Company is a controller of the PII it processes in connection with management of its engagements with its customers and partners (e.g. contact personnel data, email communications and usage metrics). Company is a joint controller, together with its customers and partners, of PII made available by Company to such customers and partners, from Company’s data-lake (e.g. cyber threat intelligence). When Company processes PII on behalf of its customers (e.g. the customer submits a search query to Company’s solutions or Company acquires compromised data pursuant to a specific request from a data controller), Company is a data processor of such PII, to the extent applicable, and Company’s customer or Company’s partner’s customer, as the case may be, will be the data controller, and will be responsible to establish the lawful basis for processing and to ensure that data subjects can exercise their rights set forth in Section 9 below.
AS A USER OR OUR SERVICES AND/OR SOLUTIONS, YOU ARE NOT LEGALLY REQUIRED TO PROVIDE US WITH PII, HOWEVER, USE OF THE SERVICES REQUIRES THAT YOU PROVIDE PII. IF YOU CHOOSE TO WITHHOLD ANY PII REQUIRED IN RESPECT THEREOF, IT WILL NOT BE POSSIBLE FOR YOU TO USE THE SERVICES. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS SET FORTH HEREIN PLEASE DO NOT USE THE SERVICES.
“PII” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2. Information We Collect and How We Use It
Summary: We collect personal data about our customers’ and partners’ representatives who are contact persons or otherwise users of our Services. We also receive your queries on our Services, which may include PII. We use such PII in order to provide the Services, improve our solutions and services and enforce our agreement.
We also collect PII from various sources in the clear-web, deep-web and dark-web and sometimes purchase compromised PII on behalf of data controllers. We use such PII for purposes such as, assisting our customers and partners to mitigate or prevent security breaches, assisting law enforcement or other government agencies in investigation or indictment of suspected cyber-criminals and in cyber-security research and fulfillment of other similar legitimate interests.
In order to provide and operate our Services and provide services in connection therewith, we collect and process PII, including the following types of information:
Your Contact Information
When you subscribe to use the Services we ask you to provide PII, including: Full name, email address, phone number and the organization for whom you work.
When you use the Services, we automatically receive and record information from your browser and information related to such usage for analysis of your usage for improving our solutions and services, including without limitation information and statistics about your online/offline status, your IP address, device identifiers, internet service provider, connection speed, search history, type of browser, your regional and language settings and software and hardware attributes. Our systems automatically record and store technical information regarding the method and nature of your use of the Services, including without limitation your search queries, meta-data of search queries, which pages of the Services you viewed, exit and entrance pages and your use time of the Services. An IP address is a numeric code that identifies your browser on a network, or in this case, the Internet. Your IP address is also used to gather broad demographic information. The Company uses all of the PII identified in this Section in order to understand the usage trends and preferences of our users, including recent visits to our Services and how you move around different sections of our Services for analytics purposes and in order to make our Services more intuitive. We may also disclose aggregated user statistics in order to describe our services to current and prospective business partners, and to other third parties for other lawful purposes.
3. Data From Third Parties
We collect information from the clear-web, dark-web and deep-web and some-times also purchase compromised data on behalf of data controllers, which often includes also PII, in order to assist our customers and partners to mitigate, prevent and remediate cyber security risks and security breaches. We do that by, inter alia: (i) identifying data that may have been breached or leaked online (which often includes PII); (ii) tracking vulnerabilities and exploits targeting our customers; (iii) enabling organizations to remediate compromised credentials; and (iv) assisting organizations in researching security threats. We may also use such PII in order to comply with legal or ethical obligations or with any order of a court or competent authority.
4. User Communications
When you send emails or other communications to the Company, we retain those communications in order to process your inquiries, respond to your requests and improve our Services. We may send customers, partners and other subscribers periodic emails or newsletters and updates from Company’s blog, including promotional materials. Data subjects who wish to unsubscribe from the list may do so at any time by following the detailed instructions found at the bottom of each email they receive from the Company or send us a request here firstname.lastname@example.org. Please note that even if you opt-out of receiving the newsletters and communications, we may still send you transactional communications such as responses to any of your emails as well as administrative e-mails necessary to facilitate your use of our Services.
5. Aggregate and Analytical Data
In the effort to produce insights regarding use of the Services in order to improve our services and develop and improve new features and automated processes on our Services, we often conduct research on PII arising from use of our Services, including usage data and search queries. This research is compiled and analyzed on an aggregate basis, and we share this aggregate data with Company’s affiliates, agents and business partners and also disclose aggregated information in order to describe our services to current and prospective business partners or investors. This aggregate information does not identify you or your customers or employees personally.
In order to collect some of the data described herein we use temporary cookies that remain on your browser for a limited period of time. We also use persistent cookies that remain on your browser until the Company’s Services are removed, in order to manage and maintain the Services and record your use of the Services. Cookies by themselves cannot be used to discover the identity of the user. A cookie is a small piece of information which is sent to and stored on your browser. Cookies do not damage your browser. Most browsers allow you to block cookies but you may not be able to use some features on the Services if you block them. You may set most browsers to notify you if you receive a cookie (this enables you to decide if you want to accept it or not). We also use web beacons via the Services to collect information. Web beacons or “gifs”, are electronic images that are used in our Services or in our emails. We use Web beacons to deliver cookies, count visits and to tell if an email has been opened and acted upon.
We do not intentionally collect PII of minors.
9. Information Sharing
Summary: We transfer your PII to third parties who assist us in providing the Services. We have a contract with those third parties to govern their processing on our behalf. We may also transfer PII to comply with any obligations by which we are bound or to an investor or in connection with a merger or acquisition or similar transaction.
10. Data Security
We follow generally accepted industry standards to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of PII. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your PII, we cannot guarantee its absolute security. We retain your PII only for as long as reasonably necessary for the purposes for which it was collected or to comply with any applicable legal or ethical reporting or document retention requirements.
11. Data Retention
Summary: We retain PII only for as long as necessary to meet our legal and ethical obligations, which for different types of PII will be different periods.
Company will retain PII in accordance with its record retention policy. PII associated with our customers and business partners, will be retained for the duration of our engagement, and a period of seven years thereafter. The company performs periodic reviews of our databases, and have established specific time limits for data retention, based on the criticality of the PII and the purposes of the data processing. We will also retain PII to meet any audit, compliance and business best-practices.
PII with respect to which Company is the processor will be deleted only on instruction of the controller, except where such data must be retained by us due to a legitimate interest such as a legal obligation, protection against legal claims or post engagement customer service.
Personal Data that is no longer retained will be anonymized or deleted. Non-personal, non-identifiable, metadata and statistical information concerning the use of our Services are retained by Company indefinitely.
13. Rights of Data Subjects
Right of Access and Rectification
Data subjects have the right to know what PII we collect about them and to ensure that such data is accurate and relevant for the purposes for which we collected it. We allow data subjects the option to access and obtain a copy of their PII and to rectify such PII if it is not accurate, complete or updated. However, we may first ask data subjects to provide us certain credentials to permit us to identify their PII.
Right to Delete PII or Restrict Processing
Data subjects have the right to delete their PII or restrict its processing. We may postpone or deny such requests if the PII is in current use for the purposes for which it was collected or for other legitimate purposes such as compliance with legal obligations.
Right to Withdraw Consent
Data subjects have the right to withdraw their consent to the processing of their PII. Exercising this right will not affect the lawfulness of processing the PII based on consent obtained before its withdrawal.
Right of Data Portability
Where technically feasible, data subjects have the right to ask to transfer their PII in accordance with their right to data portability, if required pursuant to applicable law.
Data subjects may exercise the above rights by sending a request to email@example.com
Right to Lodge Complaint
Data subjects also have the right to lodge a complaint with a data protection supervisory authority regarding the processing of their PII.
16. Legal Justification and Consent To Processing
When Company processes PII on behalf of its customers (e.g. Company acquires compromised data on behalf of a controller or Company processes search queries of customers or partners), Company is a data processor. In such case, Company’s customer will be a data controller, and will be responsible to obtain the data subjects’ consent or establish any other applicable lawful basis for processing , and we rely on our contractual relationship with the controller (i.e. our customer or partner).
In respect of PII included in Company’s data-lake (e.g. cyber threat intelligence) we rely on a legitimate interest when collecting and retaining such PII, which is to provide cyber threat intelligence services, assist to prevent or investigate crimes or fraud and assist to protect confidential or personal information and in some cases we rely on basis that processing is necessary for the performance of a task carried out in the public interest (e.g. assistance to the European Union or a Member State or a third party authorized by them). Our customers and partners who search for such PII on our Services are deemed as data controllers as well and are required by us to collect and process such PII only based on a legal justification for processing.
17. Your California Privacy Rights and Do Not Track Notices
California Civil Code Section 1798.83 permits customers of Company who are California residents to request certain information regarding its disclosure of PII to third parties for their direct marketing purposes. To make such a request, please send an email to firstname.lastname@example.org. Please note that we are only required to respond to one request per customer each year.