Hacker News | illud_tempus's comments

> The Drata agent does exactly what you are talking about

Does it also name and shame? ;)


How does the agent know what user it is monitoring?

What other kinds of personal information does it process or collect, locally or in its server endpoint?

An external IP address is personal information. A UUID identifying a block device is personal information. A hostname is personal information. Anything in "/usr/home" is personal information.


> The agent is read-only and has no capability to wipe a device, it is a read-only agent that we have security validated with a third party.

And you can change that overnight, without notice to anyone not actively monitoring your platform for such messages.

Why is that your policy?

You expect a high level of trust. And still you engage in dark anti-patterns that nuke any kind of trust for anyone who knows how to read.


> OP made a claim that Drata collects private employee info and resells it. That’s a large claim.

What I know is:

1) They collect mandatory private information. They already know my name and my email, and they used that information to ask me to complete some tasks on their website. I don't know what those tasks are, because I first have to accept their TOS, which contains clauses that are referred to, but not disclosed. I declined.

2) Their "webpage" is part of their service. This is where I supply personal information (presumably more than they already have). So unless they have another TOS, after I accept the publicly available one, that's the rules: I have to give them personal data, because my employer (well, in my case it's my customer, not my employer - Drata have no agreement with my employer) signed a contract with them.

3) They give themselves the right, in the website's TOS, to sell my data.

So: 1 + 2 + 3 = Drata collects private employee info and resells it.


> Why do you think it covers the data collected by the agent?

The agent is not the only concern. Before you even get to install the agent, you have to provide personal information to their website (I believe - I don't know, because I rejected the TOS and don't have access to the non-public part of their website).

The thing is - Drata collects mandatory information from their customers' employees and contractors through their website. The TOS for the website is explicit about how they plan to use that information.


> This is correct. The privacy policy listed here is for the website.

Is that the 100% honest answer?

From my understanding, your website is where you collect my mandatory personal information, if I agree with your TOS. It's not just a glossy brochure for your product - it is your product.

I cannot choose what I share with you. But you can choose with whom you share what information I provide. And from your website's TOS, you seem very eager to share it.


Very informative. Thanks.


> We are happy to share our security validation report of the agent as well as the configuration with any prospects/customer.

I am the OP. I am not your customer. My customer is your customer. My customer wants me to install your agent.

When I contacted Drata on email with some concerns before I accepted your terms and conditions (which I will never accept in its current form) and got any real information about your agent, your secretary responded: "Feel free to reach out to your Drata administrator internally with concerns. Do note, that when your company contracted with Drata, any edits or redlines they provided will prevail for all employees of your company."

That is not very reassuring for a company (Drata) that wants me to accept undisclosed terms and conditions, wants to sell my personal data to targeted marketing, reserves the right to change the user agreement overnight, and who exploits a loophole in GDPR so you can move my personal data out of EU and do things with it that would be a crime in EU.

I interpret that reply, from your secretary, as: "We already sold our thing to your company, so we don't care. Not about you. Not about your company. Bend over and take it like a good bitch!"

As others have suggested here; if you want people to trust your agent, you should open source it, have it audited, and publish the audit reports.


> there is a lot of misinformation here around what the agent does

Maybe. Maybe not. I have not decompiled their client, so I don't know what it does. However, Drata's Terms Of Service state: "Drata will notify you of updates via an email or a notification on the platform. Unless the notice states otherwise, the updated terms of this Agreement will become effective and binding on the next business day after it is posted." I assume this is US business days. So I could be on Easter vacation in Romania, while they changed their contract.

Drata gives themselves the right to change what they call "the Agreement" virtually without notice. Unless I have a hook in my email client, and a bot looking for notifications on their "platform", and am ready to get up in the middle of the night to print out and read their new "Agreement" - they could fuck me any way they like. Including updating their client with one that does something entirely different than the one they have today.

For a company with a mandatory service, they are surely engaging in a lot of dark anti-patterns. I don't believe for a second that they act in good faith. I don't trust them.


I can easily engineer myself out of this crap. But that feels like a much worse solution than just dropping out.

I have two qualities that make customers willing to pay a premium. I am very good at what I do. I am honest. I don't want to compromise my integrity.

