Updated: August 16, 2018
At RiskRecon, Inc. (“RiskRecon” or “we”), we help clients understand and manage third-party risk, with particular attention to cyber risk performance of vendors. Using information we collect about organizations’ systems and activities, we utilize our SaaS-based platform to assess and analyze potential risks against multiple criteria (“Services”). In performing our Services, we collect some information from client representatives.
RiskRecon allows users to access the Site in order to learn about RiskRecon, the company and our services, or to utilize the services we provide.
“Personal Information” means information that may be used to readily identify, contact, or locate a specific person, such as: name, address, email address, or telephone number. We do not consider Personal Information to include information that has been de-identified (i.e., disconnected from other information) or aggregated so that it does not allow a third party to easily identify a specific individual. When you register with the Sites to contact RiskRecon, to request additional information, or to access our Services, you will be required to provide Personal Information, including your name and email address; you will also be required to disclose your relevant organization or company affiliation, and you will have the option to provide other information.
“Usage Information” means certain information that could be used to personally identify a user, but is not necessarily used to do so, and certain non-identifiable information that we or our third-party service providers may collect through a variety of technologies (e.g., log files or cookies, discussed below) that automatically or passively collect certain information from users as they visit or interact with the Sites or receive Services. Usage Information includes internet protocol (“IP”) addresses, browser types, user operating systems, internet service provider (ISP), referring/exit pages (i.e., the URL that immediately referred users to the Sites and the URL immediately visited upon leaving the Sites), platform type, date/time stamp, general location data (e.g., postal code, city, or neighborhood), and number of clicks to analyze trends, administer the Sites, track users’ movement in the aggregate, and gather broad demographic information for aggregate use. In particular, we collect information about the manner in which the Sites are used and the devices used to access the Sites and to collect data to improve the performance and features of the Sites. Usage Information is not necessarily associated with Personal Information. If we associate Usage Information with Personal Information, we will treat it as Personal Information.
RiskRecon Users Registering and Logging into the Sites – We collect Personal Information from you when you register to receive Services through the Sites, via email with us, or over the telephone. After you provide information to create a profile or an account, you can log in to our Sites using a Single Sign-On (SSO) service. This service will authenticate your identity and provide you the option to share certain personal information with us such as your name and email address to pre-populate our sign-up form.
Collection of Information from Third Parties – From time to time, we may receive Personal Information about you from third party sources including partners with which we offer co-branded services or engage in joint marketing activities, and publicly available sources such as social media websites.
Cookies, Automatic Data Collection, and Related Technologies. Once a user accesses the Sites or receives Services, we may receive, collect, and store Usage Information through automatic data collection tools including cookies, pixel tags, web beacons, embedded web links, and similar technology. Usage Information collected is used to compile overall statistics. The statistics help us decide which products and services best serve our members and guests.
By accessing the Sites and using the Services, you are authorizing us to gather, parse, and retain data, including Personal Information and Usage Information, related to the provision of the Services.
RiskRecon Users – We will display your Personal Information on your account profile page and elsewhere on the Sites depending on your preferences and use. We will use your Personal Information, Usage Information, and other information you provide to us to provide our Services, communicate with you about Services, respond to support requests, add you to our newsletter, marketing, and announcement distribution lists, validate user login identity, and provide targeted or tailored advertising using Google Analytics and HubSpot. In certain circumstances, we may display testimonials from customers based on feedback and comments provided to us and identify customers and affiliated companies by name. Except as agreed by you and under the terms of this Policy, or as required by law, we will not share your information with third parties. We may store certain data regarding account registration or engagement or purchase of Services with third parties, but employees of such third parties do not have access to your information. We do not sell your Personal Information to third parties for marketing or other purposes; we will strictly follow the sharing and disclosure policy as defined here in this Section 3 of our Policy.
Service Providers, Business Providers, and Others – We may employ third party companies and individuals to facilitate provision of Services, to perform work on our behalf, to perform services related to the operation of the Sites (including but not limited to data storage, maintenance services, database management, web analytics, and improvement of the Sites’ features), or to assist us in analyzing how our Sites and Services are used. These third parties have access to your Personal Information or Usage Information only for the purposes of performing these tasks on our behalf.
Compliance with Laws and Law Enforcement – RiskRecon may preserve and has the right to disclose any information about you or your use of our Sites without your prior permission if we have a good faith belief that such action is necessary to: 1) protect and defend the rights, property, or safety of RiskRecon or its employees, affiliates, other users of the Sites, or the public; or 2) to comply with any applicable law, regulation, legal process, court order, subpoena, or a law enforcement agency or other governmental request.
Business Transfers – RiskRecon may sell, transfer, or otherwise share some or all of its assets, including your personally identifiable information, in connection with a merger, acquisition, reorganization or sale of assets, or in the event of bankruptcy.
Affiliated Businesses – In certain limited situations, businesses we’re associated with may sell or provide products or services to you either alone or jointly with us. We will share your Personal Information with an associated business only to the extent that it is related to a joint transaction or service with us.
Job Application Data – If a prospective employee’s application is successful, we may share job applicant information with other third parties to obtain references and perform background checks and other actions necessary for the employment process. If your application for a job is successful, your information gathered during the recruitment process will be transferred to your human resources files subject to our internal human resources policies and procedures and retained as employment data. If your application is unsuccessful, we may, with your consent, keep your information on file for future employment opportunities. You may withdraw your consent at any time.
We use reasonable technological, physical, and other measures to keep your information protected from unauthorized access. Unfortunately, no method of data transmission over the internet or method of electronic storage can be 100% secure. Therefore, while we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security. Accordingly, we cannot represent or warrant the security of any information you provide to us. We do not accept liability for unintentional disclosure. In the event of a data security incident requiring notice, we will endeavor to provide notice in accordance with applicable legal requirements.
By using the Services or providing Personal Information to us, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of the Services. If we learn of a security system’s breach, we may attempt to notify you electronically by posting a notice on the Services or by sending an email to you. You may have a legal right to receive this notice in paper or hard copy format. To receive free written notice of a security breach in paper or hard copy format (or to withdraw your consent from receiving electronic notice), please notify us at https://www.riskrecon.com.
The Sites are not intended for or targeted at children under 16 years of age, and we do not knowingly or intentionally collect information about children younger than 16. If you believe that we have collected information about a child under the age of 16, please contact us at https://www.riskrecon.com, so that we may delete the information.
The Sites may contain links to other sites. Please be aware that RiskRecon is not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our Sites and to read the privacy statements of sites administered by other persons or organizations that collect personal data. This Policy applies solely to information collected through our Sites.
RiskRecon may send newsletters or other promotional communications containing information such as educational information, announcements, and notifications of new services. If you wish not to receive these newsletters and promotional communications, you may opt-out of receiving them by following the instructions included in each newsletter or communication.
If you would like to opt out of targeted advertising on our Services, please refer to your browser’s technical information for instructions on how to delete and disable cookies and other tracking or recording tools. Please be aware that disabling cookies or similar tools may disable many of the features available through the Sites or Services.
Your account is protected by a password for your privacy and security. If you access your account via a third-party site or service, you may have additional or different sign-on protections via that third-party site or service. You must prevent unauthorized access to your account and Personal Information by selecting and protecting your password and/or other sign-on mechanism appropriately and limiting access to your computer or device and browser by signing off after you have finished accessing your account.
If you are a California resident, California Civil Code Section 1798.83 permits you to request information regarding the disclosure of your personal data by RiskRecon or its affiliates to a third party for the third party’s direct marketing purposes. To make such a request, you may contact us at https://www.riskrecon.com. But, again, it is our policy not to provide your Personal Information to third parties for their or others’ marketing purposes.
Lawful Basis if Subject to GDPR – If our processing of your information is subject to the General Data Protection Regulation 2016/679 (“GDPR”), we will use your information according to the following lawful bases for processing. But please note that these are only examples of processing under lawful bases, not an exhaustive list of processing under lawful bases and do not limit any current, past or future processing under a lawful basis that we may use to process your information if subject to the GDPR.
We will process your Personal Information in order to provide the Services. The lawful bases for processing your data may include:
You have the right to be informed about your personal data and how it is being processed, to access, correct and erase personal data, to restrict further processing, to obtain and reuse your data for your own purposes across different services and to object to processing. You also have the right to lodge a complaint with the relevant EU supervisory authority.
Cross-Border Transfer – If your information is transferred to us from a third party or to another recipient in a manner that requires it to leave the boundaries of the European Economic Area (“EEA”), we will ensure that at least one of the following shall apply: (i) the transfers will be to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission; (ii) we have used specific model contracts approved by the European Commission which are intended to give personal data the same protection it has in Europe; (iii) where we use providers based in the US, we may transfer information to them if they are part of the Privacy Shield, which requires them to provide similar protection to personal data shared between Europe and the US; or (iv) any alternative transfer mechanism that can under GDPR lawfully support the transfer. Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
Erasure – You may ask for your data to be erased from our system. We will comply with a request to erase all customer data, even though this means we will no longer be able to serve this individual as a customer, and all services and products will be revoked. We will also not erase any data that was posted on a third-party service, such as Facebook, and which the individual is able to erase on their own. Finally, an affiliate party that has requested the data of this customer (such as an entity that has provided the customer with one of our products) and already gained access to customer data in the past will need to be contacted separately by the customer.
Restriction of Processing – You may place a restriction on the processing of your data, and the request will be accommodated. But please note that restrictions on processing your data may inhibit your ability to utilize the Services.
Objection to Processing – A user may, at any time, object to our processing of his or her data. We will stop all processing of customer data if the objection was raised with respect to direct marketing purposes. If an objection was raised with respect to processing of data that is essential to the performance of our duties with respect to the Services, we will no longer be able to provide the Services to our customer.
RiskRecon – Headquarters
560 West 200 South
Salt Lake City, UT 84101
+1 (801) 758-0560