Privacy Policy

Effective May 27, 2024

1. Who “we” are

When we say “Digital Risk Inc,” “we,” “us” or “our” in this Policy, we are referring to Digital Risk Inc.

2. Who “you” are

When we say “you,” we are referring to a customer, to a visitor to our Sites or to a participant at a Digital Risk Inc. event or activity, such as a conference attendee.  A “customer” is an entity or organization that has acquired a subscription to Digital Risk Inc. for Services (“business customer”).

3. Scope of Policy

In addition to describing our practices for collecting, using and disclosing personal information, this Policy describes the rights individuals have to control the use of their personal information.  When we say “personal information” in this Policy we are referring to any information relating to an identified or identifiable natural person, which may include the individual’s name, identification number, location data, email address, social media handle or other online identifier.  If you use the Services through a business customer (like your employer), the terms of the customer’s contract for the Services may restrict our collection or use of your personal information more than what is described in this Policy.

4. Changes to Policy

We may change this Policy from time to time. The most recent version of the Policy is reflected by the date at the top of this Policy. All updates and amendments are effective immediately upon notice, which we may give by any means, including by posting a revised version of this Policy or other notice on the Site. We encourage you to review this Policy often to stay informed of changes that may affect you.  Your continued use of the Sites or Services signifies your ongoing acknowledgment of this Policy.

5. Contacting us

Please contact us with any questions or comments about this Policy, including questions around how we process your personal information.  You can reach us by email at marketing@digitalriskinc.com.

INFORMATION COLLECTED

The following paragraphs 6 through 10 describe the personal information we collect.

6. Information you provide to us

When you register for or use the Services, modify your Services account, consult with our customer support or success teams, send us an email, participate in any interactive features of the Sites or Services, participate in a survey, participate in a contest, participate in a Digital Risk Inc. activity or event, apply for a job, integrate the Services with another website or service, or communicate with us in any way, you are voluntarily giving us information that we collect.  The types of personal information we may collect directly from you include your first name, last name, picture, employer name, job title, industry, username, email address, phone number, physical address, social media handle and IP address.  In cases where we ask you for certain information, for example when completing a form requesting a whitepaper, we will tell you what information is required.  If you are a customer, we also store the information that you provide to the Services, which in the case of a business customer may include the information types listed above with respect to the business customer’s personnel.

7. Information collected for and by our customers

If you are a customer using the Services, you may process personal information that you have collected from your own personnel as a business customer or other individuals.  You are responsible for making sure that you have appropriate permission for us to collect and process information about those individuals.  If you are an employee or contractor of one of our business customers, please contact that business customer directly to update or delete your information.  If you contact us, we will provide notice to our business customer of your request.  If you are an EU resident, please refer to paragraph 23 for additional detail.

8. Information we collect from your use of Services

We receive information about how and when you use the Services, store it in log files or other types of files associated with your account, and link it to other information we collect about you. This information includes, for example, your IP address, time, date, browser used, and actions you have taken within the application. This type of information helps us to improve our Services for both you and for all of our users.

9. Information we collect automatically

When you access the Services or browse our Sites, we collect information about your visit, your usage of the Services and your web browsing. That information may include your IP address, your operating system, your browser ID, your browsing activity and other information about how you interacted with the Sites or other websites. We may collect this information as a part of log files as well as through the use of cookies or other tracking technologies.  Our use of cookies and other similar technologies, such as Google Analytics, is discussed in more detail in our Cookie Statement.

10. Information from other sources

From time to time we may obtain personal information about you (or in the case of business customers, your personnel) from third party sources, such as public databases, social media platforms, third party data providers and our joint marketing partners.  We take steps to ensure that such third parties are legally permitted or required to disclose such information to us. We use this information, alone or in combination with other information (including personal information) we collect, to enhance our ability to provide relevant marketing and content to you and to develop and provide you with more relevant products, features, and services.

11. How we use information

We may use and disclose personal information described in this Policy only to:

  • provide, operate, maintain and support the Services;
  • send system alert messages, for example, we may inform you of temporary or permanent changes to our Services, such as planned outages, new features, version updates, releases, abuse warnings and changes to this Policy;
  • communicate with customers (and business customers’ personnel) about their accounts and provide customer support, training and other requested services;
  • bill and collect money owed to us by customers, including sending emails, invoices, receipts, notices of delinquency etc.;  
  • protect the rights and safety of our customers and third parties, as well as our own;
  • respond to lawful requests by public authorities, including to meet national security or law enforcement requirements;
  • meet legal requirements, including complying with court orders, valid discovery requests, valid subpoenas, and other appropriate legal mechanisms;
  • prosecute and defend a court, arbitration, or similar legal proceeding;
  • provide information to our professional advisors and representatives, such as attorneys and accountants, to help us comply with legal, accounting or security requirements;
  • in the case of personal information of our employees, perform human resources activities such as onboarding, training and payroll;
  • improve our products, technology and Services, including for example, aggregating information from your use of the Services or visits to our Sites and sharing this information with third parties to improve the Services and Sites;
  • send you informational and promotional content in accordance with your marketing preferences (provided you have not unsubscribed from promotional emails);
  • promote use of our Services to you and others, for example to suggest additional features of our Services that you might consider using (again, provided you have not unsubscribed from promotional emails);
  • transfer your information in the case of a sale, merger, consolidation, liquidation, reorganization, or acquisition, provided that (1) any acquirer will be subject to our obligations under this Policy, including your rights to access and choice and (2) we will notify you of the change either by sending you an email or posting a notice on the Sites; and
  • link or combine personal information with other information we collect or obtain about you (such as information we source from our third party partners), to serve you specifically, such as to deliver Services according to your preferences or restrictions, or for advertising or targeting purposes in accordance with this Policy. (Any combination of personal information with other information is treated as personal information under this Policy.)

12. Sharing information within our group and with our service providers

We are headquartered in Canada and operate internationally.  We may share personal information described in this Policy with third-party vendors and service providers who are working on our behalf and require access to your information to carry out that work.  For example, Digital Risk Inc. currently uses cloud services from Microsoft Azure and Google for the infrastructure of its cloud-hosted Services.  These service providers are authorized to use your personal information only as necessary to provide services to Digital Risk Inc. and/or the Services and are bound to contractual obligations to maintain the confidentiality of your information.  Accordingly, you should be aware that your personal information may be processed in countries other than your country of residence, and that those countries may have different privacy and data protection laws than where you reside.

13. Safeguarding personal information

We take reasonable and appropriate measures to protect personal information from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in the processing and the nature of the personal information.  However, no means of processing of personal information is 100% secure and while we comply with our legal obligations, we cannot guarantee absolute security.

14. Information changes and retention

If you are a customer, you may update, correct or delete personal information about you (or your personnel, if a business customer) through your business customer Services administrator or by emailing us.  We will retain personal information that we process on behalf of our customers for as long as the customer’s account is active and as may otherwise be appropriate to fulfill the purposes outlined in this Policy, for example to comply with legal obligations, resolve disputes, prevent abuse and enforce agreements.

15. Social media

(This paragraph applies to our public Sites, not the features or functionality of the Services.)  Our Sites may include social media features.  These features on our Sites may collect information about your IP address and which page you are visiting on our Site, and they may set a cookie to make sure the features function properly. Social media features and widgets are either hosted by a third party or hosted directly on our Site. We also maintain presences on social media platforms. Any information, communications, or materials you submit to us via a social media platform are submitted at your own risk without any expectation of privacy. We cannot control the actions of other users of these platforms or the actions of the platforms themselves.  Your interactions with those features and platforms are governed by the privacy policies of the companies that provide them.

16. Community forums and blogs

We may have public blogs or other forums on our Sites from time to time.  Any information you include in a comment on a public blog may be read, collected and used by anyone. To request removal of your personal information from our blogs or testimonials, contact us at the email address listed above. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.

17. Links to third-party sites and services

Our Sites and Services include links to, or integrations with, other sites and services whose privacy practices may be different from ours. If you submit personal information to any of those sites or services, your information is governed by their privacy policies.

18. Notice for California residents

California Civil Code section 1798.83 permits California residents to request certain information regarding our disclosure of personal information to third parties.  To make such a request, please contact us as provided in paragraph 5.

Notices for European Union Residents

19. Transfers of personal information from the European Union to Canada

As noted above, we and many of our service providers operate internationally. In addition to ensuring those providers are bound by restrictions on use and disclosure of personal information, our agreements with them also reflect the legal mechanisms in place to ensure the transfer of personal information is in compliance with European data protection law.  If the European Union (EU) data protection law applies to the processing of your information, you can exercise your right to request access to, update, remove, and restrict the processing of your information. You also have the right to object to the processing of your information or export your information to another service.

20. Controllers, processors and your GDPR rights

Under the GDPR, a “processor” is a person or entity that processes personal information on behalf of the controller, and the “controller” is the person or entity that determines how and why personal information is processed.  This distinction recognizes that not all persons or entities involved in the processing of personal information have the same degree of responsibility.  In that vein, controllers are typically primarily responsible for managing EU residents’ exercises of their rights under GDPR (“data subject rights”).  Data subject rights include, among others, an individual’s right to access, correct, restrict processing of and/or delete his or her personal information.

21. Our role as a processor for business customers

The Services are intended to be used and managed by the business customer.  In general, we are collecting and processing personal information in connection with a business customer’s use of the Services on behalf of that customer.  In that case, the business customer is acting as the controller and Digital Risk Inc. is acting as a processor according to the business customer’s instructions.  If you are an EU resident and believe Digital Risk Inc. is processing your personal information on behalf of a business customer, and you would like to exercise your data subject rights, please start by contacting the business customer.

22. Our role as a controller

In other cases, such as personal information used by Digital Risk Inc. for management of a customer’s account, invoicing and marketing, Digital Risk Inc. will be the controller with respect to personal information.  If you are an EU resident, in situations where we are the controller of your personal information and you would like to exercise your data subject rights, please contact us as provided in paragraph 5.

23. Legal bases for processing

The GDPR requires that personal information be processed lawfully and outlines specific legal bases for processing.  We describe in paragraphs 6 through 10 above the personal information we may collect, and in paragraph 11 how we may use it.  The legal bases under the GDPR for those uses depend on the personal information collected and the context of its collection.  Digital Risk Inc. has determined a basis for each use, including:

  • performing a contract, or taking steps linked to a contract, such as providing the Services to you if you are an individual customer;
  • subject to our interests not being overridden by your interests and fundamental rights and freedoms, pursuing legitimate interests in the conduct of our business, such as processing the data of our EU employees;
  • processing your personal information where you have provided consent, such as when you submit an online form with your contact information on our Site requesting that we get in touch with you with information on our Services; and
  • complying with legal obligations, such as responding to lawful requests by public authorities.

24. Inquiries and Complaints

For inquiries or complaints regarding this Policy, we request that EU residents first contact Digital Risk Inc. as provided in paragraph 5.  You may also approach your local data protection authority (referred to under the GDPR as your supervisory authority) which can provide further information about your rights and our obligations in relation to your personal information.

CCPA Data Processing Addendum

PRIVACY STATEMENT-CALIFORNIA 

This PRIVACY NOTICE FOR CALIFORNIA RESIDENTS supplements the information contained in the Privacy Statement of Digital Risk Inc. (“Digital Risk Inc.”, “we,” “us,” or “our”) and applies solely to visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and other California privacy laws.  Any terms defined in the CCPA have the same meaning when used in this notice.

25. Information We Collect.

We may collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:

| Category | Examples | Collected |
| --- | --- | --- |
| Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers. | YES |
| Commercial information. | Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories. | YES |

Personal information does not include:

  • Publicly available information from government records.
  • De-identified or aggregated consumer information.
  • Information excluded from the CCPA’s scope, like:
    • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
    • personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

We obtain the categories of information listed above from the following categories of sources:

  • Directly from our Customers or their agents. For example, from documents that our Customers provide to us related to the services we are providing to them.
  • Indirectly from our Customers or their agents. For example, through information we collect from our Customers in the course of providing services to them.
  • Directly and indirectly from activity on our website. For example, from submissions through our website portal or website usage details collected automatically.

26. Use of Personal Information

We may use or disclose the personal information we collect for one or more of the following business purposes:

  • To fulfill or meet the reason for which the information is provided. For example, if you provide us with personal information in order for us to provide our services, we will use that information to maintain the service for you. 
  • To provide you with information, products or services that you request from us.
  • To provide you with email alerts, event registrations and other notices concerning our products or services, or events or news, that may be of interest to you.
  • To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collections.
  • To improve our website and present its contents to you.
  • For testing, research, analysis and product development.
  • As necessary or appropriate to protect the rights, property or safety of us, our customers or others.
  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
  • As described to you when collecting your personal information or as otherwise set forth herein.
  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us is among the assets transferred.

We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

27. Sharing Personal Information

We may disclose your personal information to a third party for a business purpose.  When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract.

28. Your Rights and Choices

The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:

  • The categories of personal information we collected about you.
  • The categories of sources for the personal information we collected about you.
  • Our business or commercial purpose for collecting or selling that personal information.
  • The categories of third parties with whom we share that personal information.
  • The specific pieces of personal information we collected about you (also called a data portability request).
  • If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
    • sales, identifying the personal information categories that each category of recipient purchased; and
    • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.

Deletion Request Rights

You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service providers to:

  1. Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
  2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  3. Debug products to identify and repair errors that impair existing intended functionality.
  4. Exercise free speech and ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
  5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
  6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent.
  7. Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
  8. Comply with a legal obligation.
  9. Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

29. Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by first contacting Digital Risk Inc. as provided in paragraph 5.  

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.  Making a verifiable consumer request does not require you to create an account with us.  We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

30. Response Timing and Format

We will respond to a verifiable consumer request within 45 days of its receipt.  If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.  If you have an account with us, we will deliver our written response to that account.  If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.  Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt.  The response we provide will also explain the reasons we cannot comply with a request, if applicable.  For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded.  If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

31. Changes to Our Privacy Notice

We reserve the right to amend this privacy notice at our discretion and at any time. When we make changes to this privacy notice, we will notify you by email or through a notice on our website homepage.

32. Contact Information

If you have any questions or comments about this notice, our Privacy Statement, the ways in which we collect and use your personal information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

Email: marketing@digitalriskinc.com