Security Risk Advisors Intl, LLC – Privacy Statement

At Security Risk Advisors Intl, LLC (“SRA”, “we”, “us” and “our”) we understand that privacy is important. As part of our security testing, engineering, cyber security operations center, advisory services (the “Services”) and the SRA websites, currently at https://sra.io, https://siftr.sra.io, and https://vectr.io (the “SRA Sites”).

Each company, person or entity who uses our Services is referred to as a “user” or “you” or “your.” This Privacy Statement applies to each user.

This document is our statement of our privacy practices (“Privacy Statement”). Among other things, it explains how we and some of the companies we work with collect, use, share and protect the information you provide to us or that we develop on your behalf (“Content”). The Content may include personally-identifiable information, including without limitation name, address, telephone numbers, electronic mail and postal addresses, and other sensitive information that identifies or is uniquely associated with an individual (collectively, “Personal Data”). This Privacy Statement also discusses your choices about the collection, storage and use of your Personal Data.

Any Content that is not Personal Data is referred to as “Non-Personal Data.” Non-Personal Data may include information about how users interact with us and use the Services, what Services users select, how users respond to service offerings, how users share information with others, what users say they like and dislike, but none of this information identifies individuals (collectively, “Behavioral Data” which is a type of Non-Personal Data).

This Privacy Statement does not apply to any other websites, mobile applications, businesses, or the VECTR community software available at https://github.com/SecurityRiskAdvisors/VECTR. This Privacy Statement applies to any Personal Data and other Content we collect or process via any means; although the focus of this Privacy Statement is on Content we collect via our Services.

By using our Services, you consent to the collection, transfer, analysis, transformation, storage, disclosure and other uses of your Content, including your Personal Data, as described in this Privacy Statement.

1. Information We Collect

As noted above, we collect Content from you while providing the Services. Some of the Content is Personal Data that we use to contact you and verify you as a user, and which is necessary to provide the Services. Other Content we collect from you includes Behavioral Data and other Non-Personal Data that we use to improve our Services, and the services of others.

We collect many different types of information from you, both directly and indirectly.

Information you provide us directly

We may collect the following information from you.

  • Profile information. You may provide us with your name, address and other profile and billing information.
  • Location Information. We may ask for your postal address or your geographic location information. You may provide your location information, including global positioning system (“GPS”) data or other location information.
  • Communications between you and SRA: We may send you emails, SMS or text messages, and other electronic communications for user authentication, sales and delivery, notices of changes/updates to features of the Services, technical and security notices, and for other purposes. We may collect and store these communications.

Information we gather from your use of our Services

We collect the following information from your use of our Services.

  • Emails. We may save private emails sent to us by users, and we may share your emails with any third parties or other users. You may elect to disclose certain Personal Data and Non-Personal Data.
  • Analytics. We may use third-party analytics tools to help us measure traffic and usage trends and other Non-Personal Data for the Services. These tools collect information sent by your device or our Services, including how you use the App, the web pages you visit on the Site, add-ons, and other information that assists us in improving our Services.
  • Metadata. Metadata is usually technical data that is associated with other data, including Content. For example, metadata can describe how, when and by whom an item of Content was collected and how that Content is formatted. SRA may collect and store metadata, including about each user’s public posts on the Services.
  • Log Data. Our servers automatically record information (“Log Data,” which is a type of Non-Personal Data) created by your use of the Services. Log Data may include information such as your Internet Protocol (“IP”) address when you access the App or the Site. SRA uses log data to review how we provide our Services and to measure, customize, and improve the Services.

2. How We Store Your Information

We currently provide the Services from within the United States, and we store all Content, including Personal Data, that we currently collect and retain on servers inside the United States.

Certain types of Content you submit to us might reveal your gender, ethnic origin, nationality, age, religion, sexual orientation, or other Personal Data about you or others.

By using our Services, or by submitting your Personal Data to us, you consent to the collection, storage, processing and onward transfer of your Personal Data as stated in the current version of this Privacy Statement.

3. How We Use Your Information

We share and use your Personal Data in the following circumstances:

  • Partners of SRA. We may share your Personal Data with any subcontractors or other companies (“Partners”) to sell and provide the Services.
  • Cookies. Cookies are unique identifiers that are transferred to your device to enable information systems to recognize your device, and to provide features and remember your personalization choices. We do not use cookies at this time.
  • Do Not Track. Do Not Track (DNT) is a privacy preference that users can set in certain web browsers. We currently do not read or follow any “do not track” settings on users’ devices.
  • Opt-out Email or Postal Address. If you supply us with your postal or email address you may receive periodic mailings from us with information on new goods and services or upcoming events. If you do not want to receive such mailings, please let us know by sending an email to us at the “Contact Us” address below. We will remove your name from the list we use internally. Opting out of these emails does not mean we remove your email from our system entirely, because we still retain your email addresses for other purposes.
  • Required by Law. We may access, preserve and share your Personal Data in response to a legal request (like a search warrant, court order or subpoena). We may also access, preserve and share Personal Data when we have a good faith belief it is necessary to: detect, prevent and address fraud and other illegal activity; to protect ourselves, you and others, including as part of investigations; and to prevent death or imminent bodily harm. Information we receive about you may be accessed, processed and retained for an extended period of time when it is the subject of a legal request or obligation, governmental investigation, or investigations concerning possible violations of our terms or policies, or otherwise to prevent harm.
  • Change of Control. If we sell or otherwise transfer part or the whole of SRA or our assets to another organization (e.g., in a merger, acquisition, or reorganization), your Personal Data such as user name and email address, other Content and any other information collected through the Services may be among the items transferred.
  • Non-Personal Data. Currently, we do not share your Non-Personal Data except to analyze and provide the Services. Non-Personal Data includes aggregated or collective information about multiple users that does not reflect or reference an individually-identifiable user.
  • Other. In addition to some of the specific uses of information we describe in this Privacy Statement above, we may use Personal Data that we receive to:
    • help you efficiently access your information after you sign in.
    • remember information so you will not have to re-enter it during your visit or the next time you visit the Services.
    • provide, improve, test, and monitor the effectiveness of our Services.
    • develop and test new products and features.
    • monitor metrics such as traffic and usage patterns.
    • diagnose or fix technology problems.

4. Your Right to Review, Request Changes, and Disclose Personal Data

Where required by applicable laws and regulations, each user may inspect and receive a copy of the user’s Personal Data as stored in the Services. In rare circumstances, we may deny a request, and we may provide you with an explanation. If we deny your request, you may request a review by another professional, who will be chosen by SRA, and we will comply with the outcome of the review.

Subject to applicable laws and regulations, the Personal Data you provide to us remains under your control. If you believe the Personal Data we have is incorrect or incomplete, you may in writing request an amendment to your Personal Data. We will approve or deny each request, and notify you of our decision. If approved, we will amend the Personal Data. We will also make a reasonable effort to notify people to whom the Personal Data was released. In the case of a denial, we will provide the reason for the denial and instructions on how to appeal.

5. Children

Our Services are not directed to persons under age 18. If you are the parent or guardian of a person under 18, and you become aware that your young person has provided us with Personal Data or Content without your consent, please contact us at Info@sra.io and we will delete the Personal Data or other Content.

6. Changes to this Privacy Statement

We may modify our Privacy Statement from time to time on prior written notice sent to the email or other address we have for you. For any user who has not provided us with an email or other address, the revised Privacy Statement will become effective ten (10) calendar days after posting on the Services. If you choose not to be subject to a revised version of this Privacy Statement, then you may terminate your use of our Services.

7. Different Locations, Different Laws

The laws and regulations that address privacy rights and responsibilities (collectively, “Laws”) differ from one jurisdiction to another. Laws also change from time to time. Whether a particular Law applies to us and to you depends on different factors, including:

  • Location or residence of the user.
  • Location or residence of the individual that is the subject of the Personal Data (“Data Subject”).
  • Location or residence of the person or organization that employs or contracts with the Data Subject.
  • Location of each server or other machine where the Personal Data is received, stored, or processed.
  • Location of the relevant office of SRA or any company that processes Personal Data.

Several of the Laws that concern users and SRA are discussed below, but these are not all of the Laws that may apply. In addition, if there is any conflict or ambiguity between the statements made in this Privacy Statement and an applicable Law, then the Law will control.

7.1 United States Federal and State Laws

Several of the federal Laws in the United States may apply to the Personal Data collected by us. Congress has passed several federal information privacy and security laws, while each state in the United States has passed and enforces information privacy and security laws that apply to Data Subjects, Data, and businesses resident in that state.

Currently, all Personal Data of SRA users is stored on servers and other machines physically located within the United States.

7.1.1 Health Insurance Portability and Accountability Act (“HIPAA”)

Currently, HIPAA does not apply to the Services as we are neither a covered entity nor a business associate (as those terms are used in HIPAA).

7.1.2 Children’s Online Privacy Protection Act (“COPPA”)

Currently, COPPA does not apply to the Services. Each user must be 18 years of age or older. As noted in this Privacy Statement, if we learn any user is under the age of 18, or if any parent or guardian contacts us, we will delete all information provided by the individual from our Services.

7.2 Your California Privacy Rights

This section supplements the information contained elsewhere in our Privacy Statement and applies to all visitors, users, and others who reside in the State of California (“consumers” or “you”). This notice of privacy rights has been adopted in order to comply with California’s Laws, including the California Consumer Privacy Act of 2018 (“CCPA”). Any terms defined in the CCPA have the same meaning when used in this Privacy Statement. For further information about your rights under California’s privacy laws, please see California’s “Privacy Laws” website at https://oag.ca.gov/privacy/privacy-laws or any website that supplements or replaces it.

You have the right under the CCPA and other California privacy and data protection Laws, as applicable, to exercise these rights free of charge:

7.2.1 Disclosure of Personal Data We Collect About You

7.2.1.1 You have the right to know:

  • The categories of Personal Data we have collected about you;
  • The categories of sources from which the Personal Data is collected;
  • Our business or commercial purpose for collecting or selling Personal Data;
  • The categories of third parties with whom we share Personal Data, if any; and
  • The specific pieces of Personal Data we have collected about you.

Please note that we are not required to:

  • Retain any Personal Data about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained;
  • Re-identify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered Personal Data; or
  • Provide the Personal Data to you more than twice in a 12-month period.

7.2.1.2 Disclosure of Personal Data Sold or Used for a Business Purpose

  • In connection with any Personal Data we may sell or disclose to a third party for a business purpose, you have the right to know:
    • The categories of Personal Data about you that we sold and the categories of third parties to whom the Personal Data was sold; and
    • The categories of Personal Data that we disclosed about you for a business purpose.
  • We have provided a table of this information below.

7.2.1.3 Disclosure of Personal Data to Third Party for Direct Marketing

  • If you are a California resident, California Civil Code Section 1798.83 permits you to request information regarding the disclosure of your Personal Data by us to third parties for the third parties’ direct marketing purposes. To make such a request, see the section “How to Exercise Your Rights,” below.
  • Pursuant to California Civil Code Section 1798.83(c)(2), we do not share users’ Personal Data with affiliate companies or others outside SRA for those parties’ direct marketing use.

7.2.1.4 Right to Deletion

  • Subject to certain exceptions set out below, on receipt of a verifiable request from you, we will:
    • Delete your Personal Data from our records; and
    • Direct any service providers to delete your Personal Data from their records.
  • Please note that we may not delete your Personal Data if it is necessary to:
    • Complete the transaction for which the Personal Data was collected, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between you and us;
    • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity;
    • Debug to identify and repair errors that impair existing intended functionality;
    • Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;
    • Comply with the California Electronic Communications Privacy Act;
    • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, provided we have obtained your informed consent;
    • Enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us;
    • Comply with an existing legal obligation; or
    • Otherwise use your Personal Data, internally, in a lawful manner that is compatible with the context in which you provided the information.

7.2.1.5 Protection Against Discrimination

  • You have the right to not be discriminated against by us because you exercised any of your rights under the CCPA. This means we cannot, among other things:
    • Deny goods or services to you;
    • Charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
    • Provide a different level or quality of goods or services to you; or
    • Suggest that you will receive a different price or rate for goods or services or a different level or quality of goods or services.
  • Please note that we may charge a different price or rate, or provide a different level or quality of goods or services to you, if that difference is reasonably related to the value provided to you by your Personal Data.

7.2.1.6 Categories of Information We Collect

  • The CCPA applies to “information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device,” which we refer to as Personal Data in this Privacy Statement.
  • The following list details categories of Personal Data and indicates whether we collect this data, the commercial or business purpose behind the collection, and whether the Personal Data is shared with, or sold to, a third party.

Each entry below gives, for one category: whether we collect it; the business purpose; whether it was shared with a 3rd party in the past 12 months; and whether it was sold to a 3rd party in the past 12 months.

  • A. Personal Data and other identifiers, such as your name, email address. Collected: Yes. Business purpose: Required for the Services’ functionality and for billing. Shared with 3rd party in past 12 months: No. Sold to 3rd party in past 12 months: No.
  • B. Characteristics of protected classifications under California or federal law, such as age, race, religion, military status. California provides a list of its classes at https://www.senate.ca.gov/content/protected-classes. The Federal EEOC provides a list of Federal classes at https://www.eeoc.gov/laws/types/. Collected: No. Business purpose: No. Shared with 3rd party in past 12 months: No. Sold to 3rd party in past 12 months: No.
  • C. Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. Collected: No. Business purpose: No. Shared with 3rd party in past 12 months: No. Sold to 3rd party in past 12 months: No.
  • D. Biometric information. Collected: No. Business purpose: No. Shared with 3rd party in past 12 months: No. Sold to 3rd party in past 12 months: No.
  • E. Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application or advertisement. Collected: No. Business purpose: No. Shared with 3rd party in past 12 months: No. Sold to 3rd party in past 12 months: No.
  • F. Geolocation data. Collected: No. Business purpose: No. Shared with 3rd party in past 12 months: No. Sold to 3rd party in past 12 months: No.
  • G. Audio, electronic, visual, thermal, olfactory, or similar information. Collected: No. Business purpose: No. Shared with 3rd party in past 12 months: No. Sold to 3rd party in past 12 months: No.
  • H. Professional or employment-related information. Collected: Yes. Business purpose: May be voluntarily provided by customers to enhance SRA’s engagement. Shared with 3rd party in past 12 months: No. Sold to 3rd party in past 12 months: No.
  • I. Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99). Collected: No. Business purpose: No. Shared with 3rd party in past 12 months: No. Sold to 3rd party in past 12 months: No.
  • J. Inferences drawn from any of the information in the categories above to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. Collected: No. Business purpose: No. Shared with 3rd party in past 12 months: No. Sold to 3rd party in past 12 months: No.

7.2.1.7 Why We Collect Your Personal Data

  • We use your Personal Data for the following reasons:
    • As needed to provide the Services and bill you for them;
    • Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity;
    • Debugging to identify and repair errors that impair existing intended functionality;
    • Performing services on behalf of the business or service provider, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services on behalf of the business or service provider;
    • Undertaking internal research for technological development and demonstration.

7.2.1.8 Parties With Whom We Share Your Personal Data

  • We routinely share Personal Data with:
    • service providers we use to help deliver our services to you;
    • other third parties we use to help us run our business;
    • our business advisors, including accounting and legal professionals;
    • our insurers and brokers; and
    • our banks.

7.2.2 Your Right to Opt-Out

If you are a California resident 16 years of age or older, you have the right to opt out from the collection and sale of your Personal Data. As we’ve stated in the sections titled “Children” and “How Old are You?”, minors are not permitted to register to use our site; however, if you are the parent or guardian of a minor, please contact us as stated below to tell us that we may not sell your Personal Data.

7.2.3 Rights of Minors

As stated in the sections titled “Children” and “How Old are You?,” minors are not permitted to register to use our site. However, if you are a California resident under the age of 18, and a registered user of any site where this Privacy Statement is posted, California Business and Professions Code Section 22581 permits you to request and obtain removal of content or information you have publicly posted. To make such a request, please send an email or letter with a detailed description of the specific content or information to the addresses provided in the sections below entitled “How to Exercise Your Rights” or “Contact Us.” Please be aware that such a request does not ensure complete or comprehensive removal of the Content or information you have posted and that there may be circumstances in which the law does not require or allow removal, even if requested.

By submitting any Personal Data or other Content to us, or by using our Services, you consent to the storage, processing, use and onward transfer of your Personal Data and other Content to us in the United States.

7.2.4 Verifying Your Identity

If you choose to contact us directly, you may need to provide us with:

  • Enough information to identify you (e.g., your full name, address and customer or matter reference number);
  • Proof of your identity and address (e.g., a copy of your driving license or passport and a recent utility or credit card bill); and
  • A description of what right you want to exercise and the information to which your request relates.

7.3 EU/EEA Citizens

The EU General Data Protection Regulation (GDPR) grants individuals who are in the European Union and European Economic Area (EU/EEA) certain rights, with some limitations. We will establish a system to enable and facilitate the exercise of data subject rights related to:

  • Information access;
  • Objection to processing;
  • Objection to automated decision-making and profiling;
  • Restriction of processing;
  • Data portability;
  • Data rectification; and
  • Data erasure.

We are not obligated to make a data access or data portability disclosure if we cannot verify that the person making the request is the person about whom we collected information, or is someone authorized to act on such person’s behalf.

Any Personal Data we collect from you to verify your identity in connection with your request will be used solely for the purposes of verification.

8. How to Exercise Your Rights

If you would like to exercise any of your rights as described in this Privacy Statement, please:

  • Complete a data subject request form, available by request. Email info@sra.io for a form;
  • Call us, toll-free, at 215.867.9051;
  • Email us at info@sra.io; or
  • Write to us at Attn: Privacy, Security Risk Advisors Intl, LLC, 1760 Market Street, 3rd Floor, Philadelphia, PA 19103, USA.

Please note that you may only make a data access or data portability disclosure request twice within a 12-month period.

9. Use of Email Addresses and Other Contact Information

We collect the email addresses of those who voluntarily provide them to us. You may receive messages from the Services or from us. If you do not want to receive email from us in the future, please let us know at info@sra.io.

10. Contact Us

If you have questions or concerns about this Privacy Statement, please contact us at:

Security Risk Advisors
1760 Market St, 3rd Floor
Philadelphia, PA 19103
Attn: Privacy and Compliance Officer

Phone: 215.867.9051
Email: info@sra.io

11. Revision Date and History

This Privacy Statement was last revised: August 30, 2021.

Prior versions of this Privacy Statement are listed below:

  • March 30, 2021
  • November 20, 2019