Privacy Policy
DATE OF LAST REVIEW: JUNE 12, 2024
Definitions.
As used in this policy, the terms listed below will have the following meanings:
“Anonymous Information” means information that does not relate to an identified or identifiable natural person or to Personal Data rendered unable to identify a natural person. “Anonymized” or “Anonymization” is the process of making information anonymous.
“CAL™” or “Collective Analytics Layer” is a proprietary Threat Analysis Tool that operates with the ThreatConnect Platform and aggregates a worldwide scope of threat intelligence data and information, including OSINT, from all available sources, both internal and external to the ThreatConnect Platform, including from all users and Online Communities of any Products for which CAL is engaged.
“CAL Data” means anonymized or pseudonymized Indicators of Compromise that CAL automatically ingests and that is aggregated and co-mingled into all other data, information, and tools available on CAL to enrich the threat analysis capabilities of the ThreatConnect Platform for the benefit of all ThreatConnect users globally.
“Cloud” is a remote instantiation of the ThreatConnect Platform which is administratively controlled by ThreatConnect in a secure manner for multiple users, and for which organizational access to the account is controlled by the User. CAL and certain other vendor services (i.e., Pendo) are always active and engaged for Cloud users.
“Cookies” are small pieces of information that a website sends to your browser while you are viewing a website. We may use both session Cookies (which expire once you close your Web browser) and persistent Cookies. Our use of Cookies is subject to your consent to our Cookie Policy located here [https://threatconnect.com/cookie-policy/].
“Data Protection Laws” means GDPR and any and all other laws, rules and regulations of any jurisdiction applicable to us or to our Services from time to time, as amended.
“Data Subject” means an identified or identifiable person to whom Personal Information relates.
“Dedicated Cloud” is a remote instantiation of the ThreatConnect Platform which is licensed to a single organization who possesses all administrative control of its Instance, including the creation of organizations and sub-organizations and the engagement of vendor services.
“GDPR” means the EU General Data Protection Regulation 2016/679 of the European Parliament and the European Council dated April 27, 2016 and all amendments and successors thereto.
“Instance” is a single instantiation of our cloud-based ThreatConnect Platform, which can be either a Cloud, Dedicated Cloud, or On-Premises deployment of the application.
“IOCs” or “Indicators of Compromise” are the information and technical data (e.g., IP address, domain name, hashes of malware, URLs and elements of valid or spoofed Personal Information) associated with an actual or attempted hack, intrusion, attack, release or compromise of the security of any data, network, device or information system or which may identify the existence or possible existence of any other cybersecurity threat, vulnerability or risk.
“Legitimate Interests” include, with regard to the controller or processor: (i) internal administration of the company’s business, including the management of assets, staff and business risks, (ii) direct marketing, (iii) preventing fraud or other illegal activities, (iv) ensuring network and information security, including preventing unauthorized access or damage to electronic communications networks, stopping malicious code distribution and preventing DNS attacks, (v) the establishment or defense of legal claims by the company or on behalf of a third party, and (vi) for purposes of public safety & health or other public interest, whether or not subject to action by a governmental authority.
“Online Communities” are those publicly available areas and other interactive features of the Sites or ThreatConnect Platform, such as Workspaces, user profiles, forums and message boards, with which users can share data and information for access by other users. Other than your password, your registration information (i.e., name, email address, user ID and avatar photo, if selected) will be available to all members of any Online Community or Workspace you join and to which you contribute User Shared Data.
“Personal Data” means, as defined in Article 4(1) of the GDPR, any information relating to an identified or identifiable natural person (i.e., Data Subject).
“Personal Information” means Personal Data, personally identifiable information, or any other such information that is protected under any Data Protection Laws, that is not encrypted or Anonymized.
“Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, use, transmission, dissemination, erasure or destruction.
“Products” mean any or all of our proprietary threat intelligence tools or services, including TC Complete, TC Identify, TC Manage, TC Analyze, RQ, TC Exchange and CAL, and any other tools or software developed by us from time to time.
“Pseudonymization” means the processing of Personal Data such that it can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to protect against the attribution of such data to an identified or identifiable natural person. “Pseudonymized Information” is data that has undergone the process of pseudonymization.
“OSINT” or “Open Source Intelligence Feeds” means third-party products or tools that are used in or made available to users through our ThreatConnect Platform which provide cybersecurity threat, incident or adversary data, information or IOCs.
“Site” or “Sites” means the website ThreatConnect.com, including all subdomains thereof.
“Sub-Processor” means any third-party that we engage to Process Personal Information for or on behalf of you or for any other business purposes with you.
“TAP” or “ThreatConnect Authorized Personnel” means any of our employees or other authorized agents who need to know or otherwise have access to Personal Information in order for us to perform our obligations to you.
“ThreatConnect Data” means all data and information, other than User Data that is created, developed, licensed, stored, accessed and/or used in the ThreatConnect Platform (including all User Shared Data), all right, title and interest to which is held by us.
“ThreatConnect Platform” means our proprietary collaborative security operations and analytics platform that combines threat data collection, analysis, collaboration and expertise from a wide variety of sources into a single platform and is the operating platform for all of our Products and Threat Analysis Tools, including CAL.
“ThreatConnect Processing Authorities”. Our data processing is based upon performance of a contract, public interest and legitimate interests. Our collection and Processing of Personal Information in connection with your purchase, acquisition, use or license of any of our Products and Services, including use of the ThreatConnect Platform, is lawful and necessary on the basis of (i) the performance of a contract between you and us or at your request in anticipation of formation of such a contract, (ii) for the performance of a task carried out in the public interest, whether or not the subject of action by a public authority (including but not limited to the protection and enhancement of network and information security), and/or (iii) based upon our other Legitimate Interests means our respective legal bases for the collection and Processing of Personal Information.
“Threat Analysis Tools” means cyber threat-related inventions, software and information, whether proprietary to ThreatConnect or licensed by us from a Vendor and integrated into our Services.
“User Data” means a user’s Personal Information, text, documents, content, code, software, video, images, music, sound, messages, tags or other materials of any type exclusive of any ThreatConnect Data.
“User Shared Data” means any and all elements of User Data that a user uploads, submits, posts, emails, transmits or otherwise makes available to or through the use of CAL or to an Online Community, and all IOCs identified in a user’s Instance.
“Vendors” mean our suppliers and licensors which enable us to perform our Services, including our providers of (i) IP information & analytics, (ii) human resource information systems, (iii) OSINT and Threat Analysis Tools, and/or (iv) other security-related products or services.
“You,” “Your” or “User” means any and all authorized personnel of a client, organization, or entity which is the user account holder. Any right or obligation of an individual user may be administered by or under the authority of its employer or other account holder and the exercise of Data Subject Rights may not conflict with an individual user’s duties to its employer, including duties of confidentiality with regard to employer data.
“We,” “Us” or “Our” means ThreatConnect, Inc. including ThreatConnect, Inc., licensors and any and all ThreatConnect Authorized Personnel.
1. Introduction.
Welcome to the website of ThreatConnect, Inc., a Delaware corporation (“ThreatConnect,” “We,” “Us” or “Our”), where we provide our users (collectively, “You,” “Your” or “User”) with access to our Products, to our support services and to other resources relating to cyber security (collectively, the “Services”).
We have developed the ThreatConnect Platform, a proprietary collaborative security operations and analytics platform that combines threat data collection, analysis, collaboration and expertise from a wide variety of sources into a single platform. Our platform provides software, information and tools to detect, track, analyze and defend against all manner of cyber threats through both on-premises and remote cloud applications.
We know you are concerned about your privacy, so we have developed this Privacy Policy (“Privacy Policy”) to explain and secure your consent to how we collect, use and disclose information about you. This policy also explains when and how we may transfer that data to third parties for specifically identified purposes. We also explain your right to exercise certain data privacy rights that are granted under this policy or under applicable law and when those rights may not apply.
1.1 Web Site Owner. ThreatConnect is the owner of this web site (“https://threatconnect.com”). ThreatConnect can be contacted by mail at 3865 Wilson Blvd, Arlington, Virginia 22203, by phone at (703) 229-4240, or by e-mail at privacy@threatconnect.com.
1.2 Web Site Visits. We are committed to safeguarding the privacy of all visitors to this Site and any other Sites operated by us (collectively, the “Sites”) as well as online users of our Products and Services in accordance with applicable law. What that means is:
WE DO NOT TRACK OR PROFILE OUR SITE VISITORS OR USERS OF OUR SERVICES FOR ANY PURPOSE OTHER THAN FOR THE MARKETING, PERFORMANCE AND DELIVERY OF OUR SERVICES;
WE DO NOT SHARE ANY PERSONAL DATA WITH THIRD PARTIES FOR THEIR TRACKING OR PROFILING OF OUR USERS OR FOR THE MARKETING OF THEIR OWN PRODUCTS OR SERVICES; AND
1.3 Children. The Sites are not intended for nor directed to children and children are not eligible to use our Services. Protecting the privacy of children is very important to us. We do not collect or maintain Personal Information from people we actually know are under 13 years of age, and no part of our Sites or Services is designed to attract people under 13 years of age. If we later learn that a user is under 13 years of age, we will take steps to remove that user’s Personal Information from our databases and prevent the user from utilizing the Sites and the Services.
2. Personal Information That May Be Collected.
2.1 Sources of Personal Data. Our means and methods of collecting Personal Information include:
- We collect Personal Information that you submit to us voluntarily, including when you register an account and when you use our Sites and/or any of our Services;
- Each time you request information from us or communicate with us through our Sites, register or attend an event or webinar, participate in telephonic communications with us or by sending us an email, we may collect and store any information that is contained in or otherwise associated with your communications, including internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and other technology on the devices you use to access our Sites;
- We use Cookies and navigational data like Uniform Resource Locators (URLs) to gather information regarding the date and time of your visit and the solutions and information for which you searched and viewed;
- We use a third-party service to track and analyze Anonymous Information from users of our Sites such as statistical or demographic data and those third parties may use Cookies to help track user behavior however those third parties may not use such data for any other purpose than our own Services or for any third party.
- We may receive Personal Information about you from various third parties and public sources, including from data analytics providers and our social media pages;
2.2 Listing of Sub-Processors. Our current Sub-Processors may include, but are not limited to,
Primary Subprocessor for customer data to support ThreatConnect Applications
| Amazon Web Services | Provides the cloud infrastructure to support ThreatConnect applications and service |
Business, Support, and Security subprocessors
| Pendo | Product analytics |
| Google Suite | Business processes and collaboration |
| Slack | Internal business communications |
| DataDog | Security SIEM |
| SingleStore | Database as a Service |
Marketing and Sales application data may be collected via automated means or by submission of individual
| Marketing and Sales Applications | Personal Data That May Be Collected |
| 6sense | IP Address |
| Pardot / Marketo | Name, Email Address, Phone Number, IP Address, Location |
| WebFX LeadManager | Name, Email Address, Phone Number, IP Address, Location |
| Navattic | Name, Email Address, Company Name, IP Address |
| Qualified | Name, Email Address, IP Address, Phone Number, Company Name |
| LinkedIn Advertising | Name, Email Address, Job Title, Company Name, Phone Number |
| Zapier | Name, Email Address, Company Name, Job Title, Phone Number |
| Sequel | Name, Email Address, Company Name |
| UserGems | Name, Email Address, Company Name, Phone Number |
| UserEvidence | Name, Email Address, Company Name |
| Salesforce | Name, Email Address, Company Name, Phone Number, Company Name, Company Website |
| Outreach | Name, Email Address, Company Name, Phone Number, Company Name, Company Website |
| Gong | Name, Email Address, Company Name, Phone Number, Company Name, Company Website, Records Calls |
| Giftsenda | Name, Email Address, Company Name, Phone Number, Company Name, Company Website |
| LinkedIn Sales Navigator | Name, Email Address, Company Name, Phone Number, Company Name, Company Website |
| Zoominfo | Name, Email Address, Company Name, Phone Number, Company Name, Company Website |
| Mercury – SMS | Name, Email Address, Company Name, Phone Number, Company Name, Company Website |
| Cacheflow | Name, Email Address, Company Name, Phone Number, Company Name, Company Website |
| ChurnZero | Name, Email Address, Company Name, Phone Number, Company Name, Company Website |
Please note: Not all of these Sub-Processors are engaged for all users or for all Services.
The configuration of Dedicated Cloud and On-Premises Instances can be specifically customized for a User that may disallow services provided by some of these Sub-Processors.
2.3 Links to Other Websites. The ThreatConnect Web site may contain links to other websites. ThreatConnect is not responsible for the privacy practices or the content of those other Web sites. If you click on a link or web application and are directed to a site other than our Sites, please refer to the privacy policy governing that site or Web application.
3. How We Process Your Information.
3.1 Purpose. We use all Personal Information collected or received by us for purposes of the performance of this policy, including the development, delivery and performance of our Products and Services.
3.2 Purposes Defined
| Purpose of Processing | Lawful Basis |
| To Process your requests and provide you with access to our Services and customer support, including administering your account; | Legitimate interests; Contract; Legal obligations |
| To market our Products and Services to you, including through your subscriptions to our email notifications and/or newsletters; | Consent (where required by law); Legitimate interests |
| To sell the products or services of third parties we believe may be of interest to you, subject to your opportunity to opt-out of those communications; | Consent (where required by law); Legitimate interests |
| To respond to your requests and questions, resolve disputes and/or troubleshoot problems with our Services | Legitimate interests; Contract; Legal obligations |
| To improve the quality of and communicate with you about our Sites and Services | Consent (where required by law); Legitimate interests |
| To process information relating to transactions that you enter into with us, including your purchases of our Products and Services or other goods and services available through our Sites | Legitimate interests; Contract; Legal obligations |
| To create Anonymized Information, Pseudonymized Information or CAL Data by removing or otherwise processing personally identifiable information. | Legitimate interests |
| We may also Process your Personal Information where necessary for the exercise of our ThreatConnect Processing Authorities, including the establishment, exercise or defense of legal claims, the exercise of our Legitimate Interests or any other rights, duties or obligations that we may hold under applicable law. | Legal obligations; Contract |
| Disclosure to Governmental Authorities. ThreatConnect may release Personal Information to appropriate governmental authorities where release is required by law (for example, a subpoena) or by a regulation, or is requested by a government agency conducting investigations or proceedings. | Legal obligations |
| Stored Information Uses. ThreatConnect stores and retains the information provided by customers OR the information entered on the ThreatConnect Web site. Stored information is used by ThreatConnect to support customer interaction with the ThreatConnect Web site; to deliver customer purchases; and/or to contact customers again about other ThreatConnect services and products. | Legitimate interests; Contract |
| Within Corporate Organization. ThreatConnect is a globally operated organization, with legal entities, business processes, management structures, and technical systems that cross borders. ThreatConnect may share your Personal Information within the ThreatConnect corporate organization and may transfer the information to countries in the world where ThreatConnect conducts business. Some countries may provide less legal protection for customer Personal Information. | Legitimate interests |
| Mergers and Acquisitions. Circumstances may arise where for business reasons, ThreatConnect decides to sell, buy, merge or otherwise reorganize its businesses in the United States or some other country. Such a transaction may involve the disclosure of personal identifying information to prospective or actual purchasers, and/or receiving such information from sellers. It is ThreatConnect’s practice to seek appropriate protection for information in these types of transactions. | Legal obligations; Contract |
| Use of Web Beacon Technologies. ThreatConnect may also use Web beacon or other technologies to better tailor its Web site(s) to provide better customer service. If these technologies are in use, when a visitor accesses these pages of the Web site, a non-identifiable notice of that visit is generated which may be processed by ThreatConnect or by its suppliers. Web beacons usually work in conjunction with Cookies. If customer does not want cookie information to be associated with customer’s visits to these pages, customer can set its browser to turn off Cookies; however, Web beacon and other technologies will still detect visits to these pages, but the notices they generate cannot be associated with other non-identifiable Cookie information and are disregarded. | Legitimate interests |
3.3 Collection of Non-Identifiable Information. ThreatConnect may collect non-identifiable information from user visits to the ThreatConnect Web site(s) in order to provide better customer service. Examples of such collecting include: traffic analysis, such as tracking of the domains from which users visit, or tracking numbers of visitors; measuring visitor activity on ThreatConnect Web site(s); Web site and system administration; user analysis; and business decision making. Such information is sometimes known as “clickstream data.” ThreatConnect or its contractors may use this data to analyze trends and statistics.
4. Providing Your Personal Data to Others.
4.1 We may disclose your Personal Information to our Sub-Processors, Vendors and ThreatConnect Authorized Personnel only if and to the extent necessary for the purposes of this policy, including the exercise of our ThreatConnect Processing Authorities. We will ensure the reliability and training of all ThreatConnect Authorized Personnel as to the confidential nature of all Personal Information and will ensure that they have either executed confidentiality agreements or are otherwise subject to equivalent duties of confidentiality with regard thereto. For a list of potential sub-processors, please refer to section 2.2.
4.2 We will limit access to Personal Information to only authorized Sub-Processors and Vendors who have executed confidentiality agreements or are otherwise subject to confidentiality obligations with regard to the Processing of Personal Information (including, when appropriate, the execution of data processing agreements).
4.3 We may disclose your Personal Information to our insurers and/or professional advisers if and to the extent necessary for obtaining or maintaining insurance coverage, managing risks, obtaining professional advice or the establishment or defense of legal claims.
4.4 Financial transactions relating to our Site and Services may be handled by our payment services providers (e.g., banks, credit card companies, etc.). We will share transaction data with our payment services providers only to the extent necessary for purposes of processing payments or refunds or resolving issues relating thereto and only when they are subject to appropriate Data Protection Laws.
4.5 We may also disclose your Personal Information when necessary for compliance with a legal obligation to which we are subject, in order to protect your vital interests or the vital interests of another natural person or where disclosure is necessary for the establishment or defense of legal claims or other exercise of our ThreatConnect Processing Authorities.
5. International Transfers of Your Personal Information.
5.1 Your Personal Information may be transferred to countries outside the European Economic Area (EEA), to (i) our offices or facilities in the United States or in other countries, (ii) to one of our Sub-Processors (e.g., Amazon Web Services or other data hosting providers); and/or (iii) to one or more of our Vendors.
5.1.1 Purpose of International Data Transfer:
To provide our services and/or products to our customers
To provide support and maintenance of our products and services – This will include, but is not limited to the access of data residing in the EEA, Switzerland, and the U.K. by United States based ThreatConnect personnel to maintain our contractual obligations to our customers.
To collaborate with our customers
To comply with our legal obligations
5.1.2 Legal Basis for International Data Transfer:
Contractual necessity: Transfers necessary for product and/or service delivery to our customers
Legitimate interests: Transfers based on our legitimate interests, provided they are not overridden by individual’s rights and interests
Legal Obligations: Transfers to comply with applicable laws and regulations
5.2 Transfers of your Personal Information in all such cases will be protected by appropriate security and privacy safeguards.
Standard Contractual Clauses (SCCs): We may use SCCs approved by relevant data protection authorities
Approved Certification Mechanisms: We may rely on our adherence to certifications that demonstrate our adherence to data protection standards
5.3 You acknowledge that any and all User Shared Data or other User Data access by or through the use of CAL may be accessed, available or used throughout the world, in Anonymized, Pseudonymized or other processed form, that identification and recovery of such data is lost and that access of such data by others cannot be tracked, discovered or restricted.
6. Information Security.
6.1 Commitment to Online Security. ThreatConnect employs physical, electronic and managerial procedures to safeguard the security and integrity of Personal Information. Billing and payment data is encrypted whenever transmitted or received online. Personal Information is accessible only by staff designated to handle online requests or complaints. All ThreatConnect agents and contractors with access to Personal Information on the ThreatConnect web site(s) or products, are also bound to adhere to ThreatConnect security standards.
ThreatConnect intends to protect customer Personal Information and to maintain its quality. To achieve information security and quality, ThreatConnect implements appropriate measures and processes, such as using encryption when transmitting certain sensitive information.
7. Privacy Policy Changes.
7.1 Changes to Privacy Policy.
ThreatConnect reserves the right to change OR update its privacy policy statement at any time.
8. Access Rights to Data.
8.1 Summary. This section summarizes your rights with regard to your Personal Data under certain Data Protection Laws (“Data Subject Rights”). These rights are complex and not all relevant details are included here. You should read the relevant laws and the available guidance from the relevant regulatory authorities and review recent cases interpreting those requirements in order to fully understand the scope and applicability of these Data Subject Rights.
8.2 When Data Rights Do Not Apply
These Data Subject Rights only apply to the extent that the Personal Data retains its character as Personal Data. Even then, certain Data Subject Rights are overridden by the legal basis upon which the Processing occurs. These Data Subject Rights do not apply to the extent that the Personal Data under consideration is governed by our Legitimate Interests.
8.3 Data Subject Rights Described
Your principal rights to Personal Data include, when and as applicable, the following. The following is a general statement of potential Data Subject Rights and does not imply that all such rights exist in all cases or as to all users. If you wish to exercise any of these rights, please contact us at privacy@threatconnect.com:
The Right of Access
You have a right to have access to the Personal Data we hold about you and to verify that we are using your Personal Data lawfully. If asked, we will provide confirmation of what Personal Data we hold, together with certain additional information such as the purposes of the Processing, the categories of Personal Data concerned and the recipients of the Personal Data. Provided that our rights and interests or the rights and interests of others are not affected, we will supply you with a copy of your Personal Data or inform you of the rights you may have with regard thereto.
The Right of Rectification
You have the right to have any Personal Data held about you which is inaccurate to be rectified and, taking into account the purposes of the Processing, to have any incomplete personal data about you completed.
The Right to Erasure (Right to be Forgotten)
In some circumstances you have the right to the erasure of your Personal Data. Those circumstances include when (i) the Personal Data is no longer necessary in relation to the purposes for which it was collected or processed; (ii) you withdraw consent to consent-based Processing such as marketing; (iii) you object to Processing and a balance of your rights against Legitimate Interests weighs in your favor, and/or (iv) the Processing is unlawful. However, there are exclusions of the right to erasure, including where Processing is necessary for compliance with Legitimate Interests which override the right to erasure.
The Right to Restrict Processing
In some circumstances you have the right to restrict the Processing of your Personal Data. Those circumstances include when you (i) accurately contest the accuracy of the Personal Data; (ii) Processing is unlawful but you oppose erasure of it; (iii) we no longer need the Personal Data for the purposes of our Processing, and (iv) you have objected to Processing but our verification of your objection is still pending. Where Processing has been restricted on this basis, we may continue to store your Personal Data but will only Process it with your consent, for our Legitimate Interests or upon governmental order or request.
The Right to Object to Processing
You have a right to object, in certain circumstances, to our Processing of your Personal Data. Among other grounds, you may object to our Processing of your Personal Data if we do not honor your rightful withdrawal of consent-based Processing or when you disagree with our assertion of Legitimate Interests. In such a case, we will no longer Process the applicable Personal Data unless we can demonstrate compelling Legitimate Interests for such Processing which override your Data Rights. But if you do object to our Processing, we will seek to accommodate your request to the extent practicable.
The Right to Data Portability
To the extent that the legal basis for our Processing of your Personal Data is (i) your consent; or (ii) the Processing is necessary for the performance of a contract and such Processing is carried out by automated means, you have the right to receive your Personal Data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it is outweighed by our Legitimate Interests or when it would adversely affect the rights or interests of others.
The Right to Complain to a Supervisory Authority
If you believe that our Processing of your Personal Data violates GDPR, you have a legal right to lodge a complaint with a Supervisory Authority responsible for data protection in the EU member state of your residence, your place of work or the place of the alleged violation. A list of Supervisory Authorities is available here: https://edpb.europa.eu/about-edpb/board/members_en.
The Right to Withdraw Consent
To the extent that our Processing of your Personal Data is based solely upon your consent, you have the right to withdraw such consent at any time, which will terminate such Processing. A withdrawal of your consent does not affect the lawfulness of any Processing based on consent before our receipt of your withdrawal of consent.
Right to Opt-Out of Automated Decision-Making
You have the right to opt-out of automated decision-making processes that affect you. If you choose to exercise this right, our systems will not use automated processes to make decisions about you, and we will seek alternative methods that do not solely rely on automated processing.
9. Legal Bases for Our Processing of Personal Information.
9.1 Lawful Basis for Processing. As provide in Article 6 of GDPR, Processing is lawful only if and to the extent that at least one of the following justifications applies:
(a) The Data Subject has given consent to the Processing of his or her Personal Data for one or more specific purposes;
(b) Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
(c) Processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and/or
(f) Processing is necessary for the purposes of the Legitimate Interests pursued by the controller or by a third party, except where a balancing of such Legitimate Interests is overridden by the interests or fundamental rights and freedoms of the Data Subject.
9.2 Legitimate Interests. Under Article 11 of GDPR, if the purposes for which a controller processes Personal Data do not require the identification of a Data Subject, the controller shall not be obliged to maintain, acquire or process additional information in or-der to identify the Data Subject solely to comply with GDPR. Also, Data Subject Rights as set forth in Articles 15-20 of the GDPR do not apply unless the controller actually receives additional information that enables the Data Subject to be identified. This provision is further support for our Processing of Personal Information in Threat Analysis Tools, OSINT and CAL, which may contain inadvertent, incidental or unassociated elements of Personal In-formation of Data Subjects.
9.3 Processing Based Upon Consent. Our collection and Processing of Personal Data associated solely with (i) your visitation to our Sites, without the purchase or preparation for purchase of any Products or Services, or (ii) for our own marketing purposes is your voluntary, informed consent.
10.1 Data Privacy Framework Compliance
ThreatConnect complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. ThreatConnect has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. ThreatConnect has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
Pursuant to the DPF Program, EU, UK, and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under the DPF, should direct their query to privacy@threatconnect.com. If requested to remove data, we will respond within a reasonable timeframe.
We will provide an individual opt-out choice, or opt-in for sensitive data, before we share your data with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information, please submit a written request to privacy@threatconnect.com
10.2 Internal Complaints Mechanism
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, ThreatConnect commits to resolve DPF Principles-related complaints about our collection and use of your Personal Information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF} should first contact ThreatConnect at: privacy@threatconnect.com
10.3 Independent Recourse Mechanism
In compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), ThreatConnect commits to resolve complaints about our collection or use of your Personal Information transferred to the U.S. pursuant to the EU-U.S. DPF, the UK extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. EU, UK, and Swiss individuals with inquiries or complaints should first contact ThreatConnect at privacy@threatconnect.com
ThreatConnect has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.
10.4 Federal Jurisdiction
The Federal Trade Commission has jurisdiction over ThreatConnect ’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
10.5 Binding Arbitration
An individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms. Please consult the Data Privacy Framework Annex I for additional information: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2
10.6 Onward Transfer Liability
In the context of an onward transfer, a participating DPF organization has responsibility for the processing of Personal Information it receives under the DPF Principles and subsequently transfers to a third party acting as an agent on its behalf. In alignment to the DPF, ThreatConnect shall remain liable if its agent processes such Personal Information in a manner inconsistent with the DPF Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
10.7 Disclosure by Lawful Request
ThreatConnect may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
11.1 You have the right under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), and certain other privacy and Data Protection Laws, as applicable, to exercise free of charge:
| Disclosure of Personal Information We Collect About You | You have the right to know, and request disclosure of:· The categories of Personal Information we have collected about you, including sensitive Personal Information· The categories of sources from which the Personal Information is collected· The categories of third parties to whom we disclose Personal Information, if any –and–· The specific pieces of Personal Information we have collected about youPlease note that we are not required to:· Retain any Personal Information about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained· Reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered Personal Information –or–· Provide the Personal Information to you more than twice in a 12-month period |
| Disclosure of Personal Information Sold, Shared, or Disclosed for a Business Purpose | In connection with any Personal Information we may sell, share, or disclose to a third party for a business purpose, you have the right to know:· The categories of Personal Information about you that we sold or shared and the categories of third parties to whom the Personal Information was sold or shared –and–· The categories of Personal Information that we disclosed about you for a business purpose and the categories of persons to whom the Personal Information was disclosed for a business purposeYou have the right to opt-out of the sale of your Personal Information or sharing of your Personal Information for the purpose of targeted behavioral advertising. If you exercise your right to opt-out of the sale or sharing of your Personal Information, we will refrain from selling or sharing your Personal Information, unless you subsequently provide express authorization for the sale or sharing of your Personal Information.To opt-out of the sale or sharing of your Personal Information, please email privacy@threatconnect.com |
| Right to Limit Use of Sensitive Personal Information | You have the right to limit the use and disclosure of your sensitive Personal Information to the use which is necessary to:· Perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services· To perform the following services: (1) Helping to ensure security and integrity to the extent the use of the consumer’s Personal Information is reasonably necessary and proportionate for these purposes; (2) Short-term, transient use, including, but not limited to, non-personalized advertising shown as part of a consumer’s current interaction with the business, provided that the consumer’s Personal Information is not disclosed to another third party and is not used to build a profile about the consumer or otherwise alter the consumer’s experience outside the current interaction with the business; (3) Performing services on behalf of the business, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of the business; and (4) Undertaking activities to verify or maintain the quality or safety of a service or device that is owned, manufactured, manufactured for, or controlled by the business, and to improve, upgrade, or enhance the service or device that is owned, manufactured, manufactured for, or controlled by the business –and–· As authorized by further regulationsYou have a right to know if your sensitive Personal Information may be used, or disclosed to a service provider or contractor, for additional, specified purposes. |
| Right to Deletion | Subject to certain exceptions set out below, on receipt of a verifiable request from you, we will:· Delete your Personal Information from our records –and–· Delete your Personal Information from our records –and–· Direct third parties to whom the business has sold or shared your Personal Information to delete your Personal Information unless this proves impossible or involves disproportionate effortPlease note that we may not delete your Personal Information if it is reasonably necessary to:· Complete the transaction for which the Personal Information was collected, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between you and us· Help to ensure security and integrity to the extent the use of the consumer’s Personal Information is reasonably necessary and proportionate for those purposes· Debug to identify and repair errors that impair existing intended functionality· Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law· Comply with the California Electronic Communications Privacy Act· Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided we have obtained your informed consent· Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us· Comply with an existing legal obligation –or–· Otherwise use your Personal Information, internally, in a lawful manner that is compatible with the context in which you provided the information |
| Right of Correction | If we maintain inaccurate Personal Information about you, you have the right to request us to correct that inaccurate Personal Information. Upon receipt of a verifiable request from you, we will use commercially reasonable efforts to correct the inaccurate Personal Information. |
| Protection Against Retaliation | You have the right to not be retaliated against by us because you exercised any of your rights under the CCPA/CPRA. This means we cannot, among other things:· Deny goods or services to you· Charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties· Provide a different level or quality of goods or services to you –or–· Suggest that you will receive a different price or rate for goods or services or a different level or quality of goods or servicesPlease note that we may charge a different price or rate or provide a different level or quality of [goods and/or services] to you, if that difference is reasonably related to the value provided to our business by your Personal Information. We may also offer loyalty, rewards, premium features, discounts, or club card programs consistent with these rights or payments as compensation, for the collection of Personal Information, the sale of Personal Information, or the retention of Personal Information. |
12. Accountability.
12.1 Terms of Use
If a customer chooses to enter into a purchase order OR to subscribe to ThreatConnect’s services, customer’s action is hereby deemed acceptance of ThreatConnect practices described in this policy statement. Any dispute over privacy between customer and ThreatConnect is subject to the provisions of this notice.
12.2 Questions, Problems and Complaints
If you have a question about this policy statement, or a complaint about ThreatConnect compliance with this privacy policy, you may contact ThreatConnect by email: privacy@threatconnect.com.