Privacy policy

Last update: November 3rd, 2023

The website www.tryriot.com (hereinafter the “Website”) published by the company Riot Security, Inc. (hereinafter “Riot Security” or “we”), provides access to the Riot Solution (hereinafter the “Riot Solution”) for companies in order to train employees and raise their awareness about cybersecurity risks (hereinafter “Cybersecurity Services”).

While you are accessing, browsing, navigating and using the Website and the Riot Solution, you communicate your personal data to Riot Security. 

Please read this privacy policy carefully as it explains how Riot Security uses your personal data and how to exercise your rights. This privacy policy supplements the Terms & Conditions or any documents or notices that may refer to this privacy policy. 

Should you have any questions, you may directly contact Riot Security by sending an email to support@tryriot.com.

1. WHO IS THE DATA CONTROLLER OF YOUR PERSONAL DATA?

When you are using the publicly available Website:

  • Riot Security is the data controller of personal data collected and processed for the administrative, operational and commercial management of the Website as publisher.

When you are using the Riot Solution:

  • your employer is the data controller of personal data collected and processed for the provision of the Cybersecurity Services to which it has subscribed;
  • Riot Security is the data processor, acting in the name and on behalf of your employer, of personal data collected and processed for the provision of the Cybersecurity Services to which your employer has subscribed.

In the European Union, Riot Security is represented by Riot Security SAS.

2. WHAT KIND OF PERSONAL DATA ARE PROCESSED?

All personal data is provided directly by your employer, by you, or by one of our external partners, or is generated from your use of the Cybersecurity Services, namely (type of data, followed by examples):

  • Identification data: first name, last name, photograph
  • Contact details (professional and/or personal): email address, telephone number
  • Professional data: company (name and sector), position
  • Data related to your training and awareness about cybersecurity risks (depending on the Cybersecurity Services subscribed by your employer): training history, reactions to a phishing campaign (ignored email, opened email, compromised identifiers, etc.), strength of the password, contact details (professional and personal), assessment of your awareness level related to cybersecurity risks
  • Data related to your exchanges with Riot Security: date, subject, voice and video recordings and content of your exchanges with the internal services of Riot Security
  • Data related to your job application: any information provided as part of your job application

Also, the Website automatically collects the following data via cookies and other trackers:

  • Internet or other electronic network activity information: date and time of the connection, IP address, device type, browser type, operating system, viewed pages. Purpose: this data is necessary for the proper functioning of the Website and for internal business analytics purposes such as audience measurement. For more information on cookies and other trackers, please see the Cookies Policy.

The provision of certain types of personal data may be necessary or optional in order to fully use the Website and the Cybersecurity Services subscribed by your employer. Mandatory data will be marked as such at the point of collection. If you refuse to provide mandatory data, Riot Security may not be able to process your request (e.g., creation of your Riot Security account, provision of the Cybersecurity Services, processing of your job application, etc.).

3. FOR WHAT PURPOSES DOES RIOT SECURITY USE YOUR PERSONAL DATA?

When you are using the publicly available Website and Riot Security therefore acts as data controller (as indicated in section 1 of this policy), your personal data is processed for the following reasons:

Purpose: Booking a demo of the Riot Solution
  • to book a demo of the Riot Solution depending on your availability
  • to present the Riot Solution to you
  • to contact you if necessary
Legal basis: To take steps prior to entering into a contract, and your consent to demo recording

Purpose: Processing your contact requests
  • to process your contact request
  • to contact you if necessary
Legal basis: Legitimate interest of Riot Security to respond to contact requests

Purpose: Sending marketing communications
  • to send you communications about the business activities and services of Riot Security that might interest you
  • to measure the performance of marketing and sales communications
Legal basis: Legitimate interest of Riot Security to develop its activity (with your consent when required by the applicable law)

Purpose: Managing your job application
  • to examine your job application
  • to organize an interview
  • if your job application is successful, to organize an interview to assess your professional skills with regard to the job
Legal basis: To take steps prior to entering into a contract

Purpose: Including you in our talent pool
  • to let you know about new job opportunities that might interest you
Legal basis: Legitimate interest of Riot Security in feeding its talent pool

Purpose: Improving the Website, the Cybersecurity Services, as well as your user experience
  • to collect your feedback about the Cybersecurity Services subscribed by your employer and publish it on the Website (with your consent if applicable)
  • to ensure the proper functioning of the Website and the Riot Solution
  • to take steps designed to protect the security of the Website and the Riot Solution
Legal basis: Legitimate interest of Riot Technology to improve the Website, the Cybersecurity Services, as well as your user experience

Purpose: Pre-litigation or litigation management
  • to take action against any identified breach
  • to manage any dispute or litigation
Legal basis: Legitimate interest of Riot Security in defending its rights and interests

Purpose: Compliance with legal and regulatory obligations
  • to comply with legal and regulatory obligations
  • to process your requests to exercise your rights
Legal basis: Legal and regulatory obligations to which Riot Technology is subject as data controller

Purpose: Billing and contract management
  • to allow your employer to subscribe to the Cybersecurity Services
  • to process payment for the subscribed Cybersecurity Services
  • to provide you with the invoices in your "Billing" space
Legal basis: Performance of the contract

When you are using the Riot Solution and Riot Security therefore acts as data processor (as indicated in section 1 of this policy), your personal data is processed only for the following reasons:

Purpose: Creation and management of your Riot Security account
  • to create your Riot Security account (via your Slack, Gmail or Outlook identifiers) as manager, to allow you to authenticate yourself on the Riot Solution and access the dashboard related to the Cybersecurity Services subscribed by your employer
  • to allow you to update your account as needed
Legal basis that may be used by the controller: Legitimate interest of your employer to train and raise the awareness of its employees about cybersecurity risks, in order to protect its information systems

Purpose: Provision of the Cybersecurity Services subscribed by your employer
  • to provide you with the Cybersecurity Services subscribed by your employer (trainings, phishing exercises, etc.)
  • to make statistics on your awareness level about cybersecurity risks
Legal basis that may be used by the controller: Legitimate interest of your employer to train and raise the awareness of its employees about cybersecurity risks, in order to protect its information systems

Purpose: Monitoring on the web (only if your employer wanted to offer you this feature)
  • to check on the web whether your contact details (professional and personal) are available
Legal basis that may be used by the controller: Your consent

Purpose: Compliance with legal and regulatory obligations
  • to comply with legal and regulatory obligations
  • to process your requests to exercise your rights
Legal basis that may be used by the controller: Legal and regulatory obligations to which Riot Security is subject as data processor

4. WHO CAN ACCESS YOUR PERSONAL DATA?

Recipients, with the purposes for which they receive your personal data:

  • Riot Security and its duly authorized employees: for the management of the Website and the provision of the Cybersecurity Services, as detailed in section 3 of this policy
  • Slack Technologies, LLC: for the sole purpose of authenticating you on the Riot Solution using your Slack identifiers to access your Riot Security account
  • Google, Inc.: for the sole purpose of authenticating you on the Riot Solution using your Gmail identifiers to access your Riot Security account. Riot phishing reporter's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
  • Microsoft, Inc.: for the sole purpose of authenticating you on the Riot Solution using your Outlook identifiers to access your Riot Security account
  • Service providers of Riot Security (hosting provider, IT service providers, IT solutions publishers, etc.): exclusively for operational and technical purposes related to the management of the Website and the provision of the Cybersecurity Services, as detailed in section 3 of this policy
  • Administrative or judiciary authorities: exclusively in the case of an express and justified request or in case of an alleged violation of legal or regulatory provisions
  • Lawyers and all interested parties: exclusively in the case of the management of possible disputes and other legal matters where appropriate
  • Other third parties: following or during a restructuring, reconstitution, acquisition, debt financing, merger, sale of assets of Riot Security or a similar transaction, as well as in case of insolvency, bankruptcy or receivership where personal data are transferred to one or more third parties as assets of Riot Security

5. WILL YOUR PERSONAL DATA BE TRANSFERRED OUTSIDE OF THE EUROPEAN UNION/EUROPEAN ECONOMIC AREA? 

As far as possible, your personal data is processed within the European Union (EU)/European Economic Area (EEA). However, Riot Security and some of its service providers are located outside of the EU/EEA. 

Riot Security complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. Riot Security has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

If you have an inquiry or complaint, please contact dpo@tryriot.com so Riot Security can address it. If Riot Security can’t resolve your complaint, you may also contact your local data protection authority within the European Economic Area or the United Kingdom (as applicable), with which Riot Security commits to cooperate, for unresolved complaints concerning the handling of your personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. It is also possible, under certain conditions, to invoke binding arbitration for complaints not resolved by any of the other DPF mechanisms, as outlined more fully on the DPF website. Please note as well that Riot Security is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

In some cases, Riot Security may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. More information about the safeguards that have been implemented to protect transfers of personal data is available in the Data Processing Agreement. If Riot Security transfers your personal data onward to a third party, it will continue to remain liable under the DPF Principles.

When your personal data is transferred outside the EU/EEA, Riot Security will, in the absence of an adequacy decision and after an assessment of the level of protection of your rights in the third country where the recipient of your personal data is established has been carried out, implement all necessary measures through the adoption of appropriate safeguards (such as standard contractual clauses). A copy of such safeguards can be obtained by sending an email directly to Riot Security at dpo@tryriot.com.

Service provider                  Third country   Adopted safeguard
Riot Security, Inc.               United States   EU-US Adequacy decision
Slack Technologies, LLC           United States   EU-US Adequacy decision
Google, Inc.                      United States   EU-US Adequacy decision
Microsoft, Inc.                   United States   EU-US Adequacy decision
Intercom, Inc.                    United States   EU-US Adequacy decision
Twilio, Inc.                      United States   EU-US Adequacy decision
FullStory, Inc.                   United States   EU-US Adequacy decision
Mailgun Technologies, Inc.        United States   Standard Contractual Clauses
Functional Software, Inc.         United States   EU-US Adequacy decision
Datadog, Inc.                     United States   EU-US Adequacy decision
HubSpot, Inc.                     United States   EU-US Adequacy decision
Temporal, Inc.                    United States   Standard Contractual Clauses
Airtable, Inc.                    United States   Standard Contractual Clauses
Stripe, Inc.                      United States   EU-US Adequacy decision
Tagis, Inc.                       United States   Standard Contractual Clauses
Calendly, Inc.                    United States   EU-US Adequacy decision
Docusign, Inc.                    United States   Standard Contractual Clauses
OpenAI OpCo, LLC                  United States   Standard Contractual Clauses
Zoom, Inc.                        United States   Standard Contractual Clauses
ZenLeads, Inc. dba Apollo         United States   Standard Contractual Clauses
Aircall.io, Inc.                  United States   Standard Contractual Clauses
Superlative Enterprises Pty Ltd   United States   Standard Contractual Clauses

6. HOW DOES RIOT SECURITY PROTECT YOUR PERSONAL DATA?

Riot Security has implemented technical and organizational measures to protect your personal data, in particular against potential data breaches likely to cause, either by accident or unlawfully, the destruction, loss, modification, unauthorized access or disclosure of your personal data. These measures will guarantee a level of security appropriate for the data and will take into account the state of the art and the cost of implementation in relation to the risks and nature of the data to be protected.

Riot Security guarantees that all members of its personnel and any other person processing your personal data will respect the internal rules and procedures related to the processing of personal data, including the technical and organizational security measures put in place to protect your personal data. In this context, Riot Security reviews and updates its practices regularly to enhance your privacy and ensure that its internal policies are followed.

If you have found a vulnerability or would like to report a security incident, you may send an email to support@tryriot.com.

7. FOR HOW LONG IS YOUR PERSONAL DATA STORED?

As a general rule, your personal data will only be retained for the period necessary for the accomplishment of the purposes for which said data was collected, or as necessary to fulfill legal or regulatory obligations.

  • When you are using the publicly available Website and Riot Security therefore acts as data controller (as indicated in section 1 of this policy), it stores:
      • the data collected in case of a demo of the Riot Solution for three (3) years for direct marketing;
      • the data collected in case of a contact request until the complete processing of such request;
      • the data collected in the context of your application to a job offer for two (2) years from your last contact with Riot Security, unless you request the destruction of your file;
      • your traffic data for a period of twelve (12) months from its collection.
  • When you are using the Riot Solution and Riot Security therefore acts as data processor (as indicated in section 1 of this policy), it stores the data provided or generated from the use of the Riot Solution during its contractual relationship with your employer. Beyond that, this data is stored for one (1) year, deleted at the request of the employer, or anonymized with the employer's permission for research purposes.

8. WHAT ARE YOUR RIGHTS REGARDING YOUR PERSONAL DATA?

When you are using the publicly available Website and Riot Security therefore acts as data controller (as indicated in section 1 of this policy), you may directly contact Riot Security if you have any questions or wish to exercise the following rights by sending an email to dpo@tryriot.com.

When you are using the Riot Solution and Riot Security therefore acts as data processor (as indicated in section 1 of this policy), you may directly contact your employer if you have any questions or wish to exercise the following rights.

If you are based in the EU/EEA, you have the following rights over your personal data:

  • you can request access to your personal data in order to obtain clear, transparent and understandable information about how your personal data are processed and about your rights (as provided in this policy), as well as a copy of your personal data.
  • you can request the rectification of your personal data in order to obtain the modification of your personal data if it is obsolete, inaccurate or incomplete.
  • you can object to the processing of your personal data when the processing is based on legitimate interest. The data controller will no longer process your personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, such as the respect of a legal obligation (e.g., a legal obligation involving the retention of documents), or for the establishment, exercise or defense of legal claims.
  • you can request the restriction of the processing during a limited period of time, in particular in order to carry out some verifications, where one of the following applies:
      • you contest the accuracy of your personal data, the processing of which is thus restricted for the period necessary for the data controller to verify the accuracy of such personal data;
      • the processing is unlawful and, rather than requesting its deletion, you prefer to restrict its use;
      • the data controller no longer needs your personal data for the purposes of the processing, but you need them for the establishment, exercise or defense of legal claims;
      • you have objected to the processing, which is thus restricted pending the verification of whether the compelling legitimate grounds of the data controller may override your interests, rights and freedoms.
  • you can withdraw your consent when it has been obtained, without this withdrawal affecting the lawfulness of the processing operations previously carried out.
  • you can ask to receive your personal data in a structured, commonly used and machine-readable format and also can request their transmission to a third party where technically feasible. This right cannot be exercised in all circumstances; it applies only if all of the following conditions are fulfilled:
      • your request is only related to your personal data (excluding anonymous or third-party data);
      • your request does not adversely affect the rights and freedoms of the data controller (in particular business secrecy) or third parties (in particular intellectual property rights);
      • the processing is carried out by automated means (paper files are therefore not included);
      • the processing is based on consent or the performance of a contract (to check whether this is the case, see section 3 of this policy).
  • you can request the deletion of your personal data (or right to be forgotten), where one of the following legal grounds applies:
      • you object to the processing of your personal data and there are no overriding legitimate reasons justifying maintaining the processing of your personal data;
      • you decide to withdraw your consent on which the processing is based;
      • your personal data are no longer useful for the original purposes for which they were collected or for any other type of processing;
      • the use that is made of your data does not comply with the applicable legal or regulatory provisions.
  • depending on your country of residence, you may have additional local rights with respect to our processing of your personal data.

It is specified that the exercise of these rights depends on the legal basis of the processing, as follows:

Legal basis                              Access  Rectification  Erasure  Restriction  Data portability  Objection
Consent                                  Yes     Yes            Yes      Yes          Yes               Withdrawal of consent
Steps prior to entering into a contract  Yes     Yes            Yes      Yes          Yes               No
Contract                                 Yes     Yes            Yes      Yes          Yes               No
Legitimate interest                      Yes     Yes            Yes      Yes          No                Yes
Legal obligation                         Yes     Yes            No       Yes          No                No

Under certain circumstances, certain specific information can be requested in order to confirm your identity and ensure the exercise of your rights. This is another appropriate security measure to ensure that personal data is not disclosed to an individual who does not have the right to receive it.

If needed, you may also lodge a complaint with your national data protection authority (for example the CNIL if you are located in France). This right may be exercised at any time and free of charge, excluding potential postal fees or expenses related to legal representation or assistance should you choose to engage third-party assistance for the procedure.

9. CHANGES TO THIS POLICY

This privacy policy may be amended from time to time, in particular to reflect the changes in the Website, Cybersecurity Services or the applicable regulations. Therefore, we recommend that you review this privacy policy each time you visit the Website or the Riot Solution.