DATE OF LAST REVIEW: DECEMBER 20, 2018
1. Definitions. As used in this policy, the terms listed below will have the following meanings:
1.1. “Anonymous Information” means information that does not relate to an identified or identifiable natural person or to Personal Data rendered unable to identify a natural person. “Anonymized” or “Anonymization” is the process of making information anonymous.
1.2. “CAL™” or “Collective Analytics Layer” is a proprietary Threat Analysis Tool that operates with the ThreatConnect Platform and aggregates a worldwide scope of threat intelligence data and information, including OSINT, from all available sources, both internal and external to the ThreatConnect Platform, including from all users and Online Communities of any Products for which CAL is engaged.
1.3. “CAL Data” means anonymized or pseudonymized Indicators of Compromise that CAL automatically ingests and that are aggregated and co-mingled into all other data, information, and tools available on CAL to enrich the threat analysis capabilities of the ThreatConnect Platform for the benefit of all ThreatConnect users globally.
1.4. “Cloud” is a remote instantiation of the ThreatConnect Platform which is administratively controlled by ThreatConnect in a secure manner for multiple users, and for which organizational access to the account is controlled by the User. CAL and certain other vendor services (i.e., Pendo) are always active and engaged for Cloud users.
1.6. “Data Protection Laws” means GDPR and any and all other laws, rules and regulations of any jurisdiction applicable to us or to our Services from time to time, as amended.
1.7. “Data Subject” means an identified or identifiable person to whom Personal Information relates.
1.8. “Dedicated Cloud” is a remote instantiation of the ThreatConnect Platform which is licensed to a single organization who possesses all administrative control of its Instance, including the creation of organizations and sub-organizations and the engagement of vendor services.
1.9. “GDPR” means the EU General Data Protection Regulation 2016/679 of the European Parliament and the European Council dated April 27, 2016 and all amendments and successors thereto.
1.10. “Instance” is a single instantiation of our cloud-based ThreatConnect Platform, which can be either a Cloud, Dedicated Cloud, or On-Premises deployment of the application.
1.11. “IOCs” or “Indicators of Compromise” are the information and technical data (e.g., IP address, domain name, hashes of malware, URLs and elements of valid or spoofed personal information) associated with an actual or attempted hack, intrusion, attack, release or compromise of the security of any data, network, device or information system or which may identify the existence or possible existence of any other cybersecurity threat, vulnerability or risk.
1.12. “Legitimate Interests” include, with regard to the controller or processor: (i) internal administration of the company’s business, including the management of assets, staff and business risks, (ii) direct marketing, (iii) preventing fraud or other illegal activities, (iv) ensuring network and information security, including preventing unauthorized access or damage to electronic communications networks, stopping malicious code distribution and preventing DNS attacks, (v) the establishment or defense of legal claims by the company or on behalf of a third party, and (vi) for purposes of public safety & health or other public interest, whether or not subject to action by a governmental authority.
1.13. “Online Communities” are those publicly available areas and other interactive features of the Sites or ThreatConnect Platform, such as Workspaces, user profiles, forums and message boards, with which users can share data and information for access by other users. Other than your password, your registration information (i.e., name, email address, user ID and avatar photo, if selected) will be available to all members of any Online Community or Workspace you join and to which you contribute User Shared Data.
1.14. “Personal Data” means, as defined in Article 4(1) of the GDPR, any information relating to an identified or identifiable natural person (i.e., Data Subject).
1.15. “Personal Information” means Personal Data, personally identifiable information, or any other such information that is protected under any Data Protection Laws, that is not encrypted or Anonymized.
1.16. “Processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, retrieval, use, transmission, dissemination, erasure or destruction.
1.17. “Products” mean any or all of our proprietary threat intelligence tools or services, including TC Complete, TC Identify, TC Manage, TC Analyze, TC Exchange and CAL, and any other tools or software developed by us from time to time.
1.18. “Pseudonymization” means the processing of Personal Data such that it can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to protect against the attribution of such data to an identified or identifiable natural person. “Pseudonymized Information” is data that has undergone the process of pseudonymization.
1.19. “OSINT” or “Open Source Intelligence Feeds” means third-party products or tools that are used in or made available to users through our ThreatConnect Platform which provide cybersecurity threat, incident or adversary data, information or IOCs.
1.20. “Site” or “Sites” means the website ThreatConnect.com, including all subdomains thereof.
1.21. “Sub-Processor” means any third-party that we engage to Process Personal Information for or on behalf of you or for any other business purposes with you.
1.22. “TAP” or “ThreatConnect Authorized Personnel” means any of our employees or other authorized agents who need to know or otherwise have access to Personal Information in order for us to perform our obligations to you.
1.23. “ThreatConnect Data” means all data and information, other than User Data that is subject to Section 4.4.1, that is created, developed, licensed, stored, accessed and/or used in the ThreatConnect Platform (including all User Shared Data), all right, title and interest to which is held by us.
1.24. “ThreatConnect Platform” means our proprietary collaborative security operations and analytics platform that combines threat data collection, analysis, collaboration and expertise from a wide variety of sources into a single platform and is the operating platform for all of our Products and Threat Analysis Tools, including CAL.
1.25. “ThreatConnect Processing Authorities” means our respective legal bases for the collection and Processing of Personal Information as defined in Section 10.4. Our data processing is based upon performance of a contract, public interest and legitimate interests. Our collection and Processing of Personal Information in connection with your purchase, acquisition, use or license of any of our Products and Services, including use of the ThreatConnect Platform, is lawful and necessary on the basis of (i) the performance of a contract between you and us or at your request in anticipation of formation of such a contract, (ii) the performance of a task carried out in the public interest, whether or not the subject of action by a public authority (including but not limited to the protection and enhancement of network and information security), and/or (iii) our other Legitimate Interests.
1.26. “Threat Analysis Tools” means cyber threat-related inventions, software and information, whether proprietary to ThreatConnect or licensed by us from a Vendor and integrated into our Services.
1.27. “User Data” means a user’s Personal Information, text, documents, content, code, software, video, images, music, sound, messages, tags or other materials of any type exclusive of any ThreatConnect Data.
1.28. “User Shared Data” means any and all elements of User Data that a user uploads, submits, posts, emails, transmits or otherwise makes available to or through the use of CAL or to an Online Community, and all IOCs identified in a user’s Instance.
1.29. “Vendors” mean our suppliers and licensors which enable us to perform our Services, including our providers of (i) IP information & analytics, (ii) human resource information systems, (iii) OSINT and Threat Analysis Tools, and/or (iv) other security-related products or services.
1.30. “You,” “Your” or “User” means any and all authorized personnel of a client, organization, or entity which is the user account holder. Any right or obligation of an individual user may be administered by or under the authority of its employer or other account holder and the exercise of Data Subject Rights may not conflict with an individual user’s duties to its employer, including duties of confidentiality with regard to employer data.
1.31. “We,” “Us” or “Our” means ThreatConnect, Inc. including ThreatConnect, Inc., licensors and any and all ThreatConnect Authorized Personnel.
Welcome to the website of ThreatConnect, Inc., a Delaware corporation (“ThreatConnect,” “We,” “Us” or “Our”), where we provide our users (collectively, “You,” “Your” or “User”) with access to our Products, to our support services and to other resources relating to cyber security (collectively, the “Services”).
We have developed the ThreatConnect Platform, a proprietary collaborative security operations and analytics platform that combines threat data collection, analysis, collaboration and expertise from a wide variety of sources into a single platform. Our platform provides software, information and tools to detect, track, analyze and defend against all manner of cyber threats through both on-premises and remote cloud applications.
3.1 Our Commitments to You. We are committed to safeguarding the privacy of all visitors to this Site and any other Sites operated by us (collectively, the “Sites”) as well as online users of our Products and Services in accordance with applicable law. What that means is:
- WE DO NOT TRACK OR PROFILE OUR SITE VISITORS OR USERS OF OUR SERVICES FOR ANY PURPOSE OTHER THAN FOR THE MARKETING, PERFORMANCE AND DELIVERY OF OUR SERVICES;
- WE DO NOT SHARE ANY PERSONAL DATA WITH THIRD PARTIES FOR THEIR TRACKING OR PROFILING OF OUR USERS OR FOR THE MARKETING OF THEIR OWN PRODUCTS OR SERVICES; AND
3.2 Children. The Sites are not intended for nor directed to children and children are not eligible to use our Services. Protecting the privacy of children is very important to us. We do not collect or maintain Personal Information from people we actually know are under 13 years of age, and no part of our Sites or Services is designed to attract people under 13 years of age. If we later learn that a user is under 13 years of age, we will take steps to remove that user’s Personal Information from our databases and prevent the user from utilizing the Sites and the Services.
4. How Our Services & Platform Work
4.1 Site Visitor. A user may visit our Sites at any time with or without acquiring any of our Products and Services but will still be subject to the terms of this policy. Site Visitor data will automatically be Processed by us and by certain Vendors for our own business and marketing purposes and will retain its character as Personal Information.
4.2 User Account Set-Up. A user which desires to acquire any of our Services will register an account, select the Product desired, complete the acquisition requirements and determine the configuration and scope of such Services. The user will select an appropriate Product, and Instance type (i.e., Cloud, Dedicated Cloud, or On-Premises), organize that Product with the appropriate access rights, administrative privileges and, if applicable, community of users and determine the specific Threat Analysis Tools, OSINT and User Data to upload, access or make available to or through its Instance. [All User Data relating to a User’s Product which constitutes Personal Information – excluding CAL Data – retains its character as Personal Information.]
4.3 CAL Access to User Data. For maximum benefit from the ThreatConnect Platform, our CAL tool must be engaged. It is automatically active for all Cloud based Products and is an optional, recommended feature of all Dedicated Cloud and On-Premises Instances of the Products. Organization(s) administering Dedicated Cloud and On-Premises instances of the Product may opt-out of CAL access to CAL Data at any time which will apply to all organization Users within such instance. CAL DATA IN ITS PROCESSED FORM IS UNRECOVERABLE TO ANY USER, POSSESSES OR RETAINS NO DATA SUBJECT RIGHTS AND IS INTEGRAL TO THE PUBLIC SECURITY PURPOSES OF THE THREATCONNECT PLATFORM.
4.4 Two Classes of Processed User Data. The access and use of our Sites, Products and Services will result in the creation of the following classes of User Shared Data:
4.4.1 User Data that continues to identify a User because you provide User Shared Data or We receive it (a) in accordance with the terms of the Agreement between ThreatConnect and User, (i) through Your account with Us or (ii) through Your use of Our Products and Services exclusive of any CAL Data, or (b) as User Shared Data posted by the User to an Online Community. The User acknowledges that User Data under this Section may include Personal Data which was inadvertently shared by the User.
4.4.2 User Data that no longer continues to identify a User because it was shared and processed into CAL Data, or was shared with an Online Community. The rights to such anonymized or pseudonymized User Shared Data may be used by us for our Legitimate Interests as described in Section 10.2. Data Subject Rights do not apply to this User Shared Data.
5. How We Collect Information
5.1 Collection Sources. Our means and methods of collecting Personal Information include:
- We collect Personal Information that you submit to us voluntarily, including when you register an account and when you use our Sites and/or any of our Services;
- Each time you request information from us or communicate with us through our Sites, register or attend an event or webinar, participate in telephonic communications with us or by sending us an email, we may collect and store any information that is contained in or otherwise associated with your communications, including internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and other technology on the devices you use to access our Sites;
- We may receive personal information about you from various third parties and public sources, including from data analytics providers and our social media pages;
5.2 Listing of Information & Data Analytics Vendors. Our current set of information and analytics Vendors includes the following, but these Vendors are not all engaged for all users or for all Services. Their applicability varies by Service and by user selection:
- Adroll https://www.adroll.com
- Amazon Web Services https://aws.amazon.com
- Atlassian https://www.atlassian.com
- Coastal Cloud https://coastalcloud.us/
- Dstillery https://dstillery.com
- Google https://www.google.com
- HotJar https://www.hotjar.com
- HubSpot https://hubspot.com
- LogMeIn https://logmein.com
- MarketMakers https://www.marketmakers.co.uk
- Microsoft https://microsoft.com
- Onehub https://www.onehub.com
- Oracle https://www.oracle.com
- Pendo https://www.pendo.io
- Rainking https://discoverorg.com
- Salesforce https://www.salesforce.com
- SalesLoft https://salesloft.com
- Slack https://slack.com
- Zapier https://zapier.com
This list is subject to change at any time. Changes to this list will be published in a timely manner in compliance with applicable regulation.
5.3 Listing of Sub-Processors. Our current Sub-Processors include Amazon Web Services, Pendo, Google, Salesforce, HubSpot, HotJar, SalesLoft, Rainking, Oracle, Slack, LogMeIn, Adroll, Zapier and Dstillery, but not all of these Sub-Processors are engaged for all users or for all Services. The configuration of Dedicated Cloud and On-Premises Instances can be specifically customized for a User that may disallow services provided by some of these Sub-Processors.
6. How We Use Your Personal Information
6.1 Purpose. We use all Personal Information collected or received by us for purposes of the performance of this policy, including the development, delivery and performance of our Products and Services.
6.2 Purposes Defined. We Process your Personal Information for several business purposes, including the following:
- To Process your requests and provide you with access to our Services and customer support, including administering your account;
- To market our Products and Services to you, including through your subscriptions to our email notifications and/or newsletters;
- To sell the products or services of third parties we believe may be of interest to you, subject to your opportunity to opt-out of those communications;
- To respond to your requests and questions, resolve disputes and/or trouble-shoot problems with our Services;
- To improve the quality of and communicate with you about our Sites and Services;
- To process information relating to transactions that you enter into with us, including your purchases of our Products and Services or other goods and services available through our Sites; and/or
- To create Anonymized Information, Pseudonymized Information or CAL Data by removing or otherwise Processing personally identifiable information.
6.3 We may also Process your Personal Information where necessary for the exercise of our ThreatConnect Processing Authorities, including the establishment, exercise or defense of legal claims, the exercise of our Legitimate Interests or any other rights, duties or obligations that we may hold under applicable law.
7. Providing Your Personal Data to Others
7.1 We may disclose your Personal Information to our Sub-Processors, Vendors and ThreatConnect Authorized Personnel only if and to the extent necessary for the purposes of this policy, including the exercise of our ThreatConnect Processing Authorities. We will ensure the reliability and training of all ThreatConnect Authorized Personnel as to the confidential nature of all Personal Information and will ensure that they have either executed confidentiality agreements or are otherwise subject to equivalent duties of confidentiality with regard thereto.
7.2 We will limit access to Personal Information to only authorized Sub-Processors and Vendors who have executed confidentiality agreements or are otherwise subject to confidentiality obligations with regard to the Processing of Personal Information (including, when appropriate, the execution of data processing agreements).
7.3 We may disclose your Personal Information to our insurers and/or professional advisers if and to the extent necessary for obtaining or maintaining insurance coverage, managing risks, obtaining professional advice or the establishment or defense of legal claims.
7.4 Financial transactions relating to our Site and Services may be handled by our payment services providers (e.g., banks, credit card company, etc.). We will share transaction data with our payment services providers only to the extent necessary for purposes of processing payments or refunds or resolving issues relating thereto and only when they are subject to appropriate Data Protection Laws.
7.5 We may also disclose your Personal Information when necessary for compliance with a legal obligation to which we are subject, in order to protect your vital interests or the vital interests of another natural person or where disclosure is necessary for the establishment or defense of legal claims or other exercise of our ThreatConnect Processing Authorities.
8. International Transfers of Your Personal Information
8.1 Your Personal Information may be transferred to countries outside the European Economic Area (EEA), to (i) our offices or facilities in the United States or in other countries, (ii) to one of our Sub-Processors (e.g., Amazon Web Services or other data hosting providers); and/or (iii) to one or more of our Vendors.
8.2 Transfers of your Personal Information in all such cases will be protected by appropriate safeguards, including when appropriate, the use of standard data protection clauses adopted or approved by the European Commission, the use of binding corporate rules, in accordance with the Swiss-U.S. and EU-U.S. Privacy Shield Framework and Principles issued by the U.S. Department of Commerce (“Privacy Shield”) or appropriate alternative adequate safeguards in compliance with applicable Data Protection Laws concerning international and onward data transfers.
8.3 You acknowledge that any and all User Shared Data or other User Data access by or through the use of CAL may be accessed, available or used throughout the world, in Anonymized, Pseudonymized or other processed form, that identification and recovery of such data is lost and that access of such data by others cannot be tracked, discovered or restricted.
9. Your Data Subject Rights
9.1 Summary. This section summarizes your rights with regard to your Personal Data under certain Data Protection Laws (“Data Subject Rights”). These rights are complex and not all relevant details are included here. You should read the relevant laws and the available guidance from the relevant regulatory authorities and review recent cases interpreting those requirements in order to fully understand the scope and applicability of these Data Subject Rights.
9.2 When Data Rights Do Not Apply. These Data Subject Rights only apply to the extent that the Personal Data retains its character as Personal Data. Even then, certain Data Subject Rights are overridden by the legal basis upon which the Processing occurs. These Data Subject Rights do not apply to the extent that the Personal Data under consideration is governed by our Legitimate Interests as described in Section 10.2, which override and outweigh the applicability of such Data Rights.
9.3 Data Subject Rights Described. Your principal rights to Personal Data include, when and as applicable, the following. The following is a general statement of potential Data Subject Rights and does not imply that all such rights exist in all cases or as to all users. If you wish to exercise any of these rights, please contact us at the email address located on the last page of this policy:
(a) The Right of Access. You have a right to have access to the Personal Data we hold about you and to verify that we are using your Personal Data lawfully. If asked, we will provide confirmation of what Personal Data we hold, together with certain additional information such as the purposes of the Processing, the categories of Personal Data concerned and the recipients of the Personal Data. Provided that our rights and interests or the rights and interests of others are not affected, we will supply you with a copy of your Personal Data or inform you of the rights you may have with regard thereto.
(b) The Right of Rectification. You have the right to have any Personal Data held about you which is inaccurate to be rectified and, taking into account the purposes of the Processing, to have any incomplete personal data about you completed.
(c) The Right to Erasure (Right to be Forgotten). In some circumstances you have the right to the erasure of your Personal Data. Those circumstances include when (i) the Personal Data is no longer necessary in relation to the purposes for which it was collected or processed; (ii) you withdraw consent to consent-based Processing such as marketing; (iii) you object to Processing and a balance of your rights against Legitimate Interests weighs in your favor, and/or (iv) the Processing is unlawful. However, there are exclusions of the right to erasure, including where Processing is necessary for compliance with Legitimate Interests which override the right to erasure.
(d) The Right to Restrict Processing. In some circumstances you have the right to restrict the Processing of your Personal Data. Those circumstances include when (i) you contest the accuracy of the Personal Data; (ii) Processing is unlawful but you oppose erasure of it; (iii) we no longer need the Personal Data for the purposes of our Processing; and (iv) you have objected to Processing but our verification of your objection is still pending. Where Processing has been restricted on this basis, we may continue to store your Personal Data but will only Process it with your consent, for our Legitimate Interests or upon governmental order or request.
(e) The Right to Object to Processing. You have a right to object, in certain circumstances, to our Processing of your Personal Data. Among other grounds, you may object to our Processing of your Personal Data if we do not honor your rightful withdrawal of consent-based Processing or when you disagree with our assertion of Legitimate Interests. In such case, we will no longer Process the applicable Personal Data unless we can demonstrate compelling Legitimate Interests for such Processing which override your Data Rights. But if you do object to our Processing, we will seek to accommodate your request to the extent practicable.
(f) The Right to Data Portability. To the extent that the legal basis for our Processing of your Personal Data is (i) your consent; or (ii) the Processing is necessary for the performance of a contract and such Processing is carried out by automated means, you have the right to receive your Personal Data from us in a structured, commonly used and machine-readable format. However, this right does not apply where it is outweighed by our Legitimate Interests or when it would adversely affect the rights or interests of others.
(g) The Right to Complain to a Supervisory Authority. If you believe that our Processing of your Personal Data violates GDPR, you have a legal right to lodge a complaint with a Supervisory Authority responsible for data protection in the EU member state of your residence, your place of work or the place of the alleged violation.
(h) The Right to Withdraw Consent. To the extent that our Processing of your Personal Data is based solely upon your consent, you have the right to withdraw such consent at any time, which will terminate such Processing. A withdrawal of your consent does not affect the lawfulness of any Processing based on consent before our receipt of your withdrawal of consent.
10. Legal Bases for Our Processing of Personal Information
10.1 Lawful Basis for Processing. As provided in Article 6 of GDPR, Processing is lawful only if and to the extent that at least one of the following justifications applies:
(a) The Data Subject has given consent to the Processing of his or her Personal Data for one or more specific purposes;
(b) Processing is necessary for the performance of a contract to which the Data Subject is party or in order to take steps at the request of the Data Subject prior to entering into a contract;
(c) Processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and/or
(f) Processing is necessary for the purposes of the Legitimate Interests pursued by the controller or by a third party, except where a balancing of such Legitimate Interests is overridden by the interests or fundamental rights and freedoms of the Data Subject.
10.2 Legitimate Interests. Under Article 11 of GDPR, if the purposes for which a controller processes Personal Data do not require the identification of a Data Subject, the controller shall not be obliged to maintain, acquire or process additional information in order to identify the Data Subject solely to comply with GDPR. Also, Data Subject Rights as set forth in Articles 15-20 of the GDPR do not apply unless the controller actually receives additional information that enables the Data Subject to be identified. This provision is further support for our Processing of Personal Information in Threat Analysis Tools, OSINT and CAL, which may contain inadvertent, incidental or unassociated elements of Personal Information of Data Subjects.
10.3 Processing Based Upon Consent. Our collection and Processing of Personal Data associated solely with (i) your visitation to our Sites, without the purchase or preparation for purchase of any Products or Services, or (ii) our own marketing purposes is based upon your voluntary, informed consent.
11. Security of Personal Information
Taking into account the state-of-the-art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we agree to implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Processing your Personal Information.
12. Retaining and Deleting Personal Information
12.1 Our data retention policies and procedures are designed to ensure that we comply with our legal obligations in relation to the retention and deletion of Personal Information, whether held by us or by any Sub-Processor or Vendor. We will take such reasonable steps as necessary to ensure that any duty or obligation that we have under this policy with regard to your Personal Information, including the return or erasure thereof, applies with equal effect to any Sub-Processor or Vendor with which we share such data.
12.2 Personal Information that we Process for any purpose will not be kept for longer than is necessary for the realization or completion of that purpose; provided that our Legitimate Interests justify a substantial retention period for the data subject to such Legitimate Interests and so long as they apply.
12.3 We will retain your Personal Information as follows:
(a) User Data that has retained its character as Personal Information will be held and retained by us for the longer of (i) your withdrawal of any consent for such data collected on the basis of your consent; (ii) your exercise of any right to erasure or portability of any User Data subject to such Data Rights; and (iii) the minimum period necessary for us to fulfill the purposes of our ThreatConnect Processing Authorities or meet our Legitimate Interests with regard to such User Data;
(b) User Data for which its character as Personal Information has been eliminated, will be retained by us in its Anonymized, Pseudonymized or processed form as ThreatConnect Data and should never be expected to be recoverable, erasable or returnable as Personal Information; and
12.4 Notwithstanding the other provisions of this Section 12, we may retain your Personal Information beyond the period set forth in Section 12.3 where such retention is necessary for compliance with a legal obligation to which we are subject, in order to protect your vital interests or the vital interests of another natural person or for us to meet our other Legitimate Interests.
14. Our Contact Information
14.1 This website is owned and operated by ThreatConnect.
14.2 Our principal place of business is located at 3865 Wilson Blvd, Suite 550, Arlington, Virginia 22203, phone: (703) 229-4240.
14.3 You can contact us:
(a) by mail to the address set forth in Section 14.2;
(b) by using our website contact form posted at https://threatconnect.com/contact;
(c) by telephone at (703) 229-4240; or
(d) by email to firstname.lastname@example.org.