IriusRisk Privacy Policy

Last version: October, 2024

Introduction

At IriusRisk we are deeply committed to respecting your fundamental right to data protection and we take privacy and security very seriously. We really appreciate that you are trusting us with your personal data. 

Please read this Privacy Policy carefully. If you have any questions or concerns, you may contact dpo@iriusrisk.com. If you do not agree with this Privacy Policy, we kindly advise you not to access this website, use our Services or interact with any other aspect of our business.

This IriusRisk Privacy Policy (“Privacy Policy”) describes how IriusRisk SL and its subsidiaries (“IriusRisk”, “we”, “our” or “us”) collect, store, use, disclose, and otherwise process information from or about you (“Personal Data”). We may use and collect information in various ways, depending on who you are, and how you interact with us and our Website and services. This Privacy Policy also explains the choices that you can make about the way that we use your information. 

What is the scope of this Privacy Policy?

At IriusRisk, we value your privacy and your rights under data protection regulations, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“GDPR”), the UK General Data Protection Regulation (“UK GDPR”), the California Online Privacy Protection Act (CalOPPA), the California Consumer Privacy Act (CCPA) and any other local data protection law of the countries where IriusRisk operates.

This Privacy Policy describes IriusRisk’s data protection practices in relation to Personal Data of users we collect as Data Controller in the context of this website and associated sub-domains (https://www.iriusrisk.com/, https://community.iriusrisk.com/, https://enterprise-support.iriusrisk.com/s/, https://www.threatmodelingconnect.com/ and https://www.threatmodcon.com/) (“Website”); onsite and online events and communities; our marketing and promotional emails, newsletters, and other advertising communications (“Marketing Communications”); and any other activities where we display or link to this Privacy Policy.

Please note that this Privacy Policy does not apply to the extent we process Personal Data where we provide our services in the role of a processor on behalf of our customers. That processing of personal data is governed by the relevant contract or agreement, licence and/or data protection agreement (DPA) signed between IriusRisk and our customers.

What personal data do we process, for what purpose, for how long and on what legitimate basis?

The categories of Personal Data we collect and process depend on how you interact with us, our services, and the requirements of applicable law. We collect Personal Data that you provide to us directly, Personal Data we obtain automatically when you use our Website and/or services, and information from other sources such as third-party services and organisations, as described in the table below.

Generally, we retain your Personal Data as long as we need to in order to achieve the purpose for which it was collected. We also retain it to the extent necessary to comply with our legal obligations and applicable law, resolve disputes, and enforce our legal agreements and policies.

Data provided by you:

Data processing activities / Purpose

Community Edition: Sign up, access and use of the IriusRisk Community Edition. 

Personal data collected or processed

Identification data (Hostname, Lastname, Username, Firstname); contact data (email); professional data; platform data and user activity (First seen, Signed up, Last seen, Web sessions); device and browser info (Device type, Browser language, Browser, OS, Viewport width, Viewport height); location (Country).

Lawful basis  

Execution of Community Service Terms

Retention period

This data will be processed for as long as you remain subscribed to our Community Edition. If you choose to unsubscribe, your personal data collected for this purpose will be deleted, without prejudice to the blocking for 5 years to address possible liabilities.

Data processing activities / Purpose

Threat Modeling Connect: Sign up, access and manage your Threat Modeling Connect Community and/or Forum membership so you can join discussions, collaborate, interact, share ideas, build connections, send messages, participate in community events and webinars, sign up for announcements and apply to write articles.

Personal data collected or processed

Identification data (Username, First Name, Last Name); contact data (email); professional data (company, role); country; experience in Threat Modeling; user activity; image, voice.

We may also collect any other information that you choose to provide to us, such as biography, location, message content, posts, comments, articles, opinions and any other interaction or contribution (seminar, workshop, talk) you submit/publish through our Threat Modeling Community Forum.

Lawful basis

Execution of Threat Modeling Connect Community and Forum Terms 

Retention period

This data will be used for as long as you remain subscribed to the Threat Modeling Connect Community and/or Forum. If you choose to unsubscribe, all your personal data collected for this purpose will be deleted, without prejudice to the blocking for 5 years to address possible liabilities.

Data processing activities / Purpose

Contact & info requests: Provide you with the info you request by contacting us, including through our chatbot.

Demo: Schedule and perform a live demo requested by you.

Pricing: To give you the pricing quote you requested.

IriusRisk resources: Provide you with our ebook or other threat modeling resources from our Website, requested by you.

Events, webinars: Participate in onsite and online events, webinars and workshops you register for.

IriusRisk Courses & Trainings: Provide you with Certifications and Accreditations when participating or completing our courses. 

Personal data collected or processed

Identification, contact and professional data: name, surname, email, company name, phone number, location; image, voice.

We may also collect any other information that you choose to provide to us, such as the content of a message that you submit through our Website.

Lawful basis

Execution of the service, event, training or application requested by you.

Online and onsite events, webinars and courses may be recorded. We will inform you of this in advance and, depending on the specific case, you will be able either to give your consent or to object (where we rely on legitimate interest).

Retention period

During the necessary time to contact you and/or provide you with the resources and/or services you requested. 

After this time, all your personal data collected for this purpose will be deleted, without prejudice to the blocking for 3 years to address possible liabilities.

Data processing activities / Purpose

Information & Support: Provide you with the necessary information and/or support regarding any technical issue or new functionality (e.g. a new Community Edition release), important information (e.g. regulatory changes), news, best practices or other information related to your inquiries or questions, and any incident related to the Website or the provision of the Community Edition that needs to be reported.

Personal data collected or processed

Identification, contact and professional data: Name and surname, email, phone number, country. 

Lawful basis

Execution of Community Service Terms. Legitimate interest to resolve any technical problem or incident and to provide you adequate service.

Retention period

During the time necessary to answer the question and/or solve the incident.

Data processing activities / Purpose

Business development, strategic partnerships and professional contact: To contact professionals, seek prospects, assess and pursue potential business opportunities.

To negotiate and sign pre-contractual documents (e.g.: MNDA, PoC, trials, etc.).

Personal data collected or processed

Identification, contact and professional data: Name and surname, email, phone number, country; image, voice; business preferences; signature.  

Lawful basis  

Our legitimate interest to assess and pursue potential business opportunities.

Execution of pre-contractual measures.

Online business meetings and calls may be recorded if you consent.

Retention period

This data will be used for as long as our business development, strategic partnerships and professional contact relationship remains. 

Once this time has elapsed, all your personal data collected for this purpose will be deleted, without prejudice to the blocking for 5 years to address possible liabilities.

Data processing activities / Purpose

Marketing and advertising: To carry out marketing communications through email, newsletter or adverts, to inform you about special offers, promotions, events, reports and other services that may be interesting to you.

Personal data collected or processed

Identification, contact and professional data: Name and surname, email, phone number, country.

Lawful basis  

Your free, specific and informed consent given through a checkbox, subscription to the newsletter, or acceptance of cookies.

You may withdraw your consent at any time by clicking “unsubscribe” in all our commercial emails, by sending an email to dpo@iriusrisk.com or visiting our Cookies Policy.

Retention period

This data will be used for as long as you remain subscribed to our commercial communications. If you choose to unsubscribe, all your personal data collected for this function will be deleted.

Data processing activities / Purpose

Community Edition Surveys: To improve your UX in our threat modeling tool, if you wish to participate.

Personal data collected or processed

Identification data (Hostname, Lastname, Username, Firstname); contact data (email); professional data; platform data and user activity (First seen, Signed up, Last seen, Web sessions); device and browser info (Device type, Browser language, Browser, OS, Viewport width, Viewport height); location (Country).

We may also collect any other information that you choose to provide to us through the survey.

Lawful basis  

Your free, specific and informed consent.

Retention period

This data will be processed during the time necessary to perform the survey. Once finished, your personal data collected for this purpose will be anonymised or deleted.

Data processing activities / Purpose

Job applications: Please visit our Candidate Privacy Policy.

Data processing activities / Purpose

Hackathon and other contests: To manage your participation in contests, raffles and tournaments organised by IriusRisk.

Personal data collected or processed

Identification, contact and professional data: Name and surname, email, phone number, country.

Lawful basis  

The execution of the contractual relationship through your acceptance of the Legal Bases (the official rules of the contest).

Retention period

This data will be processed for the duration of the contractual relationship. Once this time has elapsed, all your personal data collected for this purpose will be deleted, without prejudice to the blocking for 5 years to address possible liabilities.

Data processing activities / Purpose

Interactive Features and Social Media: To network and create a strong community of threat modeling practitioners (e.g. third-party forums, blogs, and social media pages).

Personal data collected or processed

Identification, contact and professional data: name, surname, email, company name, phone number, country; image, voice.

We may collect Personal Data that you submit or make available through our interactive features and social media, which will be considered “public,” unless otherwise required by applicable law.

Lawful basis  

Our legitimate interest in creating a Threat Modeling Community.

Retention period

Please refer to the privacy policies of the relevant third-party forums, blogs and social media platforms.

Data processing activities / Purpose

Data subject requests: To guarantee your data protection rights you may exercise as a data subject in accordance with this Privacy Policy.

Personal data collected or processed

The Personal Data we process depends on the processing activity and service we provide to you.

Lawful basis  

Legal obligation, set out in data protection regulations.

Retention period

During the necessary time to exercise your data protection rights and to demonstrate compliance.

Data processing activities / Purpose

Regulatory compliance: To comply with any applicable law or regulation, subpoena, court order, government statute, legal or regulatory audit or investigation, or other legal process, including to comply with national security or law enforcement requirements and prevent fraud, harm, illegal activities or abuse of IriusRisk or our users.

Personal data collected or processed

The Personal Data we process depends on the processing activity and service we provide to you.

Lawful basis  

Our legitimate interest in keeping our Website and services secure for IriusRisk and you.

Retention period

During the time established in applicable law or regulation, subpoena, court order, government statute, or other legal process.

Data collected automatically/from other sources:

Data processing activities / Purpose

Cookies and Other Tracking Technologies: To provide functionality and to recognise you across different websites and services, which allows an analysis of your navigation in order to improve our Website and services, both on an aggregated and an individualised basis, and for other research, analytical or statistical, commercial and advertising purposes. For more information, please visit our Cookies Policy.

Personal data collected or processed

Site Navigation Data: IP and other characteristics of navigation (e.g., location and/or device) derived from the use of cookies or similar technologies used on the Website. 

For more information, please visit our Cookies Policy.

Lawful basis  

Those cookies categorised as technical which are necessary for the operation of the Website and services: Legitimate Interest.

Rest of cookies: Consent given through the cookie banner at the start of your navigation. 

You may withdraw your consent by following the steps indicated in the Cookies Policy.

Retention period

The retention periods depend on each specific cookie.

For more information, please visit our Cookies Policy.

Data processing activities / Purpose

Business development, strategic partnerships and professional contact: We may also collect Personal Data from prospective customers through third-party services, social media platforms, public databases (publicly available sources) to assess and pursue potential business opportunities.

We may combine this information with information we collect through other means described above. This helps us to update and improve our records, identify new customers and suggest services that may be of interest to you.

Personal data collected or processed

Identification, contact and professional data: Name and surname, email, phone number, country; business preferences. 

Lawful basis  

Our legitimate interest to assess and pursue potential business opportunities.

Retention period

This data will be used for as long as our business development, strategic partnerships and professional contact relationship remains. 

Once this time has elapsed, all your personal data collected for this purpose will be deleted, without prejudice to the blocking for 5 years to address possible liabilities.

To whom may we disclose your Personal Data?

In addition to access and processing by our employees and collaborators in order to provide our services and fulfil your requests, your Personal Data may also be disclosed to third parties in certain circumstances. It will only be shared with these third parties when strictly necessary, under confidentiality obligations and implementation of appropriate security measures:

IriusRisk companies: We are a global company with subsidiaries in various parts of the world. Therefore, we may disclose your Personal Data to IriusRisk subsidiaries for operational and administrative reasons, as well as to ensure that your service or request is properly provided.

Service Providers: We will often need to disclose your Personal Data to trusted third parties in order to operate, develop, host, audit, improve and customise our Websites and services, send marketing communications and advertisements related to our Websites and services based on your interests and interactions with us. Any third parties we share your Personal Data with are obliged to store your personal data securely and use it only for necessary purposes. We seek to enter into Data Processing Agreements (DPA) with our third party service providers to ensure they only process your data according to data protection regulations and as instructed by us.

Sponsors, partners and promoters of IriusRisk-organised events: If you register for or attend an online or onsite event organised by IriusRisk, we may need to disclose relevant Personal Data to sponsors, partners and promoters, for the sole purpose of organising and running the event.

Links to Third Party Sites: This Website may include links that direct you to other websites or services whose data protection practices may differ from ours. If you submit information to any of those third party sites, your information is governed by their privacy policies, not this one. We encourage you to carefully read the privacy policy of any website you visit.

Business Transfers: We may disclose or transfer your Personal Data as part of, or in connection with, an actual or prospective corporate business transaction, such as a merger, sale of company assets, financing, joint venture, acquisition, corporate change, reorganisation, insolvency, bankruptcy or receivership of all or a portion of our business to another company.

Compliance with Enforcement Requests and Applicable Laws; Enforcement of Our Rights: In exceptional circumstances, we may disclose information about you to law enforcement agencies, regulatory or governmental bodies, or other third parties if we consider that sharing is reasonably necessary to (a) comply with any applicable law or regulation, subpoena, court order, government statute, legal or regulatory audit or investigation, or other legal process, including to comply with national security or law enforcement requirements; (b) protect the security or integrity of our products and services; (c) prevent fraud, harm, illegal activities or abuse of IriusRisk or our users (e.g. through ReCaptcha); (d) respond to an emergency which we believe in good faith requires us to disclose information to assist in preventing the death or serious bodily injury of any person. 

Advertising Partners: We may share your personal information with third-party advertising partners. These third-party advertising partners may set tracking technologies and other tracking tools on our Services to collect information regarding your activities and your device (e.g., your IP address, cookie identifiers, page(s) visited, location, time of day). These advertising partners may use this information (and similar information collected from other services) for purposes of delivering personalised advertisements to you when you visit digital properties within their networks. This practice is commonly referred to as “interest-based advertising” or “personalised advertising.”

Market research: We may aggregate and disclose de-identified information collected by our websites or the services in order to provide statistical information or market research to third parties.

International data transfers

In the above circumstances your Personal Data may be processed, transferred and stored outside your country or jurisdiction. Certain of these countries may not have the same data protection laws and protections as those of the country in which you are based. 

When we transfer Personal Data outside of the United Kingdom, Switzerland, or the European Economic Area (EEA), we take appropriate steps to ensure that the recipient of your Personal Data offers an adequate level of protection and security, for example by entering into standard contractual clauses (SCCs) for the transfer of Personal Data as approved by the European Commission.

Security

IriusRisk places the utmost importance on the security of the Personal Data entrusted to us. We undertake to take all necessary precautions to preserve the security of the Personal Data and, in particular, to protect it against accidental or unlawful destruction, accidental loss, corruption, dissemination or unauthorised access, as well as against any other form of unlawful processing or disclosure to unauthorised persons. 

For this purpose, we are ISO 27001 certified. We use appropriate technical and operational measures (e.g. data encryption, security audits, hashing, etc.) to secure information collected by IriusRisk. 

How can you exercise your data protection rights?

Under data protection regulations, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your Personal Data, which may include:

  • Right of access: access or be provided with a copy of your Personal Data held by us, and be informed about what Personal Data we hold and how we process it.
  • Right to rectification and/or erasure: request the correction, update, or erasure of your Personal Data held by us.
  • Right to object to processing: object to the further processing of your Personal Data.
  • Right to restriction of processing: request that we restrict the processing of your Personal Data (for example, while we verify or investigate your concerns with the processing).
  • Right to data portability: request that your Personal Data be transferred, where possible, to a third party.

If you wish to exercise one of these rights, please contact us via the email address dpo@iriusrisk.com.

We may need to request specific information from you to help us confirm your identity and exercise your rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

We will try to respond to all legitimate requests within 30 days. Occasionally it may take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

You may lodge a complaint related to the processing of your Personal Data with the Spanish Supervisory Authority (AEPD), with its registered office at Agencia Española de Protección de Datos, C/ Jorge Juan, 6, 28001 Madrid, via its website https://www.aepd.es/.

Changes to this Privacy Policy

We may change or update this Privacy Policy from time to time to reflect changes to our processing activities or our services or technology, or to respond to new legal requirements. If we do, we will update the “last updated” date on the first page of this Privacy Policy. 

If we make a material update, we may provide you with notice prior to the update taking effect, such as by posting a notice on our website, or sending you an email, or where required under applicable law and feasible, seek your consent to these changes. We encourage you to periodically review this Privacy Policy for the latest information on our privacy practices.

If you disagree with any changes to this privacy policy, you will need to stop using the Services and deactivate your account(s), as outlined above.

Contact Information

IriusRisk is a Spanish company located in Parque Tecnológico Walga, Ctra. Zaragoza N-330A, Km. 566, 22197 Cuarte (Huesca), Spain, and subsidiaries located in the United States and the United Kingdom.

If you have any questions related to this Privacy Policy or our data protection practices, please contact us at dpo@iriusrisk.com.