RiskRecon Privacy Notice

Updated: September 2020

At RiskRecon, Inc. (“RiskRecon” or “we”), we help clients understand and manage third-party risk, with particular attention to cyber risk performance of vendors. Using information we collect about organizations’ systems and activities, we utilize our SaaS-based platform to assess and analyze potential risks against multiple criteria (“Services”). In performing our Services, we collect some information from client representatives.

We are committed to protecting the privacy of individuals who interact with us (“You”). This Privacy Notice (“Privacy Notice” or “Notice”) describes privacy practices for our websites and Services and governs the provision of Services to You and Your interaction with our websites and provision of information to us. This Notice also details our privacy practices related to RiskRecon marketing, advertising, and events, and interactions with job applicants.

RiskRecon provides this Privacy Notice to inform You of our policies and procedures regarding the collection, use, and disclosure of personal information we receive on https://www.riskrecon.com, https://www.thirdpartyplaybook.com, https://info.riskrecon.com, https://blog.riskrecon.com, https://auth.riskrecon.com, and https://portal.riskrecon.com (collectively, the “Sites”) or via email or telephone communications. This Privacy Notice applies to information that You provide to us through the Sites or email or on the telephone, including any information provided via a helpdesk or client service application or portal.

Please read this Privacy Notice carefully. By using or providing information to us via the Sites, email, or telephone, You acknowledge that this Notice will apply to the operation of the Sites and our provision of Services. If You do not agree to the application of this Notice or future changes, You may not be able to use the Site or receive our Services.

1. Information We Collect

RiskRecon allows users to access the Site in order to learn about RiskRecon, the company and our services, or to utilize the Services we provide. The following sections describe the categories of Personal Information we may collect:

“Personal Information” means information that may be used to readily identify, contact, or locate a specific person, such as: name, address, email address, or telephone number. We do not consider Personal Information to include information that has been de-identified (i.e., disconnected from Personal Information) or aggregated so that it does not allow a third party to identify a specific individual. When You register with the Sites to contact RiskRecon, to request additional information, or to access our Services, You will be required to provide Personal Information including Your name and email address. You will also be required to disclose Your relevant organizational affiliation (company), and You will have the option to provide other information. When we perform cyber risk assessments, we may collect Your Personal Information which You have made public as a sole proprietor, a business user or, in very limited circumstances, as an individual consumer (e.g. if You publish comments on a website).

“Usage Information” means certain information that could be used to personally identify a user, but is not necessarily used to do so, and certain non-identifiable information that we or our third-party service providers may collect through a variety of technologies (e.g., log files or cookies, discussed below) that automatically or passively collect certain information from users as they visit or interact with the Sites or receive Services. Usage Information includes internet protocol (“IP”) addresses, browser types, user operating systems, internet service provider (ISP), referring/exit pages (i.e., the URL that immediately referred users to the Sites and the URL immediately visited upon leaving the Sites), platform type, date/time stamp, general location data (e.g., postal code, city, or neighborhood), and number of clicks, used to analyze trends, administer the Sites, track users’ movement in the aggregate, and gather broad demographic information for aggregate use. In particular, we collect information about the manner in which the Sites are used and the devices used to access the Sites, and we collect data to improve the performance and features of the Sites. Any Usage Information that is itself Personal Information, or that is otherwise associated with data that is Personal Information, shall be treated as Personal Information.

2. How We Collect Information from You

RiskRecon allows users to access the Site in order to learn about RiskRecon, the company and our services, or to utilize the services we provide.

RiskRecon Users Registering and Logging into the Sites – We collect Personal Information from You when You register to receive Services through the Sites, via email with us, or over the telephone. After You provide information to create a profile or an account, You can log in to our Sites using a Single Sign-On (SSO) service. This service will authenticate Your identity and provide You the option to share certain personal information with us such as Your name and email address to pre-populate our sign-up form.

Collection of Information from Third Parties – From time to time, we may collect or receive Personal Information about You from third party sources including partners with which we offer co-branded services or engage in joint marketing activities, and publicly available sources.

Job Applicants – We may collect information from job applicants who contact us expressing interest in a career with RiskRecon in the form of an application, telephone call, or email inquiry or through our recruitment process, including Your name and contact details, qualifications, skills, references, current and preferred benefits, salary, CV, cover letter, work experience, education, and transcripts; information You provide us when submitting applications or participating in interviews; whether You have a disability for which the organization needs to make reasonable adjustments; information about Your ability to work in a specified location; information about moving; information from Your passport, driver’s license, or other identity or credential documents; and other information required by law or deemed necessary by us to evaluate Your candidacy. We may process special categories of data when relevant for a position and required or permitted by law. If we collect special categories of data from an individual residing in the EU or Switzerland, you will be provided notice and the opportunity to consent to processing as described at the point of collection and this Privacy Notice. Please be aware that if you do not provide us with requested information during the recruitment process, we may not be able to process Your job application properly, or at all.

Cookies, Automatic Data Collection, and Related Technologies. Once a user accesses the Sites or receives Services, we may receive, collect, and store Usage Information through automatic data collection tools including cookies, pixel tags, web beacons, embedded web links, and similar technology. Usage Information collected is used to compile overall statistics. The statistics help us decide which products and services best serve our members and guests.

  • Cookies are small text files placed in visitors’ web browsers to store their preferences or provide certain functionality. We use both session and persistent cookies. Cookies enable us to track and target the interests of our users in the aggregate by analyzing popular areas and products to enhance future experiences on our site. Cookies do not cause damage to Your computer systems or files, and only the web site that transferred a specific cookie to you can read, modify or delete such cookie. If You do not want information collected through cookies, there are simple procedures in most browsers that allow You to delete existing cookies, to automatically decline cookies, or to be given the choice of declining or accepting the transfer of cookies to your computer. Most browsers allow You to block and delete cookies. But please note: if You do that, some functionalities on the Sites or Services, including the online registration platform, may not work properly.
  • Web Beacons or Clear GIFs are small graphic images or other web programming code with a unique identifier, similar in function to cookies that are used to track the online movements of web users or placed in emails to track which emails are opened and which links are clicked by recipients.

We use Google Analytics software and tools for tracking visitors and aggregating information about the traffic to our websites. The Google Analytics privacy policy can be found at https://policies.google.com/privacy. You can learn more about how to opt-out of tracking in Google Analytics here: https://tools.google.com/dlpage/gaoptout/. We also use other third-party services to assist with optimizing our Sites and to facilitate the provision of Services to customers, including, for example, Single Sign-On functionality. Personal Information or Usage Information may be provided to these third-party service providers to enable them to support our Sites’ functionality or provision of Services. These service providers and links to their respective privacy policies are: HubSpot (https://legal.hubspot.com/privacy-Notice?_ga=2.15110654.931831156.1533832784-791295850.1533832784), Zendesk (https://www.zendesk.com/company/customers-partners/privacy-Notice/), and Okta (https://www.okta.com/privacy-Notice/).

By accessing the Sites and using the Services, You are authorizing us to gather, parse, and retain data, including Personal Information and Usage Information, related to the provision of the Services.

3. How and Why We Use Information Collected from You

RiskRecon Users – We will display Your Personal Information on Your account profile page and elsewhere on the Sites depending on Your preferences and use. We treat inferences from Your preferences or other characteristics as Personal Information where required under applicable law. We will use Your Personal Information, Usage Information, and other information You provide to us to provide our Services, communicate with You about Services, respond to support requests, add You to our newsletter, marketing, and announcement distribution lists, validate user login identity, and deliver targeted or tailored advertising using Google Analytics and HubSpot. We may also communicate with You electronically regarding security, privacy, and administrative issues relating to Your use of the Services. In certain circumstances, and with the customer’s consent, we may display testimonials from customers based on feedback and comments provided to us and identify customers and affiliated companies by name. Except as agreed by You and under the terms of this Notice, otherwise disclosed to You at the time the data is collected, or as required by law, we will not disclose Personal Information we collect about You. We may store certain data regarding account registration or engagement or purchase of Services with third parties, but employees of such third parties do not have access to Your information. We will strictly follow the sharing and disclosure practices as defined in this Section 3 of our Notice. We do not sell Your Personal Information as defined by the California Consumer Protection Act of 2018.

Service Providers, Business Providers, and Others – We may employ third party companies and individuals to facilitate provision of Services, to perform work on our behalf, to perform services related to the operation of the Sites (including but not limited to data storage, maintenance services, database management, web analytics, and improvement of the Sites’ features), or to assist us in analyzing how our Sites and Services are used. These third parties have access to Your Personal Information or Usage Information only for the purposes of performing these tasks on our behalf.

Compliance with Laws and Law Enforcement – RiskRecon may preserve and has the right to disclose any information about You or Your use of our Sites without Your prior permission if we have a good faith belief that such action is necessary to: 1) protect and defend the rights, property, or safety of RiskRecon or its employees, affiliates, other users of the Sites, or the public; or 2) to comply with any applicable law, regulation, legal process, court order, subpoena, or a law enforcement agency or other governmental request.

Business Transfers – RiskRecon may sell, transfer, or otherwise share some or all of its assets, including Your Personal Information, in connection with a merger, acquisition, reorganization or sale of assets, or in the event of bankruptcy.

Affiliated Businesses – In certain limited situations, businesses we’re associated with may sell or provide products or services to You either alone or jointly with us. We will share your Personal Information with an associated business only to the extent that it is related to a joint transaction or service with us.

Job Application Data – If a prospective employee’s application is successful, we may share job applicant information with other third parties to obtain references and perform background checks and other actions necessary for the employment process. If Your application for a job is successful, Your information gathered during the recruitment process will be transferred to Your human resources files subject to our internal human resources policies and procedures and retained as employment data. If Your application is unsuccessful, we may, with Your consent, keep your information on file for future employment opportunities. You may withdraw Your consent at any time.

Third-Party Tracking Technologies – The use of cookies and web beacons by any third party or tracking utility company is not covered by our Privacy Notice or Cookie Notice.

4. Children’s Privacy

RiskRecon products and services are not directed to, or intended for, children under the age of 16.

If You believe that we have collected information about a child under the age of 16, please contact us at support@riskrecon.com.

5. Links to Other Sites

The Sites may contain links to third-party sites, social media tools, widgets or plug-ins. Please be aware that RiskRecon is not responsible for the privacy practices of such other sites. We encourage our users to be aware of any linked websites or features You visit or use that are not owned or controlled by Mastercard, and we suggest that You review their own privacy notices or policies. This Notice applies solely to information collected through our Sites and Services.

6. Choice / Opt-out

You have certain rights regarding the Personal Information we maintain about You and certain choices about what Personal Information we collect from You, how we use it, and how we communicate with You.

If you are located in California, we will not deny, charge different prices for, or provide a different level of quality of goods or services if You choose to exercise these rights, except where the different price or level of quality of good or service is reasonably related to the value of the data that we receive from You. In some instances, we may not be able to provide You with the good or service that you request if you choose to exercise certain rights.

RiskRecon may send newsletters or other promotional communications containing information such as educational information, announcements, and notifications of new services. If You wish not to receive these newsletters and promotional communications, You may opt-out of receiving them by following the instructions included in each newsletter or communication.

If You would like to opt out of targeted advertising on our Services, please refer to Your browser’s technical information for instructions on how to delete and disable cookies and other tracking or recording tools. Please be aware that disabling cookies or similar tools may disable many of the features available through the Sites or Services.

Depending on where you are located, You may have the right to:

  • Request access to and receive information about the Personal Information we maintain about You, to update and correct inaccuracies in Your Personal Information, to restrict or to object to the processing of Your Personal Information, to have the information anonymized or deleted, as appropriate, or to exercise Your right to data portability to easily transfer your Personal Information to another company. In addition, You may also have the right to lodge a complaint with a supervisory authority, including in Your country of residence, place of work or where an incident took place.
  • Withdraw any consent You previously provided to us regarding the processing of Your Personal Information, at any time and free of charge. We will apply Your preferences going forward and this will not affect the lawfulness of the processing before Your consent withdrawal.

These rights may be limited in some circumstances by local law requirements.

If we fall short of your expectations in processing Your Personal Information or You wish to make a complaint about our privacy practices, please tell us because it gives us an opportunity to fix the problem. To assist us in responding to your request, please give full details of the issue.

We attempt to review and respond to all complaints within a reasonable time and as required under applicable law.

To update your preferences, ask us to remove Your information from our mailing lists or submit a request to exercise Your rights under applicable law, contact us as specified in the "How to Contact Us" section below.

You may also review, update, correct, or delete the Personal Information provided to us by accessing Your account profile and changing your information.

7. How We Protect Your Information

We maintain reasonable administrative, technical and physical safeguards to protect Personal Information against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse, and any other unlawful form of processing of the Personal Information in our possession. The types of measures we take vary with the type of data, and how it is collected and stored.

We also take measures to destroy or permanently de-identify Personal Information when there is no longer a business need to keep the information.

We will never ask You for Your password in any unsolicited communication (including unsolicited correspondence, such as letters, phone calls or e-mail messages). If You believe Your user name and password have been compromised, please contact us by following the instructions provided in the section "How to Contact Us" below.

Your account is protected by a password for Your privacy and security. If You access Your account via a third-party site or service, You may have additional or different sign-on protections via that third-party site or service. You must prevent unauthorized access to Your account and Personal Information by selecting and protecting Your password and/or other sign-on mechanism appropriately and limiting access to Your computer or device and browser by signing off after You have finished accessing your account.

8. European Union Privacy

Lawful Basis if Subject to GDPR – If our processing of your Personal Information is subject to the General Data Protection Regulation 2016/679 (“GDPR”), we will use Your Personal Information according to the following lawful bases for processing. But please note that these are only examples of processing under lawful bases, not an exhaustive list of processing under lawful bases and do not limit any current, past or future processing under a lawful basis that we may use to process Your Personal Information if subject to the GDPR.

We will process Your Personal Information in order to provide the Services. The lawful bases for processing Your data may include:

  • Pursuant to a Contract. We will use Your Personal Information when it is necessary for us to perform a contract we are about to enter into or have entered into with You, including without limitation when we respond to Your requests about entering into a contractual relationship, to help You create an account, to process requests, to provide Services, or to manage our relationship with You.
  • Pursuant to a Legal Obligation. We will use Your Personal Information when needed to comply with a legal or regulatory obligation, including without limitation to manage our relationship with You by providing this Notice and any changes and updates thereto.
  • Pursuant to a Legitimate Interest. We will use Your Personal Information where necessary for our legitimate interests or those of a third party, and Your interests and fundamental rights do not override those interests, including without limitation to process requests and provide Services, to manage our relationship with You, to administer and protect our business and our Services, to deliver the Services, content, and advertisements to You, to evaluate the effectiveness of the Services, content and advertising, to tailor the Services, content and advertising, to use data analytics and other automated processing to evaluate and improve the Services, and to make recommendations to You. We will use Your Personal Information where necessary to prevent fraud. We will also use Your Personal Information where necessary to respond to Your requests. For example, if You request to delete Your Personal Information from our database, we may continue to use Your information to respect Your request and prevent further use of the account. This can include deactivating Your account by removing Your username from the permitted usernames and disallowing any account creation under Your email address.
  • Pursuant to Consent. We will use Your Personal Information when we have provided You with notice of processing and obtained Your consent in a manner compliant with the requirements set forth in GDPR, including without limitation allowing You to opt-in to and opt-out of our marketing of our Services to You.
  • Pursuant to One or More Lawful Basis. We may rely on more than one lawful basis for processing Your specific Personal Information described in Sections 1-3 of this Notice set forth above. To our knowledge, we do not process special category data or criminal offence data, and we require You to refrain from providing any such data in the information You share with us. Please contact us if You have any questions about the specific lawful basis we are relying on to process Your Personal Information.

You have the right to be informed about Your Personal Information and how it is being processed, to access, correct and erase Personal Information, to restrict further processing, to obtain and reuse Your data for Your own purposes across different services and to object to processing. You also have the right to lodge a complaint with the relevant EU supervisory authority.

Cross-Border Transfer – RiskRecon is headquartered in and processes Personal Information in the United States.

If You are located in the EEA, we will process Your Personal Information in accordance with (i) the Mastercard Binding Corporate Rules, available here, or (ii) the transfers will be to countries that have been deemed to provide an adequate level of protection for Personal Information by the European Commission; (iii) we have used specific model contracts approved by the European Commission which are intended to give Personal Information the same protection it has in Europe; (iv); or (v) any alternative transfer mechanism that can under GDPR lawfully support the transfer. Please contact us if You want further information on the specific mechanism used by us when transferring Your Personal Information out of the EEA.

Erasure – You may ask for Your Personal Information to be erased from our system. We will comply with a request to erase all customer data, even though this means we will no longer be able to serve this individual as a customer, and all services and products will be revoked. We will also not erase any data that was posted on a third-party service, such as Facebook, and which the individual is able to erase on their own. Finally, an affiliate party that has requested the data of this customer (such as an entity that has provided the customer with one of our products) and already gained access to customer data in the past will need to be contacted separately by the customer.

Restriction of Processing – You may place a restriction on the processing of your Personal Information, and the request will be accommodated. But please note that restrictions on processing Your data may inhibit Your ability to utilize the Services.

Objection to Processing – You may, at any time, object to our processing of Your Personal Information. We will stop all processing of customer data, if the objection was raised with respect to direct marketing purposes. If an objection was raised with respect to processing of Personal Information that is essential to the performance of our duties with respect to the Services, we will no longer be able to provide the Services to You.

9. Changes to Our Privacy Notice and Practices

Posting of Revised Privacy Notice – We may update this Notice to reflect changes to our information practices. If we make any change in how we use Personal Information, we will notify You by posting the new Privacy Notice for the Sites at https://www.riskrecon.com/privacy-notice, by email (sent to the email address specified in Your registration) or by means of a notice on the Services prior to the change becoming effective. We encourage You to periodically review this page for the latest information on our privacy practices.

10. Contact Information

If You have any questions about this Privacy Notice, or would like to exercise Your rights under applicable law, please contact us.

PHONE
801.758.0560

HEADQUARTERS
5241 South State Street, Unit 3
Salt Lake City, UT 84107
USA