Skip to main content
Request a Demo

Privacy Policy

DATE OF LAST REVIEW: OCTOBER 6, 2023

Definitions.

As used in this policy, the terms listed below will have the following meanings

“Anonymous Information” means information that does not relate to an identified or identifiable natural person or to Personal Data rendered unable to identify a natural person. “Anonymized” or “Anonymization” is the process of making information anonymous.

“CAL™” or “Collective Analytics Layer” is a proprietary Threat Analysis Tool that operates with the ThreatConnect Platform and aggregates a worldwide scope of threat intelligence data and information, including OSINT, from all available sources, both internal and external to the ThreatConnect Platform, including from all users and Online Communities of any Products for which CAL is engaged.

“CAL Data” means anonymized or pseudonymized Indicators of Compromise that CAL automatically ingests and that is aggregated and co-mingled into all other data, information, and tools available on CAL to enrich the threat analysis capabilities of the ThreatConnect Platform for the benefit of all ThreatConnect users globally.

“Cloud” is a remote instantiation of the ThreatConnect Platform which is administratively controlled by ThreatConnect in a secure manner for multiple users, and for which organizational access to the account is controlled by the User. CAL and certain other vendor services (i.e., Pendo) are always active and engaged for Cloud users.

“Cookies” are small pieces of information that a website sends to your browser while you are viewing a website. We may use both session Cookies (which expire once you close your Web browser) and persistent Cookies. Our use of Cookies is subject to your consent to our Cookie Policy located here [https://threatconnect.com/cookie-policy/].

“Data Protection Laws” means GDPR and any and all other laws, rules and regulations of any jurisdiction applicable to us or to our Services from time to time, as amended.

 “Data Subject” means an identified or identifiable person to whom Personal Information relates.

 “Dedicated Cloud” is a remote instantiation of the ThreatConnect Platform which is licensed to a single organization who possesses all administrative control of its Instance, including the creation of organizations and sub-organizations and the engagement of vendor services.

 “GDPR” means the EU General Data Protection Regulation 2016/679 of the European Parliament and the European Council dated April 27, 2016 and all amendments and successors thereto.

“Instance” is a single instantiation of our cloud-based ThreatConnect Platform, which can be either a Cloud, Dedicated Cloud, or On-Premises deployment of the application.

“IOCs” or “Indicators of Compromise” are the information and technical data (e.g., IP address, domain name, hashes of malware, URLs and elements of valid or spoofed personal information) associated with an actual or attempted hack, intrusion, attack, release or compromise of the security of any data, network, device or information system or which may identify the existence or possible existence of any other cybersecurity threat, vulnerability or risk.

“Legitimate Interests” include, with regard to the controller or processor: (i) internal administration of the company’s business, including the management of assets, staff and business risks, (ii) direct marketing, (iii) preventing fraud or other illegal activities, (iv) ensuring network and information security, including preventing unauthorized access or damage to electronic communications networks, stopping malicious code distribution and preventing DNS attacks, (v) the establishment or defense of legal claims by the company or on behalf of a third party, and (vi) for purposes of public safety & health or other public interest, whether or not subject to action by a governmental authority.

“Online Communities” are those publicly available areas and other interactive features of the Sites or ThreatConnect Platform, such as Workspaces, user profiles, forums and message boards, with which users can share data and information for access by other users. Other than your password, your registration information (i.e., name, email address, user ID and avatar photo, if selected) will be available to all members of any Online Community or Workspace you join and to which you contribute User Shared  Data.

“Personal Data” means, as defined in Article 4(1) of the GDPR, any information relating to an identified or identifiable natural person (i.e., Data Subject).

“Personal Information” means Personal Data, personally identifiable information, or any other such information that is protected under any Data Protection Laws, that is not encrypted or Anonymized.

“Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, use, transmission, dissemination, erasure or destruction.

“Products” mean any or all of our proprietary threat intelligence tools or services, including TC Complete, TC Identify, TC Manage, TC Analyze, TC Exchange and CAL, and any other tools or software developed by us from time to time.

“Pseudonymization” means the processing of Personal Data such that it can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to protect against the attribution of such data to an identified or identifiable natural person. “Pseudonymized Information” is data that has undergone the process of pseudonymization.

“OSINT” or “Open Source Intelligence Feeds” means third-party products or tools that are used in or made available to users through our ThreatConnect Platform which provide cybersecurity threat, incident or adversary data, information or IOCs.

“Site” or “Sites” means the website ThreatConnect.com, including all subdomains thereof.

“Sub-Processor” means any third-party that we engage to Process Personal Information for or on behalf of you or for any other business purposes with you.

“TAP” or “ThreatConnect Authorized Personnel” means any of our employees or other authorized agents who need to know or otherwise have access to Personal Information in order for us to perform our obligations to you.

“ThreatConnect Data” means all data and information, other than User Data that is created, developed, licensed, stored, accessed and/or used in the ThreatConnect Platform (including all User Shared Data), all right, title and interest to which is held by us.

“ThreatConnect Platform” means our proprietary collaborative security operations and analytics platform that combines threat data collection, analysis, collaboration and expertise from a wide variety of sources into a single platform and is the operating platform for all of our Products and Threat Analysis Tools, including CAL.

“ThreatConnect Processing Authorities”. Our data processing is based upon performance of a contract, public interest and legitimate interests. Our collection and Processing of Personal Information in connection with your purchase, acquisition, use or license of any of our Products and Services, including use of the ThreatConnect Platform, is lawful and necessary on the basis of (i) the performance of a contract between you and us or at your request in anticipation of formation of such a contract, (ii) for the performance of a task carried out in the public interest, whether or not the subject of action by a public authority (including but not limited to the protection and enhancement of network and information security), and/or (iii) based upon our other Legitimate Interests means our respective legal bases for the collection and Processing of Personal Information.

“Threat Analysis Tools” means cyber threat-related inventions, software and information, whether proprietary to ThreatConnect or licensed by us from a Vendor and integrated into our Services.

“User Data” means a user’s Personal Information, text, documents, content, code, software, video, images, music, sound, messages, tags or other materials of any type exclusive of any ThreatConnect Data.

“User Shared Data” means any and all elements of User Data that a user uploads, submits, posts, emails, transmits or otherwise makes available to or through the use of CAL or to an Online Community, and all IOCs identified in a user’s Instance.

“Vendors” mean our suppliers and licensors which enable us to perform our Services, including our providers of (i) IP information & analytics, (ii) human resource information systems, (iii) OSINT and Threat Analysis Tools, and/or (iv) other security-related products or services.

“You,” “Your” or “User” means any and all authorized personnel of a client, organization, or entity which is the user account holder. Any right or obligation of an individual user may be administered by or under the authority of its employer or other account holder and the exercise of Data Subject Rights may not conflict with an individual user’s duties to its employer, including duties of confidentiality with regard to employer data.

“We,” “Us” or “Our” means ThreatConnect, Inc. including ThreatConnect, Inc., licensors and any and all ThreatConnect Authorized Personnel.

 

1. Introduction.

Welcome to the website of ThreatConnect, Inc., a Delaware corporation (“ThreatConnect,” “We,” “Us” or “Our”), where we provide our users (collectively, “You,” “Your” or “User”) with access to our Products, to our support services and to other resources relating to cyber security (collectively, the “Services”).

We have developed the ThreatConnect Platform, a proprietary collaborative security operations and analytics platform that combines threat data collection, analysis, collaboration and expertise from a wide variety of sources into a single platform. Our platform provides software, information and tools to detect, track, analyze and defend against all manner of cyber threats through both on-premises and remote cloud applications.

We know you are concerned about your privacy, so we have developed this Privacy Policy (“Privacy Policy”) to explain and secure your consent to how we collect, use and disclose information about you. This policy also explains when and how we may transfer that data to third parties for specifically identified purposes. We also explain your right to exercise certain data privacy rights that are granted under this policy or under applicable law and when those rights may not apply.

1.1 Web Site Owner. ThreatConnect is the owner of this web site (“https://threatconnect.com”). ThreatConnect can be contacted by mail at 3865 Wilson Blvd, Suite 550, Arlington, Virginia 22203, by phone at (703) 229-4240, or by e-mail at privacy@threatconnect.com. [

1.2 Web Site Visits. We are committed to safeguarding the privacy of all visitors to this Site and any other Sites operated by us (collectively, the “Sites”) as well as online users of our Products and Services in accordance with applicable law. What that means is:

WE DO NOT TRACK OR PROFILE OUR SITE VISITORS OR USERS OF OUR SERVICES FOR ANY PURPOSE OTHER THAN FOR THE MARKETING, PERFORMANCE AND DELIVERY OF OUR SERVICES;

WE DO NOT SHARE ANY PERSONAL DATA WITH THIRD PARTIES FOR THEIR TRACKING OR PROFILING OF OUR USERS OR FOR THE MARKETING OF THEIR OWN PRODUCTS OR SERVICES; AND

1.3 Children. The Sites are not intended for nor directed to children and children are not eligible to use our Services. Protecting the privacy of children is very important to us. We do not collect or maintain Personal Information from people we actually know are under 13 years of age, and no part of our Sites or Services is designed to attract people under 13 years of age. If we later learn that a user is under 13 years of age, we will take steps to remove that user’s Personal Information from our databases and prevent the user from utilizing the Sites and the Services.

2. Personal Information That May Be Collected.

2.1 Collection Sources. Our means and methods of collecting Personal Information include:

We collect Personal Information that you submit to us voluntarily, including when you register an account and when you use our Sites and/or any of our Services;

Each time you request information from us or communicate with us through our Sites, register or attend an event or webinar, participate in telephonic communications with us or by sending us an email, we may collect and store any information that is contained in or otherwise associated with your communications, including internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and other technology on the devices you use to access our Sites;

We use Cookies and navigational data like Uniform Resource Locators (URLs) to gather information regarding the date and time of your visit and the solutions and information for which you searched and viewed;

We use a third-party service to track and analyze Anonymous Information from users of our Sites such as statistical or demographic data and those third parties may use Cookies to help track user behavior however those third parties may not use such data for any other purpose than our own Services or for any third party.

We may receive personal information about you from various third parties and public sources, including from data analytics providers and our social media pages;

2.1 Listing of Sub-Processors. Our current Sub-Processors include, but are not limited to, Amazon Web Services, Pendo, Google, Salesforce, and Slack; but not all of these Sub-Processors are engaged for all users or for all Services. The configuration of Dedicated Cloud and On-Premises Instances can be specifically customized for a User that may disallow services provided by some of these Sub-Processors.

2.3 Links to Other Web Sites. The ThreatConnect Web site may contain links to other web sites. ThreatConnect is not responsible for the privacy practices or the content of those other Web sites. If you click on a link or web application and are directed to a site other than our Sites, please refer to the privacy policy governing that site or Web application.

3. Uses Made of the Information.

3.1 Purpose. We use all Personal Information collected or received by us for purposes of the performance of this policy, including the development, delivery and performance of our Products and Services.

3.2 Purposes Defined. We Process your Personal Information for several business purposes, including to:

  • To Process your requests and provide you with access to our Services and customer support, including administering your account;
  • To market our Products and Services to you, including through your subscriptions to our email notifications and/or newsletters;
  • To sell the products or services of third parties we believe may be of interest to you, subject to your opportunity to opt-out of those communications;
  • To respond to your requests and questions, resolve disputes and/or trouble-shoot problems with our Services;
  • To improve the quality of and communicate with you about our Sites and Services;
  • To process information relating to transactions that you enter into with us, including your purchases of our Products and Services or other goods and services available through our Sites; and/or
  • To create Anonymized Information, Pseudonymized Information or CAL Data by removing or otherwise Processing personally identifiable information.
    • “CAL Data” means anonymized or pseudonymized Indicators of Compromise that CAL automatically ingests and that is aggregated and co-mingled into all other data, information, and tools available on CAL to enrich the threat analysis capabilities of the ThreatConnect Platform for the benefit of all ThreatConnect users globally.

3.3 We may also Process your Personal Information where necessary for the exercise of our ThreatConnect Processing Authorities, including the establishment, exercise or defense of legal claims, the exercise of our Legitimate Interests or any other rights, duties or obligations that we may hold under applicable law.

3.4 Stored Information Uses. ThreatConnect stores and retains the information provided by customer OR the information entered on the ThreatConnect Web site. Stored information is used by ThreatConnect to support customer interaction with the ThreatConnect Web site; to deliver customer purchases; and/or to contact customer again about other ThreatConnect services and products.] .

3.5 Within Corporate Organization. ThreatConnect is a globally operated organization, with legal entities, business processes, management structures, and technical systems that cross borders. ThreatConnect may share your personal information within the ThreatConnect corporate organization and may transfer the information to countries in the world where ThreatConnect conducts business. Some countries may provide less legal protection for customer personal information.

3.6 Mergers and Acquisitions. Circumstances may arise where for business reasons, ThreatConnect decides to sell, buy, merge or otherwise reorganize its businesses in the United States or some other country. Such a transaction may involve the disclosure of personal identifying information to prospective or actual purchasers, and/or receiving such information from sellers. It is ThreatConnect’s practice to seek appropriate protection for information in these types of transactions.

3.7 Disclosure to Governmental Authorities. ThreatConnect may release personal information to appropriate governmental authorities where release is required by law (for example, a subpoena) or by a regulation, or is requested by a government agency conducting investigations or proceedings.

3.8 Use of Web Beacon Technologies. ThreatConnect may also use Web beacon or other technologies to better tailor its Web site(s) to provide better customer service. If these technologies are in use, when a visitor accesses these pages of the Web site, a non-identifiable notice of that visit is generated which may be processed by ThreatConnect or by its suppliers. Web beacons usually work in conjunction with cookies. If customer does not want cookie information to be associated with customer’s visits to these pages, customer can set its browser to turn off cookies; however, Web beacon and other technologies will still detect visits to these pages, but the notices they generate cannot be associated with other non-identifiable cookie information and are disregarded.

3.9 Collection of Non-Identifiable Information. ThreatConnect may collect non-identifiable information from user visits to the ThreatConnect Web site(s) in order to provide better customer service. Examples of such collecting include: traffic analysis, such as tracking of the domains from which users visit, or tracking numbers of visitors; measuring visitor activity on ThreatConnect Web site(s); Web site and system administration; user analysis; and business decision making. Such information is sometimes known as “clickstream data.” ThreatConnect or its contractors may use this data to analyze trends and statistics.

4. Providing Your Personal Data to Others.

4.1 We may disclose your Personal Information to our Sub-Processors, Vendors and ThreatConnect Authorized Personnel only if and to the extent necessary for the purposes of this policy, including the exercise of our ThreatConnect Processing Authorities. We will ensure the reliability and training of all ThreatConnect Authorized Personnel as to the confidential nature of all Personal Information and will ensure that they have either executed confidentiality agreements or are otherwise subject to equivalent duties of confidentiality with regard thereto.

4.2 We will limit access to Personal Information to only authorized Sub-Processors and Vendors who have executed confidentiality agreements or are otherwise subject to confidentiality obligations with regard to the Processing of Personal Information (including, when appropriate, the execution of data processing agreements).

4.3 We may disclose your Personal Information to our insurers and/or professional advisers if and to the extent necessary for obtaining or maintaining insurance coverage, managing risks, obtaining professional advice or the establishment or defense of legal claims.

4.4 Financial transactions relating to our Site and Services may be handled by our payment services providers (e.g., banks, credit card company, etc.). We will share transaction data with our payment services providers only to the extent necessary for purposes of processing payments or refunds or resolving issues relating thereto and only when they are subject to appropriate Data Protection Laws.

4.5 We may also disclose your Personal Information when necessary for compliance with a legal obligation to which we are subject, in order to protect your vital interests or the vital interests of another natural person or where disclosure is necessary for the establishment or defense of legal claims or other exercise of our ThreatConnect Processing Authorities.

5. International Transfers of Your Personal Information.

5.1 Your Personal Information may be transferred to countries outside the European Economic Area (EEA), to (i) our offices or facilities in the United States or in other countries, (ii) to one of our Sub-Processors (e.g., Amazon Web Services or other data hosting providers); and/or (iii) to one or more of our Vendors.

5.2 Transfers of your Personal Information in all such cases will be protected by appropriate security and privacy safeguards.

5.3 You acknowledge that any and all User Shared Data or other User Data access by or through the use of CAL may be accessed, available or used throughout the world, in Anonymized, Pseudonymized or other processed form, that identification and recovery of such data is lost and that access of such data by others cannot be tracked, discovered or restricted.

6. Information Security.

6.1 Commitment to Online Security. ThreatConnect employs physical, electronic and managerial procedures to safeguard the security and integrity of personal information. Billing and payment data is encrypted whenever transmitted or received online. Personal information is accessible only by staff designated to handle online requests or complaints. All ThreatConnect agents and contractors with access to personal information on the ThreatConnect web site(s) or products, are also bound to adhere to ThreatConnect security standards.

ThreatConnect intends to protect customer personal information and to maintain its quality. To achieve information security and quality, ThreatConnect implements appropriate measures and processes, such as using encryption when transmitting certain sensitive information.

(b) No Liability for Acts of Third Parties. ThreatConnect will exercise all reasonable efforts to safeguard the confidentiality of customer personal information. However, transmissions protected by industry standard security technology and implemented by human beings cannot be made absolutely secure. Consequently, ThreatConnect shall not be liable for unauthorized disclosure of personal information due to no fault of ThreatConnect including, but not limited to, errors in transmission and unauthorized acts of ThreatConnect staff and/or third parties.

7. Privacy Policy Changes.

7.1 Changes to Privacy Policy. This privacy notice was last updated on 28 September 2023. ThreatConnect reserves the right to change OR update its privacy policy statement at any time.

8. Access Rights to Data.

8.1 Summary. This section summarizes your rights with regard to your Personal Data under certain Data Protection Laws (“Data Subject Rights”). These rights are complex and not all relevant details are included here. You should read the relevant laws and the available guidance from the relevant regulatory authorities and review recent cases interpreting those requirements in order to fully understand the scope and applicability of these Data Subject Rights.

8.2 When Data Rights Do Not Apply. These Data Subject Rights only apply to the extent that the Personal Data retains its character as Personal Data. Even then, certain Data Subject Rights are overridden by the legal basis upon which the Processing occurs. These Data Subject Rights do not apply to the extent that the Personal Data under consideration is governed by our Legitimate Interests.

8.3 Data Subject Rights Described. Your principal rights to Personal Data include, when and as applicable, the following. The following is a general statement of potential Data Subject Rights and does not imply that all such rights exist in all cases or as to all users. If you wish to exercise any of these rights, please contact us at the email address located on the last page of this policy:

a. The Right of Access. You have a right to have access to the Personal Data we hold about you and to verify that we are using your Personal Data lawfully. If asked, we will provide confirmation of what Personal Data we hold, together with certain additional information such as the purposes of the Processing, the categories of Personal Data concerned and the recipients of the Personal Data. Provided that our rights and interests or the rights and interests of others are not affected, we will supply you with a copy of your Personal Data or inform you of the rights you may have with regard thereto.

b. The Right of Rectification. You have the right to have any Personal Data held about you which is inaccurate to be rectified and, taking into account the purposes of the Processing, to have any incomplete personal data about you completed.

c. The Right to Erasure (Right to be Forgotten). In some circumstances you have the right to the erasure of your Personal Data. Those circumstances include when (i) the Personal Data is no longer necessary in relation to the purposes for which it was collected or processed; (ii) you withdraw consent to consent-based Processing such as marketing; (iii) you object to Processing and a balance of your rights against Legitimate Interests weighs in your favor, and/or (iv) the Processing is unlawful. However, there are exclusions of the right to erasure, including where Processing is necessary for compliance with Legitimate Interests which override the right to erasure.

d. The Right to Restrict Processing. In some circumstances you have the right to restrict the Processing of your Personal Data. Those circumstances include when you (i) accurately contest the accuracy of the Personal Data; (ii) Processing is unlawful but you oppose erasure of it; (iii) we no longer need the Personal Data for the purposes of our Processing, and (iv) you have objected to Processing but our verification of your objection is still pending. Where Processing has been restricted on this basis, we may continue to store your Personal Data but will only Process it with your consent, for our Legitimate Interests or upon governmental order or request.

e. The Right to Object to Processing. You have a right to object, in certain circumstances, to our Processing of your Personal Data. Among other grounds, you may object to our Processing of your Personal Data if we do not honor your rightful withdrawal of consent-based Processing or when you disagree with our assertion of Legitimate Interests. In such case, we will no longer Process the applicable Personal Data unless we can demonstrate compelling Legitimate Interests for such Processing which override your Data Rights. But if you do object to our Processing, we will seek to accommodate your request to the extent practicable.

f. The Right to Data Portability. To the extent that the legal basis for our Processing of your Personal Data is (i) your consent; or (ii) the Processing is necessary for the performance of a contract and such Processing is carried out by automated means, you have the right to receive your Personal Data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it is outweighed by our Legitimate Interests or when it would adversely affect the rights or interests of others.

g. The Right to Complain to a Supervisory Authority. If you believe that our Processing of your Personal Data violates GDPR, you have a legal right to lodge a complaint with a Supervisory Authority responsible for data protection in the EU member state of your residence, your place of work or the place of the alleged violation.

h. The Right to Withdraw Consent. To the extent that our Processing of your Personal Data is based solely upon your consent, you have the right to withdraw such consent at any time, which will terminate such Processing. A withdrawal of your consent does not affect the lawfulness of any Processing based on consent before our receipt of your withdrawal of consent.

i. Your California Privacy Rights. Beginning on January 1, 2005, California Civil Code Section 1798.83 permits customers of ThreatConnect who are California residents to request certain information regarding ThreatConnect’s disclosure of personal information for their direct marketing purposes. To make such a request, please write to: privacy@threatconnect.com. Within 30 days of receiving such a request, ThreatConnect will provide a list of the categories of personal information disclosed to third parties for third-party direct marketing purposes during the immediately preceding calendar year, along with the names and addresses of these third parties. This request may be made no more than once per calendar year. ThreatConnect reserves its right not to respond to requests submitted other than to the address specified in this paragraph.

9. Legal Bases for Our Processing of Personal Information.

9.1 Lawful Basis for Processing. As provide in Article 6 of GDPR, Processing is lawful only if and to the extent that at least one of the following justifications applies:

(a) The Data Subject has given consent to the Processing of his or her Personal Data for one or more specific purposes;

(b) Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;

(c) Processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) Processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and/or

(f) Processing is necessary for the purposes of the Legitimate Interests pursued by the controller or by a third party, except where a balancing of such Legitimate Interests is overridden by the interests or fundamental rights and freedoms of the Data Subject.

9.2 Legitimate Interests. Under Article 11 of GDPR, if the purposes for which a controller processes Personal Data do not require the identification of a Data Subject, the controller shall not be obliged to maintain, acquire or process additional information in or-der to identify the Data Subject solely to comply with GDPR. Also, Data Subject Rights as set forth in Articles 15-20 of the GDPR do not apply unless the controller actually receives additional information that enables the Data Subject to be identified. This provision is further support for our Processing of Personal Information in Threat Analysis Tools, OSINT and CAL, which may contain inadvertent, incidental or unassociated elements of Personal In-formation of Data Subjects.

9.3 Processing Based Upon Consent. Our collection and Processing of Personal Data associated solely with (i) your visitation to our Sites, without the purchase or preparation for purchase of any Products or Services, or (ii) for our own marketing purposes is your voluntary, informed consent.

10. Accountability.

10.1 Questions, Problems and Complaints. If you have a question about this policy statement, or a complaint about ThreatConnect compliance with this privacy policy, you may contact ThreatConnect by e-mail: privacy@threatconnect.com.

10.2 Terms of Use. If customer chooses to enter into a purchase order OR to subscribe to ThreatConnect’s services, customer’s action is hereby deemed acceptance of ThreatConnect practices described in this policy statement. Any dispute over privacy between customer and ThreatConnect is subject to the provisions of this notice.