SecurityMetrics, Inc. is aware of the privacy concerns of its customers. Our policy for collecting and using personal information is detailed below.
General Data Protection Regulation (“GDPR”), EU-US Privacy Shield & Swiss-US Privacy Shield
Privacy and data security are a top priority at SecurityMetrics. We have implemented policies designed to address GDPR and help us better protect your information.
SecurityMetrics recognizes that the EEA has established strict protections regarding the handling of EEA Personal Data, including requirements to provide adequate protection for EEA Personal Data transferred outside of the EEA. To provide adequate protection for certain EEA Personal Data about Customers received in the US, SecurityMetrics has elected to self-certify to the EU-US Privacy Shield Framework administered by the US Department of Commerce ("Privacy Shield"). SecurityMetrics adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability.
SecurityMetrics also complies with the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from Switzerland.
For purposes of enforcing compliance with the Privacy Shield, SecurityMetrics is subject to the investigatory and enforcement authority of the US Federal Trade Commission. For more information about the Privacy Shield, see the US Department of Commerce's Privacy Shield website located at: https://www.privacyshield.gov. To review SecurityMetrics’ representation on the Privacy Shield list, see the US Department of Commerce's Privacy Shield self-certification list located at: https://www.privacyshield.gov/list
SecurityMetrics collects information about its Customers from Customers and from third parties such as acquiring banks, merchant service providers, and independent sales organizations (collectively “MSPs”), with whom the Customer has a contractual relationship and through its website and related eCommerce services at several points. The data that we collect include:
- SecurityMetrics may collect information related to user information of Customer contacts as part of the services performed for a Customer including name, email address, phone number, address, fax numbers, and other contact information related to the user.
- SecurityMetrics allows Customers to add additional users to a Customer’s account. Customer agrees that SecurityMetrics may allow an MSP from whom it received Customer’s information to be added as an additional user on a user’s account with rights to make changes to the account.
- Payment information provided by the Customer is processed in accordance with PCI DSS guidelines and may be tokenized for future use depending on the services.
- SecurityMetrics also collects data related to a Customer data security as requested by the Customer when purchasing the services. This data includes answers to self-assessment questionnaires, vulnerability scan data, and which security services the Customer purchases.
- SecurityMetrics collects information that is not personally identifiable to the user, such as referring URL addresses, time spent in certain areas of SecurityMetrics’ website, actions taken while on SecurityMetrics’ website, and origination of the user.
- Certain information such as your IP address, browser type, domain names, and access times may also be collected.
- To receive products and services sold or provided by SecurityMetrics, contact information is required for billing, communicating about the services, and to perform the services.
We use information that we collect that Customer’s provide to us, including any personal information to:
- Present our website and its contents to our Customers
- Report certain Customer compliance with data security standards to a Customer’s merchant service provider, health network, or other entity; this reporting requires contact information of an individual at the Customer.
- To provide you with information, products, or services that you request from us.
- To fulfill any other purpose for which you provide it.
- To carry out our obligations and enforce our rights arising from any contracts entered into between the Customer and us.
- To notify Customers of any changes to our website or any products and services that we offer or provide through it.
- To provide data contractually required by regulatory agencies like the Payment Card Industry Security Standards Council (“PCI SSC”), with whom SecurityMetrics is certified as an Approved Scanning Vendor in order to provide certain scanning services.
- To provide notifications regarding the Customer’s services, accounts, fulfillment of transactions, information about SecurityMetrics’ websites, service changes, special offers, legal notices, and newsletters.
- For any other purposes with your consent.
SecurityMetrics may use the information and data submitted by users and customers for any other purposes related to SecurityMetrics’ business that are compatible with the purposes for which your information was collected by SecurityMetrics, including, but not limited to, conducting market research, improving its products and services, sending surveys, and notifying customers of product upgrades and updates, new products, special offers, seminars and conventions and any other changes within SecurityMetrics that may affect customers and users.
We process EEA Personal Data for the purposes stated above. SecurityMetrics will only process EEA Personal Data in ways that are compatible with the purpose that SecurityMetrics collected it for, or for purposes the individual later authorizes. Before we use your EEA Personal Data for a purpose that is materially different than the purpose we collected it for or that you later authorized, we will notify you and provide you with the opportunity to opt out.
Third parties with whom SecurityMetrics Shares Information
SecurityMetrics' policy in relation to information collected through registration, testing, and/or any other means is to respect and protect the privacy and confidentiality of our users. SecurityMetrics does not disclose, rent, or sell email addresses, security test results, or any other information that we may receive to any third party, unless:
- requested by the customer;
- to report compliance and security-related information to the Customer’s merchant service providers as part of the services provided by SecurityMetrics to the Customer;
- requested or required by applicable credit card associations, acquiring banks, credit card processors, credit card acquirers, credit card processors, or merchant service providers with which SecurityMetrics has a contractual agreement;
- in response to duly authorized information requests of governmental authorities or where required by law;
- in connection with any legal proceedings where disclosure of such data has been requested or required; or
- to an agent of SecurityMetrics acting on behalf of SecurityMetrics (e.g., for database hosting, data processing or mailing services). In this case, SecurityMetrics will make certain that the agent complies with the GDPR and Privacy Shield principles (as defined above) and our commitments in this policy.
Under certain circumstances, we may remain liable for the acts of our third-party agents or service providers who perform services on our behalf for their handling of EEA Personal Data that we transfer to them.
Access to Information
SecurityMetrics understands the importance of maintaining accurate information. Data subjects may exercise the following rights:
- Right to Access – SecurityMetrics will provide Customers with the Personal Data collected in association with their account.
- Right to Rectification – SecurityMetrics allows Customers to update their information on SecurityMetrics websites through those websites.
- Right to Erasure: Customers may choose to remove information collected by SecurityMetrics
- Right to be informed – SecurityMetrics will inform the Customer of the Personal Data collected by SecurityMetrics.
- Right to Object – A contact at a Customer may object to SecurityMetrics processing his/her data.
- Right to Restrict Processing – a contact at a Customer may restrict SecurityMetrics’ processing of personal data.
- Right to Data Portability – a contact at a Customer may request that their Personal Data be moved to another company.
- Right to be Informed – a contact at a Customer may request to be informed about the completion of rectification, erasure (before the erasure takes place), or restriction of processing within 30 days of the request.
If you would like to exercise one of these rights, please contact us by email at email@example.com or in writing addressed to SecurityMetrics, Inc., 1275 West 1600 North, Orem, UT 84057. SecurityMetrics will respond to the request within thirty (30) days.
SecurityMetrics retains information for as long as an account is active or as needed to provide the services requested by the Customer, and for five to seven years, depending on the data, after the account is not active. SecurityMetrics will also retain information as needed to comply with legal or tax obligations, comply with industry regulations, resolve disputes, and enforce agreements.
Privacy Questions or Complaints
You can direct any questions or complaints about the use or disclosure of your EEA Personal Data to us at firstname.lastname@example.org. We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of your EEA Personal Data within 30 days of receiving your complaint. For any unresolved complaints, we have agreed to cooperate with our Independent Dispute Resolution Body, JAMS, who will resolve the issue within a reasonable timeframe. JAMS can be reached at: https://www.jamsadr.com/eu-us-privacy-shield.
SecurityMetrics maintains reasonable and appropriate security measures to protect EEA Personal Data from loss, misuse, unauthorized access, disclosure, alteration, or destruction in accordance with the Privacy Shield.
If you do not wish to have your contact information used by SecurityMetrics to promote our own products or services, you can opt-out by checking the relevant box located on the form on which we collect your data or at any other time by sending us an email stating your request to email@example.com. If we have sent you a promotional email, you may send us a return email asking to be omitted from future email distributions, or by following the opt-out instruction in the email. This opt out does not apply to information provided to SecurityMetrics as a result of a(n) product purchase, account updates, product service experience, service expiration, or other transactions.
To access your information, ask questions about our privacy practices, request to limit the disclosure of your personal information, or issue a complaint, contact us at:
1275 W 1600 N
Orem, UT 84057
Effective Date: May 25, 2018
SecurityMetrics, Inc., is a PCI Approved Scanning Vendor under certificate number 3707-01-08 and performs security assessment scans within the guidelines of the PCI data security initiative.
It is important to allow SecurityMetrics security scanners to have the same level of network access to your Internet-connected devices that you provide to the rest of the world under normal circumstances. Users of SecurityMetrics scanning services are encouraged to add rules to their firewalls and inform their ISPs or hosting providers that security assessment scans may originate from the scanning locations listed in the table below. Ensuring that traffic from SecurityMetrics scanners does not get blocked ensures maximum accuracy of the security assessments, which leads to better security. If you have any questions, please contact SecurityMetrics Technical Support.
|IP Ranges||Subnet Mask (Short)||Subnet Mask (Long)|
Note: This table may be updated from time to time without notice.
Do you believe some form of SecurityMetrics scanning service abuse is occurring?
Please email us (firstname.lastname@example.org)