issue, revoke and rotate API keys or other credentials.
    • Configure permissions and scopes (for example, read-only vs read-write).
    • Where supported, configure IP allow-lists, rate limits or other security controls.
  • Security:
    • Communications with Junify APIs and Webhooks are protected with industry-standard transport encryption (such as TLS).
    • Data accessed via APIs remains subject to Junify's access controls and audit logging mechanisms.
E-8. What We Do Not Collect or Do
  • Junify does not sell or share data transmitted via APIs or Webhooks for third-party marketing purposes.
  • Junify does not use data transmitted via APIs or Webhooks to train or improve generative AI models for Junify or for any third party.
  • Where the Customer, acting as controller, sends personal data of third parties to Junify via APIs or Webhooks, the Customer remains responsible for ensuring that such processing is lawful (including providing required notices and obtaining any necessary consents).

Terms of Service | Privacy Policy | Privacy Policy Annex | Subprocessor List | Independent Controllers List