Privacy Policy

Effective January 1, 2020

BY USING OUR SERVICES, YOU ACCEPT AND AGREE TO THE TERMS OF THIS PRIVACY POLICY. BY ACCEPTING THE TERMS OF THIS PRIVACY POLICY, YOU REPRESENT AND WARRANT THAT YOU ARE ABLE TO PROVIDE INFORMATION EITHER ON YOUR OWN BEHALF OR ON BEHALF OF ANY COMPANY YOU REPRESENT. IF YOU DO NOT AGREE TO BE BOUND BY THE TERMS OF THIS PRIVACY POLICY YOU MAY NOT USE THE SERVICES.

Introduction

SecurityScorecard, Inc. (“SSC,” “we” or “us”) is committed to safeguarding the privacy of our customers and those who use our websites, including but not limited to www.securityscorecard.com (the “Sites”), and our products and services, including our cloud-based products or services (the “Services”). This Privacy Policy describes SSC’s policies and practices regarding our collection and use of your personal data or information and sets forth your privacy rights. We recognize that data privacy is an ongoing responsibility. We will from time to time update this Privacy Policy as we adopt new privacy practices and policies in response to updates in the law, to align with changing industry best practices, and to reflect our product enhancements.

Information Covered Under This Policy

This Privacy Policy applies to the processing of your personal data collected by us when you visit our Sites, use our Services as an authorized user (for example, as an employee of one of our customers who provided you with access to our Services), visit our social media pages, visit our offices, receive communications from us (including emails, phone calls, texts or fax), or register for, attend or take part in our events, webinars, or contests.

Personal data is any information that identifies you or would enable someone to contact you, which may include your name, email address, phone number and other non-public information that is associated with such information.

Information Not Covered Under This Policy

This Privacy Policy does not include aggregate information, anonymous information or any other non-personally identifiable information.

Unless expressly set forth herein, this Privacy Policy does not apply to any unsolicited information you provide to us through the Site or the Services or through any other means, such as information posted to any public areas, any ideas for new services or modifications to existing Services, and other unsolicited submissions (collectively, “Unsolicited Information”). All Unsolicited Information shall be deemed to be non-confidential and we shall be free to reproduce, use, disclose, and distribute such Unsolicited Information to others without limitation or attribution.

This Privacy Policy does not cover how our customers and other third parties may use the data that we provide to them in connection with our Services. Our Site and Services may contain links to other websites, applications, and services maintained by third parties. The information practices of other services, or of social media platforms that host our branded social media pages, are governed by their privacy policies, which you should review to better understand their privacy practices.

This Privacy Policy also does not apply to the extent we process personal data in the role of a processor or service provider on behalf of our customers, including where we offer our customers our cloud-based products and services through which our customers (or their affiliates): (i) send electronic communications to others; or (ii) otherwise collect, use, share or process any personal data via such cloud products and services.

For detailed privacy information related to a SSC customer or a customer’s affiliate who uses the SSC cloud products and services as the controller, please contact our customer directly. We are not responsible for the privacy or data security practices of our customers, which may differ from those explained in this Privacy Policy.

Information We Collect

SSC collects personal data about those who interact with us through our Sites and Services. We collect this information from you when you give it to us, when we get it from your use of our Sites or Services, or when we receive it from other sources of information collected by third parties on our Site.

Information you give us. SSC collects information directly from you when you provide it to us through our Sites or Services. The personal data we collect directly from you might include: personal identifiers (name), professional or employment-related information (company affiliation, title), contact information (email, phone), financial account information, commercial information, visual information (photos and images uploaded to our Sites or Services), and internet activity information. You are solely responsible for the personal data you choose to submit.

Account information. We collect personal data from you when you create an account to access and use the Services or request certain free Services from our Sites. This information could include your business contact information such as name, email address, mailing address, phone number, title, and company information. If you register for an online community that we host, we may ask you to provide a username, photo or other biographical information, such as your occupation, location, social media profiles, company name, areas of expertise and interests.

Inquiry and Support information: We collect personal data from you contained in any inquiry you submit to us regarding our Sites or Services, such as completing our online forms, calling, or emailing for the purposes of general inquiries, support requests, or to report an issue. When you communicate with us over the phone, your calls may be recorded and analyzed for training, quality control and for sales and marketing purposes. During such calls we will notify you of the recording via either voice prompt or script.

Notification information. We collect personal data that you provide to us for the purpose of subscribing to our email notifications and/or newsletters.

Correspondence information. We collect personal data that you provide to us contained in or relating to any communication that you send to us, including survey data.

Event and Office information. We collect personal data from you if you (a) attend an event hosted by SSC, or (b) visit our offices. Such personal data may include your name, title, company name, address, country, phone number, email address, and arrival time.

Information we get from your use of our Sites and Services. We collect personal data when you interact with our Sites and Services.

Identifiers. When you interact with us through our Sites or Services, we may receive and store certain personally identifiable information along with anonymized data, which is collected passively using various technologies, including cookies, web beacons or similar technologies. We may store such information ourselves or such information may be included in databases owned and maintained by our affiliates, agents or service providers.

Log Data. As is true of most websites, we gather certain information automatically. This information may include Internet protocol (IP) addresses, browser type, Internet service provider (ISP), referring/exit pages, the files viewed on our site (e.g., HTML pages, graphics, etc.) and other usage behavior, operating system, device information, device location, date/time stamp, and/or clickstream data to analyze trends in the aggregate and administer the site.

Tracking Technologies - Cookie Data. We and our partners use cookies or similar technologies to analyze trends, administer our Sites, track users’ movements around the Sites, and to gather demographic information about our user base as a whole. You can control the use of cookies at the individual browser level, but if you choose to disable cookies, it may limit your use of certain features or functions on our Sites or Services.

Telephony log information. If you use certain features of our Services on a mobile device, we may also collect telephony log information (like phone numbers, time and date of calls, duration of calls, SMS routing information and types of calls), device event information (such as crashes, system activity, hardware settings, browser language), and location information (through IP address, GPS, and other sensors that may, for example, provide us with information on nearby devices, Wi-Fi access points and cell towers).

Information we receive or collect from other sources.

Third-party data: We may receive personal information about you from other sources, including publicly available databases or third parties from whom we have purchased data, and combine this data with information we already have about you. We may receive information you post for publication on the Sites, or that you have otherwise made publicly available through third parties. Such profile and publication data helps us to update, expand and analyze our records, identify new customers, and provide products and services that may be of interest to you. If you provide us personal data about others, or if others give us your information, we will only use that information for the specific reason for which it was provided to us.

Information collected by third parties on our sites.

Social media information: Our Site may use social media features and widgets such as Facebook, Twitter and LinkedIn or interactive mini programs that run on our Sites. These features may collect your Internet protocol address, which page you are visiting on our Sites, and may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on our Sites. To the extent the social media features are hosted by the platforms themselves, and you click through to these from a Site, the platform may receive information showing that you have visited our Site. If you are logged in to your social media account, it is possible that the respective social media network can link your visit to our Sites with your social media profile. Your interactions with these features are governed by the privacy statement of the company providing it.

Aggregated Data. We may accumulate and aggregate certain statistical and related data in order to improve the performance and functionality of the Sites and Services, to develop new products and/or services or to analyze the usage of the Sites and Services. As noted above, we may use aggregated data for such purposes as we, in our sole discretion, deem to be appropriate.

We are the sole owner of information collected on the Site and Services (including any metadata), except for vendor lists and contact information that you provide to us in connection with your use of our Sites and Services.

How We Use (or Process) Your Personal Information

SSC uses and processes your information for various legitimate purposes that have a specific legal basis. We use your information only as necessary to fulfill such purposes as set forth in this Privacy Policy and we will only use this information as described in this Privacy Policy.

We may use and process your personal data for the following business purposes:

Providing our Sites and Services: We process your personal data to perform our contract with you for the use of the Sites and Services and to fulfill our obligations under the applicable terms of use and service; if we have not entered into a contract with you, we base the processing of your personal data on our legitimate interest to operate and administer our Sites and to provide you with content you access and request (e.g., to download content from our Sites);

Promoting the security of our Site and Services: We process your personal data by tracking use of our Sites and Services, creating aggregated non-personal data, verifying accounts and activity, investigating suspicious activity, and enforcing our terms and policies to the extent it is necessary for our legitimate interest in promoting the safety and security of the Services, systems and applications and in protecting our rights and the rights of others;

Providing necessary functionality: We process your personal data to perform our contract with you for the use of our Sites and Services; if we have not entered into a contract with you, we base the processing of your personal data on our legitimate interest to provide you with the necessary functionality required for your use of our Sites and Services;

Managing user registrations: If you have registered for an account with us, we process your personal data by managing your user account for the purpose of performing our contract with you according to applicable terms of service;

Handling contact and user support requests: If you fill out a web form or otherwise request user support, or if you contact us by other means including via a phone call, we process your personal data to perform our contract with you and to the extent it is necessary for our legitimate interest in fulfilling your requests and communicating with you;

Managing event registrations and attendance: We process your personal data to plan and host events or webinars for which you have registered or that you attend, including sending related communications to you, to perform our contract with you;

Managing contests or promotions: If you register for a contest or promotion, we process your personal data to perform our contract with you. Some contests or promotions have additional rules containing information about how we will process your personal data;

Managing payments: If you have provided financial information to us, we process your personal data to verify that information and to collect payments to the extent that doing so is necessary to complete a transaction and perform our contract with you;

Developing and improving our Sites and Services: We process your personal data to analyze trends and to track your usage of and interactions with our Sites and Services to the extent it is necessary for our legitimate interest in developing and improving our Sites and Services and providing our users with more relevant content and service offerings, or where we seek your valid consent;

Assessing and improving user experience: We process device and usage data as described above, which in some cases may be associated with your personal data, to analyze trends and assess and improve the overall user experience to the extent it is necessary for our legitimate interest in developing and improving the service offering, or where we seek your valid consent;

Reviewing compliance with applicable usage terms: We process your personal data to review compliance with the applicable usage terms in our customer’s contract to the extent that it is in our legitimate interest to ensure adherence to the relevant terms;

Assessing capacity requirements: We process your personal data to assess the capacity requirements of our Services to the extent that it is in our legitimate interest to ensure that we are meeting the necessary capacity requirements of our service offering;

Identifying customer opportunities: We process your personal data to assess new potential customer opportunities to the extent that it is in our legitimate interest to ensure that we are meeting the demands of our customers and their users’ experiences;

Registering office visitors: We process your personal data for security reasons, to register visitors to our offices and to manage non-disclosure agreements that visitors may be required to sign, to the extent such processing is necessary for our legitimate interest in protecting our offices and our confidential information against unauthorized access;

Displaying personalized advertisements and content: We process your personal data to conduct marketing research, advertise to you, provide personalized information about us on and off our Sites and to provide other personalized content based upon your activities and interests to the extent it is necessary for our legitimate interest in advertising our Sites or, where necessary, to the extent you have provided your prior consent;

Sending marketing communications: We will process your personal data or device and usage data, which in some cases may be associated with your personal data, to send you marketing information, product recommendations and other non-transactional communications (e.g., marketing newsletters, telemarketing calls, SMS, or push notifications) about us and our affiliates and partners, including information about our Services, promotions or events as necessary for our legitimate interest in conducting direct marketing or to the extent you have provided your prior consent; and

Complying with legal obligations: We process your personal data when cooperating with public and government authorities, courts or regulators in accordance with our legal obligations under applicable laws to the extent this requires the processing or disclosure of personal data to protect our rights or is necessary for our legitimate interest in protecting against misuse or abuse of our Sites or Services, protecting personal property or safety, pursuing remedies available to us and limiting our damages, complying with judicial proceedings, court orders or legal processes, responding to lawful requests, or for auditing purposes.

When and How We Share Information with Others

We do not sell your personal data. There are, however, certain circumstances in which we may share your personal data with third parties without further notice to you.

We may share your information in connection with business transfers, to affiliates, service providers, agents, consultants and related third parties, partners and resellers, and to comply with legal requirements, as further described below.

Business transfers. As we develop our business, we might sell or buy businesses or assets. In the event of a corporate sale, merger, reorganization, dissolution or similar event, personal data may be part of the transferred assets or otherwise shared.

Related parties. We may also share your personal data with our affiliates for purposes consistent with this Privacy Policy. We may share your information with others within your organization (including any affiliates or any other individuals designated as users on your company’s account).

Service providers, agents, consultants, subcontractors and third parties. Occasionally, we enter into contracts with carefully selected third parties so that they can assist us in maintaining, servicing and improving our Sites and Services (for example, providing or maintaining databases, processing payment, fraud detection and deterrence or access to advertising assets), to assist us in our own marketing and advertising activities or to engage in co-marketing activities with us. Our contracts with such third parties prohibit them from using any of your personal data for any purpose beyond the purpose for which it was shared.

Partners and resellers. We may share your personal data with our partners and resellers so that they can assist you in using our Services and sell or resell our Services to you.

Legal requirements. We may disclose your personal data when such disclosure is necessary or advisable, in our sole discretion, to conduct an investigation, respond to a third-party or law enforcement subpoena or court order, bring legal action, prevent harm to others or pursue other relief when you or a third party are or may be: (i) violating our terms and conditions of use; (ii) causing injury or other harm to, or otherwise violating our property or other legal rights, or those of other users of our Sites and Services or third parties; or (iii) violating federal, state, local, or other applicable law. This disclosure may include transferring information to the U.S. and outside the European Economic Area.

Anonymized Data. We may also share aggregated and non-personal data with any third party, including the media and industry observers. For example, we may disclose security trends or the number of customers that have evaluated or purchased our Services.

Accessing and Updating Your Personal Information

This Privacy Policy is intended to provide you with information about what personal data SSC collects about you and how it is used. Upon request we will provide you with information about whether we hold any of your personal data and allow you to access, correct, or request deletion of such information.

Upon request we will provide you with information about whether we hold any of your personal data. You may access, correct, or request deletion of your personal data by logging into your account or contacting us at [email protected]. We will respond to your request within a reasonable timeframe and we try to respond to all legitimate requests within one month. We may contact you if we need additional information from you in order to honor your request. Occasionally it may take us longer than a month, taking into account the complexity and number of requests we receive. Please be aware that even after we have processed your request for such a change, we may retain certain residual information in the backup and/or archival copies of our database.

In the event you close any account in connection with the Services, your account will be deactivated, and your name and other personal data will no longer be accessible by you. We may retain your personal data for as long as your account is active or to provide you Services, improve our Services, comply with our legal obligations, resolve disputes and enforce our agreements.

Links from the Site

Certain pages of the Site and Services may, from time to time, contain external links. You should verify and validate any and all privacy practices of other websites. We encourage you not to provide personal data, without first assuring yourself of the privacy policies of such other websites.

WE ARE NOT RESPONSIBLE IN ANY WAY FOR ANY USE AND/OR MISUSE OF ANY PERSONAL DATA OR OTHER INFORMATION PROVIDED BY YOU AT SUCH OTHER WEBSITES.

How We Keep Your Information Secure

To help protect the privacy of data and personal information you transmit through use of our Sites, we maintain industry-appropriate physical, technical and administrative safeguards.

We take reasonable industry-appropriate steps to protect the personal data provided via the Sites and Services from loss, misuse, and unauthorized access, disclosure, alteration, or destruction. We limit access to your personal data and/or your information on the Services with password-protection (it is your responsibility to protect the security of any of your login information). We update and test our security technology on an ongoing basis. We restrict access to your personal data to those employees who need to know that information to provide benefits or Services to you. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information.

Notwithstanding our efforts, we cannot guarantee absolute or unqualified protection of this information given the open nature and resulting instability of the Internet, and we make no representations or warranties as to the effectiveness of our security and assume no liability for security breaches or any failure in the security of your computer equipment, your internet service provider or other networks and communications providers. If you have any questions about the security of your personal data, you can contact us at [email protected].

Children

We do not knowingly attempt to solicit or receive information from children. Our Sites and Services are not directed to persons under 18. We do not knowingly collect personal data, or any information, from children under 18. If a parent or guardian becomes aware that his or her child has provided us with personal data without such parent or guardian’s consent, he or she should contact us. If we become aware that a child under 18 has provided us with personal data, we will delete such information from our files.

International Transfers

SSC is based in the United States. Our service providers and other third parties you may interact with in connection with our Services may be located in the United States and other countries around the world, including countries that may not offer the same level of protection for personal data as that offered in the United States. By accessing or using our Sites or Services in the United States or any other country or jurisdiction, you consent to such transfer and processing of your information.

Personal data may be accessed by us or transferred to us in the United States or to our affiliates, service providers, agents, consultants and related third parties, partners and resellers, or service providers elsewhere in the world. By providing us with personal data, you consent to this transfer. We will protect the privacy and security of personal data according to this Privacy Policy, regardless of where it is processed or stored; however, you explicitly acknowledge and consent to the fact that personal data stored or processed in the United States will be subject to the laws of the United States, including the ability of governments, courts or law enforcement or regulatory agencies of the United States to obtain disclosure of your personal data.

California Privacy Rights

This section provides additional details about the personal data we collect about California consumers and the rights afforded to them under the California Consumer Privacy Act (“CCPA”).

California consumers have certain rights afforded to them under the California Consumer Privacy Act. The CCPA requires businesses to disclose whether they sell “personal data”. As a business covered by the CCPA, we do not sell personal data. We may share personal data with third parties or allow them to collect personal data from our sites or Services if those third parties are authorized service providers or business partners who have agreed to our contractual limitations as to their retention, use, and disclosure of such personal data, or if you use the Site or Services to interact with third parties or direct us to disclose your personal data to third parties. California law requires that we detail the categories of personal data that we share or disclose for certain “business purposes,” such as disclosures to service providers that assist us with securing our Services or marketing our Services.

We disclose the following categories of personal data for our business purposes:

  • Identifiers;
  • Commercial information;
  • Internet activity information;
  • Financial information;
  • Professional and employment-related information;
  • Education information; and
  • Inferences drawn from any of the above information categories.

Subject to certain limitations, the CCPA provides California consumers the right to request to know more details about the categories or specific pieces of personal data we collect (including how we use and disclose this information), to delete their personal data, to opt out of any “sales” that may be occurring, and not to be denied goods or services for exercising these rights.

If you are a California resident under the age of 18 and have registered for an account with us, you may ask us to remove content or information that you have posted to our Sites. Please note that your request does not ensure complete or comprehensive removal of the content or information, because, for example, some of your content may have been reposted by another user.

If you are an authorized agent wishing to exercise rights on behalf of a California resident, please contact us using the information in the “Our Contact Information” section below and provide us with a copy of the consumer’s written authorization designating you as their agent. We may verify your request using the information associated with your account, including email address.

Our Contact Information

We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy.

SSC is headquartered in New York, in the United States. We have designated an internal Privacy Manager for you to contact if you have any questions or concerns about SSC’s personal data policies or practices. To exercise your rights regarding your personal data or if you have questions regarding this Privacy Policy or our privacy practices please contact us, email us at [email protected], call us at 1-800-682-1707, or write to us at:

SecurityScorecard, Inc.
Attn: Privacy Team
111 West 33rd Street, 11th Floor
New York, NY 10001

Notification of Changes

Your access to and use of the Site and the Services is strictly conditioned upon your agreement with and consent to the terms and conditions of this Privacy Policy. In the event of any material modification by us to this Privacy Policy, we will notify you as described below.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, and other factors. If we do, we will update the “effective date” at the top. If we make a material update, we may provide you with notice prior to the update taking effect, such as by posting a conspicuous notice on our Sites or by contacting you directly.

We encourage you to periodically review this Privacy Policy to stay informed about our collection, processing and sharing of your personal data.