
RiskRecon - Privacy Policy

Updated: August 16, 2018

At RiskRecon, Inc. (“RiskRecon” or “we”), we help clients understand and manage third-party risk, with particular attention to cyber risk performance of vendors. Using information we collect about organizations’ systems and activities, we utilize our SaaS-based platform to assess and analyze potential risks against multiple criteria (“Services”). In performing our Services, we collect some information from client representatives.

We are committed to protecting the privacy of individuals who interact with us. This Privacy Policy (“Privacy Policy” or “Policy”) describes privacy practices for our websites and Services and governs the provision of Services to you and your interaction with our websites and provision of information to us. This Policy also details our privacy practices related to RiskRecon marketing, advertising, and events, and interactions with job applicants.

RiskRecon provides this Privacy Policy to inform you of our policies and procedures regarding the collection, use, and disclosure of personal information we receive on https://www.riskrecon.com, https://www.thirdpartyplaybook.com, https://info.riskrecon.com, https://blog.riskrecon.com, https://auth.riskrecon.com, and https://portal.riskrecon.com (collectively, the “Sites”) or via email or telephone communications. This Privacy Policy applies to information that you provide to us through the Sites or email or on the telephone, including any information provided via a helpdesk or client service application or portal. Our Privacy Policy may be updated from time to time, and we will notify you of any material changes via email or by posting the new Privacy Policy for the Sites at https://www.riskrecon.com/privacy-policy.html.

Please read this Privacy Policy carefully. By using or providing information to us via the Sites, email, or telephone, you consent and agree that this Policy will apply to the operation of the Sites and our provision of Services. If you do not agree to the application of this Policy or future changes, you may not be able to use the Site or receive our Services.

1. Information We Collect

RiskRecon allows users to access the Site in order to learn about RiskRecon, the company and our services, or to utilize the services we provide.

“Personal Information” means information that may be used to readily identify, contact, or locate a specific person, such as: name, address, email address, or telephone number. We do not consider Personal Information to include information that has been de-identified (i.e., disconnected from other information) or aggregated so that it does not allow a third party to easily identify a specific individual. When you register with the Sites to contact RiskRecon, to request additional information, or to access our Services, you will be required to provide Personal Information including your name and email address. You will also be required to disclose your relevant organization or company affiliation, and you will have the option to provide other information.

“Usage Information” means certain information that could be used to personally identify a user, but is not necessarily used to do so, and certain non-identifiable information that we or our third-party service providers may collect through a variety of technologies (e.g., log files or cookies, discussed below) that automatically or passively collect certain information from users as they visit or interact with the Sites or receive Services. Usage Information includes internet protocol (“IP”) addresses, browser types, user operating systems, internet service provider (ISP), referring/exit pages (i.e., the URL that immediately referred users to the Sites and the URL immediately visited upon leaving the Sites), platform type, date/time stamp, general location data (e.g., postal code, city, or neighborhood), and number of clicks to analyze trends, administer the Sites, track users’ movement in the aggregate, and gather broad demographic information for aggregate use. In particular, we collect information about the manner in which the Sites are used and the devices used to access the Sites and to collect data to improve the performance and features of the Sites. Usage Information is not necessarily associated with Personal Information. If we associate Usage Information with Personal Information we will treat it as Personal Information.

2. How We Collect Information from You

RiskRecon Users Registering and Logging into the Sites – We collect Personal Information from you when you register to receive Services through the Sites, via email with us, or over the telephone. After you provide information to create a profile or an account, you can log in to our Sites using a Single Sign-On (SSO) service. This service will authenticate your identity and provide you the option to share certain personal information with us such as your name and email address to pre-populate our sign-up form.

Collection of Information from Third Parties – From time to time, we may receive Personal Information about you from third party sources including partners with which we offer co-branded services or engage in joint marketing activities, and publicly available sources such as social media websites.

Job Applicants – We may collect information from job applicants who contact us expressing interest in a career with RiskRecon in the form of an application, telephone call, or email inquiry or through our recruitment process, including your name and contact details, qualifications, skills, references, current and preferred benefits, salary, CV, cover letter, work experience, education, and transcripts; information you provide us when submitting applications or participating in interviews; whether you have a disability for which the organization needs to make reasonable adjustments; information about your ability to work in a specified location; information about moving; information from your passport, driver’s license, or other identity or credential documents; and other information required by law or deemed necessary by us to evaluate your candidacy. We may process special categories of data when relevant for a position and required or permitted by law. If we collect special categories of data from an individual residing in the EU or Switzerland, you will be provided notice and the opportunity to consent to processing as described at the point of collection and this Privacy Policy. Please be aware that if you do not provide us with requested information during the recruitment process, we may not be able to process your job application properly, or at all.

Cookies, Automatic Data Collection, and Related Technologies. Once a user accesses the Sites or receives Services, we may receive, collect, and store Usage Information through automatic data collection tools including cookies, pixel tags, web beacons, embedded web links, and similar technology. Usage Information collected is used to compile overall statistics. The statistics help us decide which products and services best serve our members and guests.

We use Google Analytics software and tools for tracking visitors and aggregating information about the traffic to our websites. The Google Analytics privacy policy can be found at https://policies.google.com/privacy. You can learn more about how to opt-out of tracking in Google Analytics here: https://tools.google.com/dlpage/gaoptout/. We also use other third-party services to assist with optimizing our Sites and to facilitate the provision of Services to customers, including, for example, Single Sign-On functionality. Personal Information or Usage Information may be provided to these third-party service providers to enable them to support our Sites’ functionality or provision of Services. These service providers and links to their respective privacy policies are: HubSpot (https://legal.hubspot.com/privacy-policy?_ga=2.15110654.931831156.1533832784-791295850.1533832784), Zendesk (https://www.zendesk.com/company/customers-partners/privacy-policy/), and Okta (https://www.okta.com/privacy-policy/).

By accessing the Sites and using the Services, you are authorizing us to gather, parse, and retain data, including Personal Information and Usage Information, related to the provision of the Services.

3. How and Why We Use Information Collected from You

RiskRecon Users – We will display your Personal Information on your account profile page and elsewhere on the Sites depending on your preferences and use. We will use your Personal Information, Usage Information, and other information you provide to us to provide our Services, communicate with you about Services, respond to support requests, add you to our newsletter, marketing, and announcement distribution lists, validate user login identity, and targeted or tailored advertising using Google Analytics and HubSpot. In certain circumstances, we may display testimonials from customers based on feedback and comments provided to us and identify customers and affiliated companies by name. Except as agreed by you and under the terms of this Policy, or as required by law, we will not share your information with third parties. We may store certain data regarding account registration or engagement or purchase of Services with third parties, but employees of such third parties do not have access to your information. We do not sell your Personal Information to third parties for marketing or other purposes; we will strictly follow the sharing and disclosure policy as defined here in this Section 3 of our Policy.

Service Providers, Business Providers, and Others – We may employ third party companies and individuals to facilitate provision of Services, to perform work on our behalf, to perform services related to the operation of the Sites (including but not limited to data storage, maintenance services, database management, web analytics, and improvement of the Sites’ features), or to assist us in analyzing how our Sites and Services are used. These third parties have access to your Personal Information or Usage Information only for the purposes of performing these tasks on our behalf.

Compliance with Laws and Law Enforcement – RiskRecon may preserve and has the right to disclose any information about you or your use of our Sites without your prior permission if we have a good faith belief that such action is necessary to: 1) protect and defend the rights, property, or safety of RiskRecon or its employees, affiliates, other users of the Sites, or the public; or 2) to comply with any applicable law, regulation, legal process, court order, subpoena, or a law enforcement agency or other governmental request.

Business Transfers – RiskRecon may sell, transfer, or otherwise share some or all of its assets, including your personal identifiable information, in connection with a merger, acquisition, reorganization or sale of assets, or in the event of bankruptcy.

Affiliated Businesses – In certain limited situations, businesses we’re associated with may sell or provide products or services to you either alone or jointly with us. We will share your Personal Information with an associated business only to the extent that it is related to a joint transaction or service with us.

Job Application Data – If a prospective employee’s application is successful, we may share job applicant information with other third parties to obtain references and perform background checks and other actions necessary for the employment process. If your application for a job is successful, your information gathered during the recruitment process will be transferred to your human resources files subject to our internal human resources policies and procedures and retained as employment data. If your application is unsuccessful, we may, with your consent, keep your information on file for future employment opportunities. You may withdraw your consent at any time.

Third-Party Tracking Technologies – The use of cookies and web beacons by any third party or tracking utility company is not covered by our Privacy Policy or Cookie Policy.

4. Security

We use reasonable technological, physical, and other measures to keep your information protected from unauthorized access. Unfortunately, no method of data transmission over the internet or method of electronic storage can be 100% secure. Therefore, while we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security. Accordingly, we cannot represent or warrant the security of any information you provide to us. We do not accept liability for unintentional disclosure. In the event of a data security incident requiring notice, we will endeavor to provide notice in accordance with applicable legal requirements.

By using the Services or providing Personal Information to us, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of the Services. If we learn of a security system’s breach, we may attempt to notify you electronically by posting a notice on the Services or by sending an email to you. You may have a legal right to receive this notice in paper or hard copy format. To receive free written notice of a security breach in paper or hard copy format (or to withdraw your consent from receiving electronic notice), please notify us at https://www.riskrecon.com.

5. No Use by Children

The Sites are not intended for or targeted at children under 16 years of age, and we do not knowingly or intentionally collect information about children younger than 16. If you believe that we have collected information about a child under the age of 16, please contact us at https://www.riskrecon.com, so that we may delete the information.

6. Links to Other Sites

The Sites may contain links to other sites. Please be aware that RiskRecon is not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our Sites and to read the privacy statements of sites administered by other persons or organizations that collect personal data. This Policy applies solely to information collected through our Sites.

7. Choice / Opt-out

RiskRecon may send newsletters or other promotional communications containing information such as educational information, announcements, and notifications of new services. If you wish not to receive these newsletters and promotional communications, you may opt-out of receiving them by following the instructions included in each newsletter or communication.

If you would like to opt out of targeted advertising on our Services, please refer to your browser’s technical information for instructions on how to delete and disable cookies and other tracking or recording tools. Please be aware that disabling cookies or similar tools may disable many of the features available through the Sites or Services.

8. Changing/Updating Your Information

You may review, update, correct, or delete the Personal Information provided to us by accessing your account profile and changing your information. If you would like to update or modify any Personal Information you have provided to us, or if you have any questions or concerns about this Privacy Policy or the use of your information, please email us at https://www.riskrecon.com.

Your account is protected by a password for your privacy and security. If you access your account via a third-party site or service, you may have additional or different sign-on protections via that third-party site or service. You must prevent unauthorized access to your account and Personal Information by selecting and protecting your password and/or other sign-on mechanism appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account.

9. California Privacy

If you are a California resident, California Civil Code Section 1798.83 permits you to request information regarding the disclosure of your personal data by RiskRecon or its affiliates to a third party for the third party’s direct marketing purposes. To make such a request, you may contact us at https://www.riskrecon.com. But, again, it is our policy not to provide your Personal Information to third parties for their or others’ marketing purposes.

10. European Union Privacy

Lawful Basis if Subject to GDPR – If our processing of your information is subject to the General Data Protection Regulation 2016/679 (“GDPR”), we will use your information according to the following lawful bases for processing. But please note that these are only examples of processing under lawful bases, not an exhaustive list of processing under lawful bases and do not limit any current, past or future processing under a lawful basis that we may use to process your information if subject to the GDPR.

We will process your Personal Information in order to provide the Services. The lawful bases for processing your data may include:

You have the right to be informed about your personal data and how it is being processed, to access, correct and erase personal data, to restrict further processing, to obtain and reuse your data for your own purposes across different services and to object to processing. You also have the right to lodge a complaint with the relevant EU supervisory authority.

Cross-Border Transfer – If your information is transferred to us from a third party or to another recipient in a manner that requires it to leave the boundaries of the European Economic Area (“EEA”), we will ensure that at least one of the following shall apply: (i) the transfers will be to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission; (ii) we have used specific model contracts approved by the European Commission which are intended to give personal data the same protection it has in Europe; (iii) where we use providers based in the US, we may transfer information to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US; or (iv) any alternative transfer mechanism that can under GDPR lawfully support the transfer. Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

Erasure – You may ask for your data to be erased from our system. We will comply with a request to erase all customer data, even though this means we will no longer be able to serve this individual as a customer, and all services and products will be revoked. We will also not erase any data that was posted on a third-party service, such as Facebook, and which the individual is able to erase on their own. Finally, an affiliate party that has requested the data of this customer (such as an entity that has provided the customer with one of our products) and already gained access to customer data in the past will need to be contacted separately by the customer.

Restriction of Processing – You may place a restriction on the processing of your data, and the request will be accommodated. But please note that restrictions on processing your data may inhibit your ability to utilize the Services.

Objection to Processing – A user may, at any time, object to our processing of his or her data. We will stop all processing of customer data, if the objection was raised with respect to direct marketing purposes. If an objection was raised with respect to processing of data that is essential to the performance of our duties with respect to the Services, we will no longer be able to provide the Services to our customer.

11. Changes to Our Privacy Policy and Practices

Posting of Revised Privacy Policy – We may update this Policy to reflect changes to our information practices. If we make any change in how we use Personal Information, we will notify you by email (sent to the e-mail address specified in your registration) or by means of a notice on the Services prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.

New Uses of Personal Information – From time to time, we may desire to use Personal Information for uses not previously disclosed in our Privacy Policy. If our practices change regarding previously collected Personal Information in a way that would be materially less restrictive than stated in the version of this Privacy Policy in effect at the time we collected the information, we will make reasonable efforts to provide notice and obtain consent to any such uses as may be required by law.

12. Contact Information

If you have any questions about this Privacy Policy please contact us.

RiskRecon – Headquarters
560 West 200 South
Salt Lake City, UT 84101
USA

+1 (801) 758-0560

privacy@riskrecon.com
