Privacy Policy


Effective September 15, 2020

SecurityScorecard, Inc. (“SSC,” "we" or "us") is committed to the privacy of our customers (including those users utilizing our Services for free) and those who use our websites, including but not limited to www.securityscorecard.com (the “Sites”), and our products and services, including our cloud-based products or services (the “Services”). This Privacy Policy describes SSC’s policies and practices regarding our collection and use of your personal data or information and sets forth your privacy rights. We recognize that data privacy is an ongoing responsibility. We will from time to time update this Privacy Policy as we adopt new privacy practices and policies in response to updates in the law, to align with changing industry best-practices, and to reflect our product enhancements.

Types Of Information We Collect.

The following provides examples of the type of information that we collect from you and how we use that information.

Context

Types of Data

Primary Purpose for Collection and Use of Data

Customer User Information

We collect the name, username, and contact information of our customers and their employees with whom we may interact.

We have a legitimate interest in contacting our customers and communicating with them concerning normal business administration such as projects, services, and billing.

Account Information (Customer User)

We collect personal data from our customers when they create an account to access and use the Services or request certain free Services from our Sites. This information could include business contact information such as name, email address, title, company information, and password for our services.

We have a legitimate interest in providing account related functionalities to our users, monitoring account logins, and detecting potential fraudulent logins or account misuse. Additionally, we use this information to fulfill our contract to provide you with Services.

Contact Information (Vendors)

Users of our service may ask their vendors or service providers to submit company and security related information on our platform (e.g., to complete a security questionnaire). When a user invites a vendor we collect the name and email address of the vendor.

We have a legitimate interest in contacting vendors on behalf of our customers in order to invite them to communicate with companies through our platform. Among other things, the communication allows our customers to efficiently solicit, and receive, security questionnaires, and allows vendors to efficiently solicit, and transmit, security questionnaires. Additionally, we use this information to fulfill our contract to provide Services which may include soliciting, receiving, transmitting, and hosting responses to security questions.

Account Information (Vendors)

We collect personal data from vendors when they create an account to access and use the Services or request certain free Services from our Sites. This information could include business contact information such as name, email address, title, company information, and password for our services.

We have a legitimate interest in providing account related functionalities to our vendor-users, monitoring account log-ins, and detecting potential fraudulent logins or account misuse. Additionally, in some cases, we use this information to fulfill our contract to provide vendor-users with Services.

Cookies and First Party tracking

We use cookies and clear GIFs. “Cookies” are small pieces of information that a website sends to a computer’s hard drive while a web site is viewed.

We have a legitimate interest in making our website operate efficiently.

Cookies and Third Party Tracking

We participate in behavior-based advertising. This means that a third party uses technology (e.g., a cookie) to collect information about your use of our website so that they can provide advertising about products and services tailored to your interests on our website, or on other websites.

Where required by law, we base the use of third party cookies upon consent.

Demographic Information

We collect personal information, such as your location and IP address.

We have a legitimate interest in understanding our users and providing tailored services.

Email Interconnectivity

If you receive email from us, we use certain tools to capture data related to when you open our message, click on any links or banners it contains and make purchases.

We have a legitimate interest in understanding how you interact with our communications to you.

Employment

If you apply for a job posting, or become an employee, we collect information necessary to process your application or to retain you as an employee. This may include, among other things, your Social Security Number. Providing this information is required for employment.

We use information about current employees to perform our contract of employment, or the anticipation of a contract of employment with you. In some contexts, we are also required by law to collect information about our employees. We also have a legitimate interest in using your information to have efficient staffing and work force operations.

Feedback/Support

We collect personal data from you contained in any inquiry you submit to us regarding our Sites or Services, such as completing our online forms, calling, or emailing for the purposes of general inquiries, support requests, or to report an issue. When you communicate with us over the phone, your calls may be recorded and analyzed for training, quality control and for sales and marketing purposes. During such calls we will notify you of the recording via either voice prompt or script.

We have a legitimate interest in receiving, and acting upon, your feedback, issues, or inquiries.

Mailing List

When you sign up for one of our mailing lists we collect your email address or postal address.

We share information about our products and services with individuals that consent to receive such information. We also have a legitimate interest in sharing information about our products or services.

Order Placement

We collect your name, billing address, shipping address, e-mail address, and phone number. To the extent that you have elected to pay using a credit card we also take (directly or through our payment processor) your payment card information.

We use and share your information to perform our contract to provide you with products or services.

Surveys

When you participate in a survey we collect information that you provide through the survey. If the survey is provided by a third party service provider, the third party’s privacy policy applies to the collection, use, and disclosure of your information.

We have a legitimate interest in understanding your opinions, and collecting information relevant to our organization.

Website interactions

We use technology to monitor how you interact with our website. This may include which links you click on, or information that you type into our online forms. This may also include information about your device or browser.

We have a legitimate interest in understanding how you interact with our website to better improve it, and to understand your preferences and interests in order to select offerings that you might find most useful. We also have a legitimate interest in detecting and preventing fraud.

Web logs

We collect information, including your browser type, operating system, Internet Protocol (IP) address (a number that is automatically assigned to a computer when the Internet is used), domain name, click-activity, referring website, and/or a date/time stamp for visitors.

We have a legitimate interest in monitoring our networks and the visitors to our websites. Among other things, it helps us understand which of our services is the most popular.

In addition to the information that we collect from you directly, we may also receive information about you from other sources, including third parties, business partners, our affiliates, or publicly available sources. For example, if you submit a job application, or become an employee, we may conduct a background check.

Use And Processing Of Information.

In addition to the purposes and uses described above, we use information in the following ways:

  • To identify you when you visit our websites.
  • To provide our Services.
  • To improve our Services and offerings.
  • To promote the security of our Site and Services.
  • To conduct analytics.
  • To respond to inquiries related to support, employment opportunities, or other requests.
  • To send marketing and promotional materials including information relating to our products, services, sales, or promotions, or those of our business partners.
  • For internal administrative purposes, as well as to manage our relationships.

Although the sections above describe our primary purpose in collecting your information, in many situations we have more than one purpose. For example, if you sign up for Services, we may collect your information to complete that transaction, but we also collect your information as we have a legitimate interest in maintaining your information after your transaction is complete so that we can quickly and easily respond to any questions about your Services. As a result, our collection and processing of your information is based in different contexts upon your consent, our need to perform a contract, our obligations under law, and/or our legitimate interest in conducting our business.

Sharing Of Information.

In addition to the specific situations discussed elsewhere in this policy, we disclose information in the following situations:

  1. Affiliates and Acquisitions. We may share information with our corporate affiliates (e.g., parent company, sister companies, subsidiaries, joint ventures, or other companies under common control). If another company acquires, or plans to acquire, our company, business, or our assets, we will also share information with that company, including at the negotiation stage.
  2. Other Disclosures with Your Consent. We may ask if you would like us to share your information with other unaffiliated third parties who are not described elsewhere in this policy.
  3. Other Disclosures without Your Consent. We may disclose information in response to subpoenas, warrants, or court orders, or in connection with any legal process, or to comply with relevant laws. We may also share your information in order to establish or exercise our rights, to defend against a legal claim, to investigate, prevent, or take action regarding possible illegal activities, suspected fraud, safety of person or property, or a violation of our policies, or to comply with your request for the shipment of products to or the provision of services by a third party intermediary.
  4. Service Providers. We share your information with service providers. Among other things, service providers help us to administer our website, conduct surveys, provide technical support, process payments, and assist in the fulfillment of orders.

Your Choices.

You can make the following choices regarding your personal information:

  1. Access To Your Personal Information. You may request access to your personal information by contacting us at the address described below. If required by law, upon request, we will grant you reasonable access to the personal information that we have about you. We will provide this information in a portable format, if required. Note that California residents may be entitled to ask us for a notice describing what categories of personal information (if any) we share with third parties or affiliates for direct marketing.
  2. Changes To Your Personal Information. We rely on you to update and correct your personal information. Most of our websites allow you to modify or delete your account profile. If our website does not permit you to update or correct certain information, you may contact us at the address described below in order to request that your information be modified. Note that we may keep historical information in our backup files as permitted by law.
  3. Deletion Of Your Personal Information. Typically we retain your personal information for the period necessary to fulfill the purposes outlined in this policy, unless a longer retention period is required or permitted by law. You may, however, request information about how long we keep a specific type of information, or request that we delete your personal information by contacting us at the address described below. If required by law we will grant a request to delete information, but you should note that in many situations we must keep your personal information to comply with our legal obligations, resolve disputes, enforce our agreements, or for another one of our business purposes.
  4. Objection to Certain Processing. You may object to our use or disclosure of your personal information by contacting us at the address described below.
  5. Online Tracking. We do not currently recognize automated browser signals regarding tracking mechanisms, which may include "Do Not Track" instructions.
  6. Promotional Emails. You may choose to provide us with your email address for the purpose of allowing us to send free newsletters, surveys, offers, and other promotional materials to you, as well as targeted offers from third parties. You can stop receiving promotional emails by following the unsubscribe instructions in e-mails that you receive. If you decide not to receive promotional emails, we may still send you service related communications.
  7. Revocation Of Consent. If you revoke your consent for the processing of personal information then we may no longer be able to provide you services. In some cases, we may limit or deny your request to revoke consent if the law permits or requires us to do so, or if we are unable to adequately verify your identity. You may revoke consent to processing (where such processing is based upon consent) by contacting us at the address described below.

Please address written requests and questions about your rights to [email protected] or call us at 1-800-682-1707.

Note that, as required by law, we will require you to prove your identity. We may verify your identity by phone call or email. Depending on your request, we will ask for information such as your name or other account information. We may also ask you to provide a signed declaration confirming your identity. Following a request, we will use reasonable efforts to supply, correct or delete personal information about you in our files.

In some circumstances, you may designate an authorized agent to submit requests to exercise certain privacy rights on your behalf. We will require verification that you provided the authorized agent permission to make a request on your behalf. You must provide us with a copy of the signed permission you have given to the authorized agent to submit the request on your behalf and verify your own identity directly with us. If you are an authorized agent submitting a request on behalf of an individual you must attach a copy of the following information to the request:

  1. A completed, signed and notarized form indicating that you have authorization to act on the consumer’s behalf.
  2. If you are a business, proof that you are registered with the Secretary of State to conduct business in California.

If we do not receive both pieces of information, the request will be denied.

How We Protect Personal Information

No method of transmission over the Internet, or method of electronic storage, is fully secure. While we use reasonable efforts to protect your personal information from unauthorized access, use, or disclosure, we cannot guarantee the security of your personal information. In the event that we are required by law to inform you of a breach to your personal information we may notify you electronically, in writing, or by telephone, if permitted to do so by law.

Some of our websites permit you to create an account. When you do you will be prompted to create a password. You are responsible for maintaining the confidentiality of your password, and you are responsible for any access to or use of your account by someone else that has obtained your password, whether or not such access or use has been authorized by you. You should notify us of any unauthorized use of your password or account.

Other Important Information

The following additional information relates to our privacy practices:

  • Transmission Of Information To Other Countries. SSC is located in the United States. Our service providers and other third parties you may interact with in connection with our Services may be located in the United States and other countries around the world. As a result, your information may be processed in a foreign country where privacy laws may be less stringent than the laws in your country. Nonetheless, where possible we take steps to treat personal information using the same privacy principles that apply pursuant to the law of the country in which we first received your information. By submitting your personal information to us you agree to the transfer, storage and processing of your information in a country other than your country of residence including, but not necessarily limited to, the United States. To the extent personal information is collected and subsequently transferred out of the European Economic Area, the transfer will take place consistent with the Standard Contractual Clauses. If you would like more information concerning our attempts to apply the privacy principles applicable in one jurisdiction to data when it goes to another jurisdiction you can contact us using the contact information below.
  • Third Party Applications/Websites. We have no control over the privacy practices of websites or applications that we do not own.
  • Changes To This Privacy Policy. We may change our privacy policy and practices over time. To the extent that our policy changes in a material way, the policy that was in place at the time that you submitted personal information to us will generally govern that information unless we receive your consent to the new privacy policy. Our privacy policy includes an “effective” and “last updated” date. The effective date refers to the date that the current version took effect. The last updated date refers to the date that the current version was last substantively modified.
  • Accessibility. If you are visually impaired, you may access this notice through your browser’s audio reader.
  • Information for California Residents. California law indicates that organizations should disclose whether certain categories of information are collected, “sold” or transferred for an organization’s “business purpose” (as those terms are defined under California law). You can find a list of the categories of information that we collect and share here. Please note that because this list is comprehensive it may refer to types of information that we share about people other than yourself. If you would like more information concerning the categories of personal information (if any) we share with third parties or affiliates for those parties to use for direct marketing please submit a written request to us using the information in the "Contact Information" section below. We do not discriminate against California residents who exercise any of their rights described in this Privacy Policy.

Contact Information. If you have any questions, comments, or complaints concerning our privacy practices please contact us at the appropriate address below. We will attempt to respond to your requests and to provide you with additional privacy-related information.

[email protected]
Attn: Privacy Team
111 West 33rd Street, 11th Floor
New York, NY 10001
1-800-682-1707

If you are not satisfied with our response, and are in the European Union, you may have a right to lodge a complaint with your local supervisory authority.

California Information Sharing Disclosure

California Civil Code Sections 1798.115(c), 1798.130(a)(5)(c), 1798.130(c), and 1798.140 indicate that organizations should disclose whether the following categories of personal information are collected, transferred for “valuable consideration,” or transferred for an organization’s “business purpose” (as those terms are defined under California law). We do not “sell” your personal information. The table below indicates the categories of personal information we collect and transfer in a variety of contexts. Please note that because this list is comprehensive, it may refer to types of information that we collect and share about people other than yourself. For example, while we transfer credit card or debit card numbers for our business purpose in order to process payments for orders placed with us, we do not collect or transfer credit card or debit card numbers of individuals that submit questions through our website’s “contact us” page.

Categories of Personal Information That We Collect

To Whom We Disclose Personal Information for Business Purpose

Identifiers – this may include name, postal address, phone number, unique personal identifier, online identifier, internet protocol (IP) address, device ID, email address, account name, signature, or other similar identifiers.

  • Advertising networks
  • Affiliates or subsidiaries
  • Business partners
  • Data analytics providers
  • Government entities
  • Internet service providers
  • Operating systems and platforms
  • Other Service Providers
  • Payment processors and banks
  • Product and service fulfillment companies
  • Social media platforms & networks

Financial information – this may include bank account number, credit or debit card number, or other financial information.

  • Government entities
  • Internet service providers
  • Operating systems and platforms
  • Other Service Providers
  • Payment processors and banks
  • Service fulfillment companies

Commercial information – this may include information about products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

  • Advertising networks
  • Affiliates or subsidiaries
  • Business partners
  • Data analytics providers
  • Government entities
  • Internet service providers
  • Operating systems and platforms
  • Other Service Providers
  • Payment processors and banks
  • Product and service fulfillment companies

Network activity data – this may include internet or other electronic network activity information, such as browsing history, search history, and information regarding an individual’s interaction with an internet website, application, or advertisement.

  • Affiliates or subsidiaries
  • Data analytics providers
  • Government entities
  • Internet service providers
  • Operating systems and platforms
  • Other Service Providers

Geolocation data – this may include precise physical location.

  • Data analytics providers
  • Internet service providers
  • Other Service Providers

Electronic data – this may include audio, electronic, or similar information (e.g., a recording of a customer service call).

  • Government entities
  • Other Service Providers

Professional/employment information – this may include occupation and professional references.

  • Government entities
  • Other Service Providers