Privacy Policy
Introduction
We respect your privacy and are committed to protecting it through our compliance with this policy.
This policy describes the types of information we may collect from you or that you may provide when you visit the website securitymetrics.com (our "Website") and our practices for collecting, using, maintaining, protecting, and disclosing that information.
This policy applies to information we collect:
- On this Website.
- In email, text, and other electronic messages between you and this Website.
It does not apply to information collected by:
- Us offline or through any other means, including on any other website operated by Company or any third party; or
- Any third party, including through any application or content (including advertising) that may link to or be accessible from or through the Website.
Please read this policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our Website. By accessing or using this Website, you agree to this privacy policy. This policy may change from time to time (see Changes to Our Privacy Policy). Your continued use of this Website after we make changes is deemed to be acceptance of those changes, so please check the policy periodically for updates.
Children Under the Age of 16
Our Website is not intended for children under 16 years of age. No one under age 16 may provide any information to or on the Website. We do not knowingly collect personal information from children under 16. If you are under 16, do not use or provide any information on this Website. If we learn we have collected or received personal information from a child under 16 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 16, please contact us at privacy@securitymetrics.com.
Information You Provide to Us
The information we collect on or through our Website may include:
- Information that you provide by filling in forms on our Website. This includes information provided at the time of registering to use our Website, subscribing to our service, creating an account, or requesting further services. We may also ask you for information when you report a problem with our Website.
- Records and copies of your correspondence (including email addresses) if you contact us.
- Your responses to surveys that we might ask you to complete for research purposes.
- Details of transactions you carry out through our Website and of the fulfillment of your orders. You may be required to provide financial information before placing an order through our Website.
- Your search queries on the Website.
Information We Collect About You and How We Collect It
We collect several types of information from and about users of our Website, including information:
- About your internet connection, the equipment you use to access our Website, and usage details.
- By which you may be personally identified, such as name, postal address, email address, telephone number, or any other identifier by which you may be contacted online or offline ("personal information");
- That is about you but individually does not identify you (e.g. IP address).
- Categories of information we collect are described below:
Some personal information included in this category may overlap with other categories.
We collect this information:
- Directly from you when you provide it to us.
- Automatically as you navigate through the site. Information collected automatically may include usage details, IP addresses, and information collected through cookies, and other tracking technologies.
- From third parties, for example, our business partners.
Information We Collect Through Automatic Data Collection Technologies
As you navigate through and interact with our Website, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions, and patterns, including:
- Details of your visits to our Website, including traffic data, location data, logs, and other communication data and the resources that you access and use on the Website.
- Information about your computer and internet connection, including your IP address, operating system, and browser type.
We also may use these technologies to collect information about your online activities over time and across third-party websites or other online services (behavioral tracking). See the Choices About How We Use and Disclose Your Information section below for more information on how to opt out.
The information we collect automatically is only statistical data and does not include personal information, but we may maintain it or associate it with personal information we collect in other ways or receive from third parties. It helps us to improve our Website and to deliver a better and more personalized service, including by enabling us to:
- Estimate our audience size and usage patterns.
- Store information about your preferences, allowing us to customize our Website according to your individual interests.
- Speed up your searches.
- Recognize you when you return to our Website.
The technologies we use for this automatic data collection may include:
- Cookies (or browser cookies). A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting you may be unable to access certain parts of our Website. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Website.
- Web Beacons. Pages of our Website [and our emails] may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit the Company, for example, to count users who have visited those pages or [opened an email] and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).
Third-Party Use of Cookies
Some content or applications, including advertisements, on the Website are served by third parties, including advertisers, ad networks and servers, content providers, and application providers. These third parties may use cookies alone or in conjunction with web beacons or other tracking technologies to collect information about you when you use our Website. The information they collect may be associated with your personal information, or they may collect information, including personal information, about your online activities over time and across different websites and other online services. They may use this information to provide you with interest-based (behavioral) advertising or other targeted content.
We do not control these third parties' tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly. For information about how you can opt out of receiving targeted advertising from many providers, see Choices About How We Use and Disclose Your Information.
How We Use Your Information
We use information that we collect about you or that you provide to us, including any personal information:
- To present our Website and its contents to you.
- To provide you with information, products, or services that you request from us.
- To fulfill any other purpose for which you provide it.
- To provide you with notices about your account and services, including expiration and renewal notices.
- To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection.
- To notify you about changes to our Website or any products or services we offer or provide through it.
- To report certain Customer compliance with data security standards to third parties as part of the Services we provide to you.
- To provide information required by the Payment Card Industry Security Standards Council, the body that certifies Approved Scanning Vendors, as which SecurityMetrics must be certified in order to provide ASV scanning services.
- In any other way we may describe when you provide the information.
- For any other purpose with your consent.
We may also use your information to contact you about our own goods and services that may be of interest to you.
Disclosure of Your Information
We may disclose aggregated information about our users, and information that does not identify any individual, without restriction.
We may disclose personal information that we collect or you provide as described in this privacy policy:
- To our subsidiaries and affiliates.
- To contractors, service providers, and other third parties we use to support our business, and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them.
- To credit card associations, acquiring banks, credit card processors, or merchant service providers, to which SecurityMetrics is either required to provide information under the PCI DSS or with which SecurityMetrics has a contractual agreement.
- To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of SecurityMetrics’ assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by SecurityMetrics about our Website users is among the assets transferred.
- To fulfill the purpose for which you provide it.
- For any other purpose disclosed by us when you provide the information.
- With your consent.
We may also disclose your personal information:
- To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
- To enforce or apply our terms of use and other agreements, including for billing and collection purposes.
- If we believe disclosure is necessary or appropriate to protect the rights, property, or safety of SecurityMetrics, our customers, or others.
The categories of personal information we may disclose include:
Choices About How We Use and Disclose Your Information
We strive to provide you with choices regarding the personal information you provide to us. We have created mechanisms to provide you with the following control over your information:
- Tracking Technologies and Advertising. You can set your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. You can also manage your cookie preferences on our Website by clicking on the relevant banner on the bottom of the site. If you disable or refuse cookies, please note that some parts of this site may then be inaccessible or not function properly.
- Disclosure of Your Information for Third-Party Advertising. If you do not want us to share your personal information with unaffiliated or non-agent third parties for promotional purposes, you can opt-out by managing your cookie preferences on our Website. You can also always opt-out by sending us an email with your request to privacy@securitymetrics.com.
- Promotional Offers from the Company. If you do not wish to have your email address used by the Company to promote our own or third parties' products or services, you can opt-out by logging into the Website and adjusting your user preferences in your account profile or replying directly to the promotional email. If we have sent you a promotional email, you may send us a return email asking to be omitted from future email distributions. This opt out does not apply to information provided to the Company as a result of a product purchase, warranty registration, product service experience or other transactions.
- Targeted Advertising. If you do not want us to use information that we collect or that you provide to us to deliver advertisements according to our advertisers' target-audience preferences, you can opt-out by replying to the promotional email or managing your cookie preferences or disabling cookies through your browser.
We do not control third parties' collection or use of your information to serve interest-based advertising. However, these third parties may provide you with ways to choose not to have your information collected or used in this way. You can opt out of receiving targeted ads from members of the Network Advertising Initiative ("NAI") on the NAI's website.
Residents of certain states, such as California, Nevada, Colorado, Connecticut, Virginia, and Utah may have additional personal information rights and choices. Please see Your State Privacy Rights for more information.
Accessing and Correcting Your Information
You can review and change your personal information by logging into the Website and visiting your account profile page.
You may also send us an email at privacy@securitymetrics.com to request access to, correct or delete any personal information that you have provided to us. We cannot delete your personal information except by also deleting your user account. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect.
Residents of certain states, such as California, Nevada, Colorado, Virginia, and Utah may have additional personal information rights and choices. Please see Your State Privacy Rights for more information.
Your State Privacy Rights
Colorado, Connecticut, Virginia, and Utah each provide their state residents with rights to:
- Confirm whether we process their personal information.
- Access and delete certain personal information.
- Data portability.
- Opt-out of personal data processing for targeted advertising and sales.
Colorado, Connecticut, and Virginia also provide their state residents with rights to:
- Correct inaccuracies in their personal information, taking into account the information's nature and processing purpose.
- Opt-out of profiling in furtherance of decisions that produce legal or similarly significant effects.
To exercise any of these rights, please contact us by:
- Calling us at 801.705.5700
- Emailing us at privacy@securitymetrics.com
- Visiting https://www.securitymetrics.com/gdpr-rights-request
To appeal a decision regarding a consumer rights request, contact privacy@securitymetrics.com.
Nevada provides its residents with a limited right to opt-out of certain personal information sales. However, please know we do not currently sell data triggering that statute's opt-out requirements.
California State Privacy Rights:
Right to Know and Data Portability
You have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months (the "right to know"). Once we receive your request and confirm your identity (see Exercising Your Rights to Know or Delete), we will disclose to you:
- The categories of personal information we collected about you.
- The categories of sources for the personal information we collected about you.
- Our business or commercial purpose for collecting or selling that personal information.
- The categories of third parties with whom we share that personal information.
- If we sold or disclosed your personal information for a business purpose, two separate lists disclosing:
  - sales, identifying the personal information categories that each category of recipient purchased; and
  - disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
- The specific pieces of personal information we collected about you (also called a data portability request).
Right to Delete
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions (the "right to delete"). Once we receive your request and confirm your identity (see Exercising Your Rights to Know or Delete), we will review your request to see if an exception allowing us to retain the information applies. We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
- Complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
We will delete or deidentify personal information not subject to one of these exceptions from our records and will direct our service providers to take similar action.
Exercising Your Rights to Know or Delete
To exercise your rights to know or delete described above, please submit a request by either:
- Calling us at 801.705.5700
- Emailing us at privacy@securitymetrics.com
- Visiting https://www.securitymetrics.com/gdpr-rights-request
Only you, or someone legally authorized to act on your behalf, may make a request to know or delete related to your personal information.
You may only submit a request to know twice within a 12-month period. Your request to know or delete must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, which may include:
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.
You do not need to create an account with us to submit a request to know or delete.
We will only use personal information provided in the request to verify the requestor's identity or authority to make it.
For instructions on exercising your sale opt-out or opt-in rights, see Personal Information Sales Opt-Out and Opt-In Rights.
Response Timing and Format
We will confirm receipt of your request within ten (10) business days. If you do not receive confirmation within the 10-day timeframe, please contact privacy@securitymetrics.com.
We endeavor to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing.
If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.
Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Personal Information Sales Opt-Out and Opt-In Rights
We do not sell personal information of our Customers.
Data Security
We have implemented measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure.
The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a password for access to certain parts of our Website, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted to our Website. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Website.
EU-US Data Privacy Framework and Swiss-US Data Privacy Framework
SecurityMetrics complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. SecurityMetrics has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. SecurityMetrics has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/
For purposes of enforcing compliance with the DPF, SecurityMetrics is subject to the investigatory and enforcement authority of the US Federal Trade Commission. For more information about the DPF, see the US Department of Commerce's DPF website located at: https://www.dataprivacyframework.gov/s/. To review SecurityMetrics’ representation on the DPF list, see the US Department of Commerce's DPF self-certification list located at: https://www.dataprivacyframework.gov/s/participant-search.
DPF Questions or Complaints
In compliance with EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, SecurityMetrics commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact us at privacy@securitymetrics.com. We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of your EEA Personal Data within 45 days of receiving your complaint. For any unresolved complaints, we have agreed to cooperate with our Independent Dispute Resolution Body, the EU Data Protection Authorities, who will resolve the issue within a reasonable timeframe. These EU Data Protection Authorities can be reached at: https://edps.europa.eu.
SecurityMetrics has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved DPF complaints concerning data transferred from the EU and Switzerland.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, SecurityMetrics commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.
Binding Arbitration
Under certain circumstances, we may remain liable for the acts of our third-party agents or service providers who perform services on our behalf for their handling of EEA Personal Data that we transfer to them.
Customer may have the option to select binding arbitration for the resolution of Customer’s complaint under certain circumstances, provided you have taken the following steps: (1) raised your complaint directly with SecurityMetrics and provided us the opportunity to resolve the issue; (2) made use of the independent dispute resolution mechanism identified above; and (3) raised the issue through the relevant data protection authority and allowed the US Department of Commerce an opportunity to resolve the complaint at no cost to you. For more information on binding arbitration, see https://www.dataprivacyframework.gov/s/key-requirements.
Changes to Our Privacy Policy
We may make changes to this policy to comply with applicable laws, regulations, or other privacy practices. It is our policy to post any changes we make to our privacy policy on this page with a notice that the privacy policy has been updated on the Website home page. If we make material changes to how we treat our users' personal information, we will notify you through a notice on the Website home page. The date the privacy policy was last revised is identified at the top of the page.
Contact Information
If you have any questions or comments about this notice, the ways in which SecurityMetrics collects and uses your information described here, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:
Phone: 801.705.5700
Website: https://www.securitymetrics.com/contact
Email: privacy@securitymetrics.com
Postal Address:
SecurityMetrics, Inc.
1275 W. 1600 N.
Orem, UT 84057
USA
SecurityMetrics Terms of Use Agreement
The following terms and conditions (collectively "Terms of Use Agreement") are entered into by and between You, the customer ("Customer" or "you"), and SecurityMetrics, Inc., a Utah corporation ("SecurityMetrics"). The Terms of Use Agreement relates to SecurityMetrics' compliance and data security programs and services, which may include but are not limited to Payment Card Industry Data Security Standard ("PCI DSS"), Health Insurance Portability and Accountability Act ("HIPAA"), Managed Firewall, and other data security and compliance services (collectively "Services"). The Terms of Use Agreement also applies to all content, functionality, and services offered or purchased on or through www.securitymetrics.com (the "Website"). By use of any Services or the Website, you accept and agree to all conditions imposed in this Terms of Use Agreement. Note: THIS TERMS OF USE AGREEMENT CONTAINS ARBITRATION, WARRANTIES, AND LIMITATION OF LIABILITY CLAUSES THAT AFFECT YOUR RIGHTS UNDER THIS TERMS OF USE AGREEMENT WITH RESPECT TO ALL SERVICES.
Services
You may select some or all of the following Services:
PCI Compliance
If you have selected service packages that contain PCI Compliance Services, then that package may include, but is not limited to, all or some of the Services listed below.
- Help you determine the scope of the applicable PCI Compliance requirements. You alone are responsible for determining the scope of your PCI Compliance requirements. SecurityMetrics will not be liable for any mistake or error in determining the scope;
- Provide you with a copy of the self-assessment questionnaire determined by the scope determined above and help understanding the questions, if needed;
- Provide vulnerability scanning on IP addresses or domains specified and provided by the Customer; all vulnerability scanning is done in accordance with Warranties and Limitation of Liabilities Sections of this Terms of Use;
- Provide Customer with access to scan results and copies of the self-assessment questionnaire;
- Report the status of the self-assessment questionnaire and vulnerability scans via SecurityMetrics website;
- Service Warranty (described below);
- One or more, depending on the invoice, non-exclusive, non-transferable license(s) of PANscan® during the term of this Terms of Use. PANscan® is SecurityMetrics' software that finds unencrypted credit card numbers on computer systems;
- One or more, depending on the invoice, non-exclusive, non-transferable license(s) of PIIscan® during the term of this Terms of Use. PIIscan® is SecurityMetrics' software that finds unencrypted personally identifiable information on computer systems;
- SecurityMetrics Mobile, a software application that scans mobile devices for vulnerabilities;
- Seats to PCI Compliance trainings; and
- Technical support.
HIPAA
If you have selected service packages that contain HIPAA Compliance Services, then that package may include, but is not limited to, all or some of the Services listed below:
- Help you determine a map of the Protected Health Information ("PHI") – as defined by 45 C.F.R. part 164 and subparts A and B of part 160 – contained on your systems. You alone are responsible for determining what, how much, and where PHI is located on your systems. SecurityMetrics will not be liable for any mistake or error in determining your PHI map.
- Provide a template of a general risk analysis document that inventories the hardware, software, policies, and procedures put in place by you.
- Provide a template of a risk management plan document.
- Vulnerability scanning on IP addresses or domains specified and provided by the Customer.
- Business Associate Agreement;
- Service Warranty (described below);
- One or more, depending on the invoice, non-exclusive, non-transferable license(s) of PANscan® during the term of this Terms of Use Agreement. PANscan® is SecurityMetrics' software that finds unencrypted credit card numbers on computer systems;
- SecurityMetrics Mobile, a software application that scans mobile devices for vulnerabilities;
- Seats to SecurityMetrics trainings; and
- Technical support.
Managed Firewall Services
Managed Firewall Services is part of a PCI Compliance service package. If you have selected service packages that contain Managed Firewall Services, then that package may include, but is not limited to, some or all of the following:
- SecurityMetrics will provide you with some equipment that contains a firewall, managed by SecurityMetrics ("Managed Equipment"). The firewall may be managed by SecurityMetrics:
  - Monitoring the hardware and the firewall,
  - Updating and patching the firewall,
  - Maintaining logs at SecurityMetrics' discretion, and
  - Providing Customer support.
- The Managed Equipment also has internal vulnerability scanning capability to scan your internal network. All vulnerability scanning is performed in accordance with Warranties and Limitation of Liabilities Sections of this Terms of Use Agreement.
- SecurityMetrics may also provide another piece of equipment ("Failover Equipment") that supports 3G or 4G failover in case the internet connection of the Managed Equipment is not working or down. You are responsible for purchasing any secure digital ("SD") cards required for the 3G or 4G wireless access to function.
- SecurityMetrics or other third parties own and retain all rights to the hardware, software, and firmware of the Managed Services, Managed Equipment, and Failover Equipment. The hardware will not be deemed fixtures or in any way part of your premises. SecurityMetrics may remove or change the hardware at SecurityMetrics' sole discretion at any time. You may not sell, lease, abandon, or give away the hardware. The hardware may only be used on the premises that you and SecurityMetrics configured the hardware for during the initial set-up call. YOU UNDERSTAND AND ACKNOWLEDGE THAT IF YOU MOVE, INSTALL, OR USE THE HARDWARE OR MANAGED FIREWALL SERVICES AT A LOCATION OTHER THAN THE PREMISES FOR WHICH IT WAS SET UP, THEN THE SERVICES AND HARDWARE MAY NOT FUNCTION PROPERLY.
- SecurityMetrics has no obligation to provide support, maintenance, or repair of any hardware or software not owned by SecurityMetrics.
Changes to Services or Rates
SecurityMetrics reserves the right to change the Services, prices, or charges at any time without notice. If you do not accept these changes, you have the right to cancel the Services, but cancellation fees may apply. If you continue to use these services after receiving notice of a change in services, prices, or charges, it will be determined that you understand and accept the changes.
Changes to the Terms of Use Agreement
We may revise and update this Terms of Use Agreement from time to time in our sole discretion. All changes are effective immediately when SecurityMetrics posts them, and apply to all access to and use of the Website thereafter. Your continued use of the Website and the Services following the posting of a revised Terms of Use Agreement means that you accept and agree to the changes. You are expected to check this page so you are aware of any changes, as they are binding on you.
Prohibited Uses
Users are strictly forbidden to use the Services or the Website to perform security tests on computers, servers, or devices that they do not have permission or authorization to test. If Customer uses a third party hosting service, Customer must notify the service and receive permission for SecurityMetrics to perform security testing. Customer agrees to hold SecurityMetrics harmless for any failure to obtain any necessary permission.
Customer may not use the Services or the Website:
- In any way that violates any applicable federal, state, local, or international law or regulation (including, without limitation, any laws regarding the export of data or software to and from the US or other countries).
- For the purpose of exploiting, harming, or attempting to exploit or harm minors in any way by exposing them to inappropriate content, asking for personally identifiable information or otherwise.
- To impersonate or attempt to impersonate SecurityMetrics, a SecurityMetrics employee, another user, or any other person or entity (including, without limitation, by using email addresses associated with any of the foregoing).
- To transmit, or procure the sending of, any advertising or promotional material including any junk mail, chain letter, or spam or any other similar solicitation.
- To engage in any other conduct that restricts or inhibits anyone's use or enjoyment of SecurityMetrics Websites, or may harm SecurityMetrics or any of its users.
Additionally, you agree not to:
- Use any robot, spider, or other automatic device, process, or means to access this Website for any purpose, including monitoring or copying any of the material on the Website.
- Introduce any viruses, Trojan horses, worms, logic bombs or other material which is malicious or technologically harmful.
- Attack the Website via a denial-of-service attack or a distributed denial-of-service attack.
- Attempt to gain unauthorized access to, interfere with, damage or disrupt any parts of the Website or any user's use of the Website.
- Otherwise attempt to interfere with the proper working of the Website.
Enrollment
By creating a user name or accessing and using the SecurityMetrics Website, Customer agrees to be bound by this Terms of Use Agreement. Customer hereby requests SecurityMetrics to perform security testing Services as outlined in the SecurityMetrics invoice previously generated by Customer ("Invoice"), as well as any additional services Customer subsequently requests, pursuant to this Terms of Use Agreement. Customer assumes sole responsibility and liability for any problems or liabilities arising out of any failure to provide SecurityMetrics with all of Customer's IP addresses and/or domain names that should be tested. SecurityMetrics has the right to change the Services and its prices at any time; SecurityMetrics will use good faith efforts to notify Customer of such changes via e-mail or other written notice.
Term
By using this Website, you agree to this Terms of Use Agreement. This Terms of Use Agreement is effective upon your access to the Website or agreement to abide by it and will continue in effect for one (1) year, unless Customer has purchased packages including Managed Firewall services. If you have selected service packages that contain Managed Firewall Services, then this Terms of Use Agreement will remain in effect for three (3) years. If Customer is purchasing online Compliance services, this Terms of Use Agreement shall automatically renew for successive one-year terms. Only Customer or SecurityMetrics may terminate this Terms of Use Agreement at any time upon written notice, with or without cause. Customer agrees that SecurityMetrics may contact Customer in furtherance of the automatic renewal of the Services.
Intellectual Property
SecurityMetrics will provide Customer with written or online reports, data, policies, templates, checklists, and other materials (collectively, "Materials") in connection with the Services. Customer agrees that all intellectual property rights in the Materials, including trade secrets, copyrights, patents and trademarks, are exclusively owned by SecurityMetrics and its licensors. Customer shall hold in confidence all Materials marked as "confidential" and shall use the Materials solely for the purposes for which they are disclosed. All Materials are licensed to Customer only for its own use and Customer does not have any rights to copy, distribute or make derivative works of the Materials without the prior written authorization of SecurityMetrics. Dissemination, distribution, copying or use of the Materials in whole or in part by a SecurityMetrics competitor or their agents is strictly prohibited.
Payment
Customer agrees to pay all charges for the Services provided to Customer, unless Customer's acquirer, payment processor, or other entity has entered into an agreement with SecurityMetrics to pay for those services. If Customer's acquirer, processor or other entity has an agreement with SecurityMetrics to pay for the Services, then Customer authorizes its acquiring bank or other merchant service provider to bill Customer for the Services. If Customer has provided SecurityMetrics with credit card information ("Card Information"), Customer authorizes SecurityMetrics to charge Customer the price of the Services, as provided in the invoice or order confirmation sent by SecurityMetrics, using the Card Information. Customer also authorizes SecurityMetrics to charge any cancellation fee associated with the cancellation of the Services. If Customer is purchasing online Compliance services, Customer also authorizes SecurityMetrics to automatically charge the price of Services for each renewal term of this Agreement using the Card Information. Customer agrees to give SecurityMetrics prompt notice of any changes to the Card Information.
Cancellation Fee.
For Customers that have purchased packages of services that contain Managed Firewall Services, a cancellation fee will apply if Customer cancels the Managed Firewall Services before the end of the three-year term. The cancellation fee will cover the costs of hardware and the setup fees and may vary depending on the circumstances of the cancellation.
Collection Costs.
If SecurityMetrics uses a collection agency or attorney to collect money owed by you, you agree to pay the reasonable costs of collection, including, but not limited to, any collection agency's fees, reasonable attorneys' fees, and arbitration or court costs.
Refund Policy.
If an acquirer or merchant service provider pays for the Services, refunds may not apply. Refunds for the unused portion of services may be obtained by contacting the Account Renewals team at SecurityMetrics. Refunds will be processed within 5 business days.
SecurityMetrics owns and operates the servers that host this web site. Contact information for SecurityMetrics may be obtained by clicking the "Contact Us" link at the top of any page.
Accuracy of Information
Customer's compliance depends entirely upon the accuracy of information provided to SecurityMetrics by Customer. Customer agrees that if Customer provides incomplete or inaccurate information this may affect the Services and Customer's compliance status, and SecurityMetrics will not be held liable for any damages incurred as a result of incomplete or inaccurate information provided by Customer. A scan result from SecurityMetrics only indicates the compliance status of the systems that SecurityMetrics has scanned and does not represent Customer's overall compliance status with the PCI Data Security Standards. Customer also agrees to give SecurityMetrics prompt notice if any information affecting data security previously provided to SecurityMetrics has changed, is changing or will change. Customer understands and agrees that any threat designated as a false positive by Customer is done at Customer's own risk. In no event shall SecurityMetrics be liable for any damages incurred by Customer as a result of Customer's designation of a threat as a false positive.
Communications
Customer authorizes SecurityMetrics to contact Customer through email, phone or fax to notify Customer of changes in Customer's compliance status or Services. Customer also authorizes SecurityMetrics to contact Customer in regards to payment, renewal, cancellation, or the Services.
Reliance on Information Posted
The information presented on or through the Website is made available solely for general information purposes. SecurityMetrics does not warrant the accuracy, completeness or usefulness of this information. Any reliance you place on such information is strictly at your own risk. SecurityMetrics disclaims all liability arising from any reliance placed on such materials by you or any other visitor to the Website or by anyone who may be informed of any of its contents.
Information About You and Your Visits to the Website
All information we collect on this Website is subject to our Privacy Policy, which can be found at: https://www.securitymetrics.com/terms-of-service#privacy. By using the Website, you consent to all actions taken by us with respect to your information in compliance with the Privacy Policy.
Limited Warranty
DUE TO THE NATURE OF THE COMPUTER SECURITY BUSINESS, NO SECURITY COMPANY CAN GUARANTEE THAT IT WILL DETECT EVERY VULNERABILITY OR SECURITY PROBLEM. SECURITYMETRICS PROVIDES ITS SERVICES ON AN "AS IS" BASIS AND WITHOUT ANY WARRANTIES WHATSOEVER. SECURITYMETRICS DISCLAIMS ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE, WITH RESPECT TO ITS SERVICES, MATERIALS AND PRODUCTS. SECURITYMETRICS DOES NOT WARRANT THAT THE SERVICES WILL DETECT EVERY VULNERABILITY ON CUSTOMER'S SYSTEM, OR THAT SECURITYMETRICS' VULNERABILITY ASSESSMENTS, SUGGESTED SOLUTIONS OR ADVICE WILL BE ERROR-FREE OR COMPLETE. CUSTOMER AGREES THAT SECURITYMETRICS SHALL NOT BE RESPONSIBLE OR LIABLE FOR THE ACCURACY OR USEFULNESS OF ANY INFORMATION PROVIDED BY IT, OR FOR ANY USE OF SUCH INFORMATION.
Limitation of Liability
Customer acknowledges that use of the Services does not guarantee compliance with the PCI DSS, the HIPAA Standard, or any other security or privacy standards, or that its Systems are secure from unauthorized access. This is due to, and Customer acknowledges that, the Services being dependent upon multiple variables, which include the information provided by Customer, and Customer's level of cooperation with policies regarding compliance with the PCI DSS or the validation thereof.
CUSTOMER ACKNOWLEDGES THAT THE RATE OF BRINGING CUSTOMER AND ITS SYSTEM IN COMPLIANCE WITH PCI DSS OR HIPAA IS DEPENDENT UPON MULTIPLE VARIABLES, WHICH INCLUDE CUSTOMER'S LEVEL OF COOPERATION WITH POLICIES REGARDING COMPLIANCE. UNDER NO CIRCUMSTANCES SHALL SECURITYMETRICS, ITS AFFILIATES OR THEIR LICENSORS, SERVICE PROVIDERS, EMPLOYEES, AGENTS, OFFICERS, OR DIRECTORS BE LIABLE FOR DAMAGES OF ANY KIND, UNDER ANY LEGAL THEORY, ARISING OUT OF OR IN CONNECTION WITH CUSTOMER'S USE, OR INABILITY TO USE, THE WEBSITE, ANY WEBSITES LINKED TO IT, ANY CONTENT ON THE WEBSITE OR SUCH OTHER WEBSITES OR ANY SERVICES ON OR OBTAINED THROUGH THE WEBSITE, DELAY IN BECOMING OR CUSTOMER'S FAILURE TO BECOME COMPLIANT. IN NO EVENT SHALL SECURITYMETRICS OR ITS AGENTS BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO, PERSONAL INJURY, PAIN AND SUFFERING, EMOTIONAL DISTRESS, LOSS OF REVENUE, LOSS OF PROFITS, LOSS OF BUSINESS OR ANTICIPATED SAVINGS, LOSS OF USE, LOSS OF GOODWILL, LOSS OF DATA, AND WHETHER CAUSED BY TORT (INCLUDING NEGLIGENCE), BREACH OF CONTRACT OR OTHERWISE, EVEN IF FORESEEABLE.
THE FOREGOING DOES NOT AFFECT ANY LIABILITY WHICH CANNOT BE EXCLUDED OR LIMITED UNDER APPLICABLE LAW.
Limitation of Action. No action arising out of this Terms of Use Agreement, regardless of the form of action, may be brought by Client more than one year after the action accrued.
Indemnification
You agree to defend, indemnify and hold harmless SecurityMetrics, its affiliates, licensors and service providers, and its and their respective officers, directors, employees, contractors, agents, licensors, suppliers, successors and assigns from and against any claims, liabilities, damages, judgments, awards, losses, costs, expenses or fees (including reasonable attorneys' fees) arising out of or relating to your violation of this Terms of Use Agreement or your use of the Website, including, but not limited to any use of the Website's content, services and products other than as expressly authorized in this Terms of Use Agreement or your use of any information obtained from the Website.
Arbitration
Excluding Customer Complaints regarding SecurityMetrics' Privacy Policy and the Terms and Conditions therein, SecurityMetrics may require you, at SecurityMetrics' sole discretion, to submit any disputes arising from the use of this Terms of Use Agreement or the Website, including disputes arising from or concerning their interpretation, violation, invalidity, non-performance, or termination, to final and binding arbitration under the Rules of Arbitration of the American Arbitration Association applying Utah law.
General Provisions
SecurityMetrics reserves the right to modify this Terms of Use Agreement at any time without notice. This Terms of Use Agreement will be construed in accordance with and governed by the laws of the State of Utah and applicable U.S. federal laws, without regard to conflicts of laws provisions. Jurisdiction and venue for any actions arising under or relating in any way to this Terms of Use Agreement will vest exclusively in the courts of general jurisdiction of the State of Utah. This is the sole agreement between the parties concerning its subject matter. If any term of this Terms of Use Agreement is found void or unenforceable, all other terms shall remain in full force and effect. Customer may not assign this Terms of Use Agreement without SecurityMetrics' written consent. SecurityMetrics and Customer agree to the terms of the Privacy Policy posted on the SecurityMetrics.com Website with respect to the use and protection of Customer's data.
The headings of this Terms of Use Agreement are for convenience and ease of reference only, and shall not be used to construe, interpret, expand, or limit the terms and conditions of this Terms of Use Agreement.
No waiver of any Terms of Use Agreement right will be effective unless in writing signed by an authorized representative of the waiving party. No waiver of a right arising from any breach or failure to perform will be deemed a waiver of any future right.
No person or entity, whether or not mentioned or referred to in this Terms of Use Agreement, other than Customer and SecurityMetrics and their permitted successors and assigns, will be considered to be a third-party beneficiary of or entitled to assert any rights under this Terms of Use Agreement.
None of the information contained within our Services, or within the content SecurityMetrics makes available through our Services, should be regarded as Legal Advice. The distribution and publication of our Services, and the content made available with our Services, does not create an attorney-client relationship between Customer and SecurityMetrics.
SecurityMetrics reserves the right to modify or terminate the Services and SecurityMetrics' Websites or to terminate Customer's access to the Services and SecurityMetrics' Website, in whole or in part, at any time.
PREMIUM SERVICE WARRANTY ("BREACH PROTECTION").
The following Premium Service Warranty ("PSW") applies to Customers who have purchased Services that also contain a premium service warranty.
- The Warranty.
- SecurityMetrics will provide a PSW to merchants or entities in the health industry (collectively "Merchants") that have purchased service packages that include a premium service warranty. This PSW provision modifies the Limited Warranty provision set forth above for those Merchants that are enrolled in and have purchased a service package that includes a PSW. SecurityMetrics represents and warrants that SecurityMetrics PCI DSS and HIPAA compliance Services will be performed in accordance and comply with the PCI DSS as amended or HIPAA as amended from time to time. SecurityMetrics provides a PSW to a Merchant only for Services actually purchased by the Merchants.
- Exclusions. This PSW excludes incorrect data, information, or policies provided by the Merchant, zero-day vulnerabilities, and Customer-labeled false positives identified by SecurityMetrics' scanning engine. The PSW does not apply to SecurityMetrics Managed Firewall Services, any security and privacy trainings sold by SecurityMetrics, and any services performed by a Qualified Security Assessor, Payment Application Qualified Security Assessor, Point-to-Point Encryption Qualified Security Assessor, Payment Card Industry Forensic Investigator, penetration tester, or an employee supervised by one of the above-mentioned specialists.
- A Merchant that is enrolled in SecurityMetrics' PCI or HIPAA compliance services that includes a PSW, and suffers a data breach as a result of a failure of such SecurityMetrics' Services, will be reimbursed by SecurityMetrics for certain expenses described in Section 2 below and subject to all other terms and conditions in this Terms of Use Agreement. The foregoing sets forth SecurityMetrics' sole liability and a Merchant's sole remedy for any data breach while enrolled with a PSW Service.
- A Merchant's credit card processor, acquiring bank, independent sales organization, or merchant services provider (collectively "Acquirer") may contract and/or pay SecurityMetrics for the PCI compliance Services, for which SecurityMetrics provides the PSW.
- Reimbursement Limitations.
- The PSW is not available to level 1 Merchants, as level 1 Merchants are defined by the card brands. The PSW is only available to Merchants located in the United States and Canada and that have enrolled in and paid (or whose Acquirer has paid) SecurityMetrics for the Services described in this Terms of Use Agreement or an applicable Statement of Work. The PSW reimburses a Merchant up to $100,000 (the "PSW Limit") per Merchant identification number (or other mutually agreed upon form of identification), subject to the terms and limitations described more fully below. SecurityMetrics will reimburse Merchants only for the following costs and expenses actually incurred as a result of a failure of SecurityMetrics' Services to comply with PCI DSS and HIPAA, and that are timely reported according to Section 5 below by Merchants in connection with a properly reported data breach:
- Penalties or fines charged to Merchant by Visa, MasterCard, Discover, American Express, or JCB directly or through an Acquirer. A fine or penalty by a card brand must not exceed the maximum monetary assessment, fine, fee, or penalty permitted by applicable rules or agreements in effect as of the inception date of this Terms of Use Agreement.
- Costs of a forensic investigation conducted by a PCI Forensic Investigator approved by the PCI Security Standards Council.
- The costs associated with replacing credit cards that were compromised in a breach.
- Any GLBA or HIPAA regulatory penalty or fine charged to a Merchant by a governmental regulatory agency or body.
- The cost of an audit to determine the cause or extent of a GLBA or HIPAA violation.
- If approved in writing by SecurityMetrics, notification costs, victim cost reimbursement, or identity theft monitoring and services.
- The Program is Not Insurance.
- The PSW is not insurance. Neither Merchants nor any other entity with which the Merchant has a relationship receives insurance as a result of the PSW or this Terms of Use Agreement. Neither the Merchant nor any other entity with which the Merchant has a relationship is an "insured" or beneficiary under any insurance policy. Nothing in the PSW or this Terms of Use Agreement creates an insurance relationship between Acquirer or the merchant and AIG (or any other AIG affiliate). SecurityMetrics is not providing Merchants or any entity with which Merchants have a relationship with insurance pursuant to a contractual agreement.
- The Program Limit.
- The PSW Limit is the most any Merchant can recover for each merchant identification number (or other mutually agreed upon form of identification) during a twelve (12) month period for any or all such costs or expenses, combined, and regardless of the number of data security events discovered or regulatory actions taken.
- Notification.
- Merchants are required to provide SecurityMetrics notice within thirty (30) days of discovery or suspicion of a breach or compromise. A Merchant is required to provide SecurityMetrics with any documentation, invoice, or other evidence required by SecurityMetrics within thirty (30) days after receipt of this documentation, invoice, or other evidence.
- Reporting.
- The PSW reimburses Merchants only if a Merchant provides a timely (within 30 days) notification and complete report of a data security event or regulatory action as soon as the Merchant becomes aware of such event or action. Merchants will need to provide details on the data security event or regulatory action including, but not limited to: a complete description of the data security event or regulatory action, all documents relating to the data security event or regulatory action, and any other pertinent information requested by or on behalf of SecurityMetrics. To report a data security event or regulatory action under the Program, contact SecurityMetrics at: Breach_Reporting@securitymetrics.com.
- Reimbursement Process.
- Merchants must provide invoices of costs described in Section 1 above to SecurityMetrics in a timely manner (within 30 days). Merchants may email SecurityMetrics at the email address above, or send them by certified mail to 1275 West 1600 North, Orem, Utah 84057.
- Once an invoice is received by SecurityMetrics, SecurityMetrics will determine whether the PSW applies to the Merchant's breach or compromise. If SecurityMetrics determines that the PSW applies and SecurityMetrics will reimburse the Merchant in accordance with the PSW terms, then SecurityMetrics will provide the Merchant with the reimbursement in a reasonable time. If SecurityMetrics determines that the PSW doesn't apply, then SecurityMetrics will notify the Merchant that no reimbursement is available.
- Limitation of Liability for the Program.
- Merchants assume sole responsibility and liability for making timely and complete claims under the PSW, providing necessary or requested data and information, and otherwise complying with the terms and conditions set forth in the PSW.
Scanning Abuse
SecurityMetrics, Inc., is a PCI Approved Scanning Vendor under certificate number 3707-01-08 and performs security assessment scans within the guidelines of the PCI data security initiative.
Scanners
It is important to allow SecurityMetrics security scanners to have the same level of network access to your Internet-connected devices that you provide to the rest of the world under normal circumstances. Users of SecurityMetrics scanning services are encouraged to add rules to their firewalls and inform their ISPs or hosting providers that security assessment scans may originate from the scanning locations listed in the table below. Ensuring that traffic from SecurityMetrics scanners does not get blocked ensures maximum accuracy of the security assessments, which leads to better security. If you have any questions, please contact SecurityMetrics Technical Support.
SecurityMetrics Scanners
- IP Ranges: 162.211.152.1-255
- Subnet Mask (Short): 162.211.152.0/24
- Subnet Mask (Long): 162.211.152.0/255.255.255.0
Note: This may be updated from time to time without notice.
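The listing above gives the same scanner block in three notations, and the advice is to allow it through your firewall so scan results are complete. The following Python, added here as an illustration and not SecurityMetrics' own tooling, shows two things a defender typically wants once such a range is published: a check of how the first-last range and the /24 notation relate (a /24 rule also admits the .0 address that the written range omits), and a triage of firewall log lines into "from the listed scanner block" versus "everything else", so that scanner traffic can be separated from other sources during review. The log lines are constructed for this example in a netfilter-style `SRC=` layout; the log format and the helper names are assumptions, and the block itself should be re-checked against the page since it may change without notice.

```python
"""Triage firewall log lines by whether the source address lies in the published scanner block."""
import ipaddress
import re

# Scanner source block as listed on the page (the page notes it may change without notice).
SCANNER_NETWORK = ipaddress.ip_network("162.211.152.0/24")
# The same block as the page's first-last notation.
SCANNER_RANGE = (ipaddress.ip_address("162.211.152.1"),
                 ipaddress.ip_address("162.211.152.255"))


def addresses_in_network_not_in_range(network, first, last):
    """Return the addresses a CIDR rule permits that the first-last range does not.

    Iterating an IPv4Network yields every address from the network address to the
    broadcast address, so this shows exactly what a /24 rule admits beyond .1-.255.
    """
    return [addr for addr in network if not (first <= addr <= last)]


def is_listed_scanner(ip_str):
    """True when ip_str parses as an IP address inside the published scanner block."""
    try:
        return ipaddress.ip_address(ip_str) in SCANNER_NETWORK
    except ValueError:  # not a valid address at all
        return False


# Source-address field of a netfilter-style log line (format assumed for this example).
_SRC_RE = re.compile(r"\bSRC=(\S+)")


def triage_log(text):
    """Split log lines into those sourced from the scanner block and everything else.

    Returns {"scanner": [...], "other": [...]} with (src, line) pairs; a line whose
    SRC= field is missing or unparsable lands in "other" so it is never silently dropped.
    """
    result = {"scanner": [], "other": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        match = _SRC_RE.search(line)
        src = match.group(1) if match else None
        bucket = "scanner" if src and is_listed_scanner(src) else "other"
        result[bucket].append((src, line))
    return result


# Constructed sample lines (not real traffic); destination is a documentation address.
SAMPLE_LOG = """\
Jun 01 10:00:01 fw kernel: IN=eth0 SRC=162.211.152.40 DST=203.0.113.10 PROTO=TCP DPT=443
Jun 01 10:00:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=22
Jun 01 10:00:03 fw kernel: IN=eth0 SRC=162.211.152.200 DST=203.0.113.10 PROTO=TCP DPT=8080
Jun 01 10:00:04 fw kernel: IN=eth0 SRC=not-an-ip DST=203.0.113.10 PROTO=TCP DPT=80
"""

if __name__ == "__main__":
    gap = addresses_in_network_not_in_range(SCANNER_NETWORK, *SCANNER_RANGE)
    print("addresses a /24 rule admits beyond the listed .1-.255 range:",
          [str(a) for a in gap])
    buckets = triage_log(SAMPLE_LOG)
    for name, entries in buckets.items():
        print(f"{name}: {len(entries)} line(s)")
        for src, line in entries:
            print("   ", src, "->", line.split("kernel: ", 1)[1])
```

Run as-is it reports `162.211.152.0` as the one address the /24 form covers that the first-last form does not, and sorts the constructed lines into two scanner-sourced entries and two others. In practice the same `is_listed_scanner` check is what you would put behind a firewall allow rule or a SIEM enrichment field, re-reading the published block rather than hard-coding it, since the page says the range may change.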
Abuse
Users of SecurityMetrics scanning services are required to consent to abiding by the Terms of Use before purchasing scanning services from SecurityMetrics. SecurityMetrics takes reports of abuse very seriously and works with ISPs, hosting providers, and other organizations to ensure that any abuse is dealt with in a timely and appropriate manner.
Do you believe some form of SecurityMetrics scanning service abuse is occurring?
Please email us (scanabuse@securitymetrics.com)