Privacy & Cookie Notice
Last updated June 2026 — Digital Identity Lab demonstration environment
Important — please read
- Do not enter, upload, or store any client data, confidential information, or personal data of real individuals in this environment. All content is synthetic and for demonstration purposes only.
- Access to and use of this environment is governed by the applicable Canadian non-disclosure agreement (NDA). A member firm wishing to establish a relationship with any vendor featured here should put in place a separate NDA, tailored to its specific needs, directly with that vendor.
- The Digital Identity Lab is a KPMG sales-support and demonstration tool — not a production service, and not an offer or endorsement of any vendor. It exists solely to support KPMG client conversations.
This notice explains how the KPMG Digital Identity Lab handles cookies and data, in line with the EU General Data Protection Regulation (GDPR), UK GDPR, Brazil LGPD, Canada PIPEDA, and other applicable international privacy laws.
Cookie usage
The public pages on this domain set no cookies. The cookie described below applies to the Digital Identity Lab application you sign in to, which uses a single strictly necessary cookie for authentication. Under GDPR Article 6(1)(f), the ePrivacy Directive, and equivalent international regulations, strictly necessary cookies are exempt from consent requirements as they are essential for the service to function.
| Property | Detail |
|---|---|
| Name | identity-lab-session |
| Purpose | Authentication and session management |
| Type | Strictly necessary (HttpOnly, Secure) |
| Duration | 4 hours from sign-in |
| Third-party access | None |
No tracking, analytics, or advertising cookies are used.
Data collection & processing
When you sign in using an enterprise identity provider, basic directory profile attributes — display name and email address, job title and department, and user principal name (UPN) — may be accessed solely to demonstrate identity workflows. This information is held in memory, is never shared with third parties, and is cleared when the service restarts. Beyond this, the application:
- performs no analytics, tracking, or profiling
- holds no client or end-customer production data
- uses no cross-site tracking or advertising cookies
- does not use IP addresses or device fingerprints for tracking or profiling
Authentication & security
Authentication is handled via enterprise identity providers using industry-standard protocols such as OAuth 2.0 with PKCE. Tokens are processed server-side and are not stored in the browser; the application requests minimal permissions to access only basic profile information.
- Session cookie is HttpOnly (inaccessible to JavaScript)
- Cookie is Secure-flagged (HTTPS only in production)
- Token is cryptographically signed (HMAC-SHA256) and time-limited
- SameSite=Strict prevents cross-site request forgery
Data retention
The authentication session expires automatically after 4 hours. Access-request submissions (name, email, organization, and reason) are stored in the lab’s database to operate the access-approval workflow; other demo-created records are held in ephemeral storage and cleared when the service restarts. The lab is not a production system of record and holds no client or end-customer data.
Legal basis & compliance
The session cookie is classified as strictly necessary under:
- EU/EEA: GDPR Art. 6(1)(f), ePrivacy Directive Art. 5(3)
- UK: UK GDPR, PECR Reg. 6
- Brazil: LGPD Art. 7(IX) — legitimate interest
- Canada: PIPEDA — implied consent for necessary cookies
- Japan: APPI — necessary for service provision
- South Korea: PIPA — essential for service operation
- Australia: Privacy Act 1988 — necessary for function
As a strictly necessary cookie, no prior consent is required. This notice fulfils the transparency obligation under all applicable frameworks.
Contact your local KPMG Privacy Officer, the KPMG Global Labs team responsible for this application, or your KPMG project lead.